
CAS-003 Question #812: Real Exam Question with Answer & Explanation

The correct answer is B: Set the devices to enforcing.

Question

A security analyst is validating the MAC policy on a set of Android devices. The policy was written to ensure non-critical applications are unable to access certain resources. When reviewing dmesg, the analyst notes many entries such as:

Despite the deny message, this action was still permitted. Which of the following is the MOST likely fix for this issue?

Options

  • A. Add the objects of concern to the default context.
  • B. Set the devices to enforcing.
  • C. Create separate domain and context files for irc.
  • D. Rebuild the policy, reinstall, and test.

Explanation

The scenario describes SELinux (Security-Enhanced Linux / Android's MAC implementation) logging 'deny' messages in dmesg, yet the denied actions are still being permitted. This behavior is characteristic of SELinux running in permissive mode. In permissive mode, policy violations are logged but NOT enforced - processes continue despite the denial. In enforcing mode, denials are both logged AND blocked. Setting the devices to enforcing mode (B) causes SELinux to actually block the denied actions, making the MAC policy effective. This is a common misconfiguration where policies are written and tested in permissive mode but never switched to enforcing mode in production.
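The difference between a logged-only denial and a blocked one is visible in the AVC record itself on current kernels, through the trailing permissive= field. The following is an added example, not part of the original question: it parses AVC denials from dmesg output and reports, per source domain, whether each denial was only logged or actually blocked. The log lines, domain names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample dmesg output (not the log entry from the exam question).
SAMPLE_DMESG = """\
[  101.200001] type=1400 audit(1700000000.101:11): avc: denied { read } for pid=2101 comm="demo_app" name="secret.db" dev="dm-0" ino=4711 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
[  101.200450] type=1400 audit(1700000000.101:12): avc: denied { open } for pid=2101 comm="demo_app" path="/data/system/secret.db" dev="dm-0" ino=4711 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
[  101.900000] init: starting service 'demo_service'...
[  102.310077] type=1400 audit(1700000001.310:13): avc: denied { write } for pid=2250 comm="sh" name="config" dev="dm-0" ino=9001 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
[  103.000500] type=1400 audit(1700000002.000:14): avc: denied { search } for pid=2300 comm="demo_app" name="misc" dev="dm-0" ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:misc_data_file:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # permissive=1: logged but allowed; permissive=0: logged and blocked.
    # Older kernels omit the field, so the outcome cannot be read from the line.
    outcome = {"1": "logged-only", "0": "blocked", None: "unknown"}[m.group("permissive")]
    parts = m.group("scontext").split(":")
    return {
        "domain": parts[2] if len(parts) > 2 else m.group("scontext"),
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        "outcome": outcome,
    }

def summarize(dmesg_text):
    """Count AVC denials per (source domain, outcome)."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["domain"], rec["outcome"])] += 1
    return counts

def unenforced_domains(dmesg_text):
    """Domains with at least one denial that was logged but not blocked."""
    return sorted({d for (d, o) in summarize(dmesg_text) if o == "logged-only"})

if __name__ == "__main__":
    for (domain, outcome), n in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{domain:15} {outcome:12} {n}")
```

A permissive=1 record appears when the device is globally permissive or when the source domain is declared permissive in policy; running getenforce on the device reports the global mode.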
