XK0-005 Question #231: Real Exam Question with Answer & Explanation

Question

A user receives an access_denied error when trying to modify a file, even though the file permissions are set to 777. Which of the following commands should be used to view additional file permissions?

Options

• Agetsebool
• Bgetenforce
• Cls -z
• Dps -z

Explanation

Even with full file permissions, SELinux can deny access; therefore, viewing the file's SELinux security context is necessary to diagnose access_denied errors.

Common mistakes.

• A. getsebool is used to display the state of SELinux booleans, which are high-level policy controls, but it does not provide specific file context information.
• B. getenforce shows the current enforcement mode of SELinux (e.g., enforcing, permissive, disabled), indicating if SELinux is active, but not the specific reason for a file access denial.
• D. ps -Z displays the SELinux security context associated with running processes, not files, and is not relevant for diagnosing file access issues directly.

Concept tested. SELinux context and file permissions

Reference. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/viewing-and-changing-file-contexts_using-selinux

No community discussion yet for this question.