During post-deployment testing of a new reporting service, the administrator observes repeated AVC denial messages in /var/log/audit/audit.log similar to:
Standard UNIX permissions on /var/www/html/reports confirm that the account running the web service has write access, yet the application still fails to generate report files. On a system where SELinux is in enforcing mode, which single command should the administrator run next to inspect whether an incorrect file label is causing the problem?
The correct answer is ls -Z /var/www/html/reports. The -Z option tells ls to include the SELinux security context (user, role, type, and level) for each listed object. If the directory is mislabeled-for example, with default_t instead of an httpd_*_content_t type-SELinux will block write attempts even when UNIX permissions allow them. Examining the label is therefore the first diagnostic step.
getsebool -a only lists boolean flags and does not show file contexts. ps auxZ displays SELinux contexts for running processes, not files. sestatus reports the overall SELinux mode and policy but provides no object-specific labeling details.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does the 'ls -Z' command do in SELinux diagnostics?
Open an interactive chat with Bash
What role do file labels play in SELinux?
Open an interactive chat with Bash
How is SELinux different from standard UNIX permissions?