XK0-004 · Question #231
A user receives an access_denied error when trying to modify a file, even though the file permissions are set to 777. Which of the following commands should be used to view additional file permissions
The correct answer is C. ls -z. When POSIX file permissions are 777 but access is still denied, SELinux mandatory access control context labels are the likely cause and must be inspected.
Question
A user receives an access_denied error when trying to modify a file, even though the file permissions are set to 777. Which of the following commands should be used to view additional file permissions?
Options
- Agetsebool
- Bgetenforce
- Cls -z
- Dps -z
How the community answered
(29 responses)- A3% (1)
- B3% (1)
- C83% (24)
- D10% (3)
Why each option
When POSIX file permissions are 777 but access is still denied, SELinux mandatory access control context labels are the likely cause and must be inspected.
`getsebool` queries the on/off state of SELinux policy boolean variables, not the security context label assigned to a specific file.
`getenforce` reports the overall SELinux enforcement mode (Enforcing, Permissive, or Disabled) for the system and does not display per-file security context labels.
The `ls -z` command displays the SELinux security context labels assigned to files, which are enforced independently of and in addition to standard rwx permissions. Because SELinux mandatory access control evaluates process and file context labels separately from POSIX permissions, a mismatch in those labels will produce an access_denied error even on a world-writable file, making `ls -z` the correct diagnostic step.
`ps -z` displays the SELinux context associated with running processes, not the context or permission labels of individual files on the filesystem.
Concept tested: Viewing SELinux file security context labels
Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/index
Topics
Community Discussion
No community discussion yet for this question.