nerdexam
CompTIA

XK0-004 · Question #231

A user receives an access_denied error when trying to modify a file, even though the file permissions are set to 777. Which of the following commands should be used to view additional file permissions

The correct answer is C. ls -z. When POSIX file permissions are 777 but access is still denied, SELinux mandatory access control context labels are the likely cause and must be inspected.

Security

Question

A user receives an access_denied error when trying to modify a file, even though the file permissions are set to 777. Which of the following commands should be used to view additional file permissions?

Options

  • Agetsebool
  • Bgetenforce
  • Cls -z
  • Dps -z

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    83% (24)
  • D
    10% (3)

Why each option

When POSIX file permissions are 777 but access is still denied, SELinux mandatory access control context labels are the likely cause and must be inspected.

Agetsebool

`getsebool` queries the on/off state of SELinux policy boolean variables, not the security context label assigned to a specific file.

Bgetenforce

`getenforce` reports the overall SELinux enforcement mode (Enforcing, Permissive, or Disabled) for the system and does not display per-file security context labels.

Cls -zCorrect

The `ls -z` command displays the SELinux security context labels assigned to files, which are enforced independently of and in addition to standard rwx permissions. Because SELinux mandatory access control evaluates process and file context labels separately from POSIX permissions, a mismatch in those labels will produce an access_denied error even on a world-writable file, making `ls -z` the correct diagnostic step.

Dps -z

`ps -z` displays the SELinux context associated with running processes, not the context or permission labels of individual files on the filesystem.

Concept tested: Viewing SELinux file security context labels

Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/index

Topics

#SELinux#extended permissions#file access control#ls -z

Community Discussion

No community discussion yet for this question.

Full XK0-004 Practice