avc_has_perm_noaudit - Linux


avc_has_perm_noaudit checks whether a subject has permission to perform an action on an object, without triggering an audit event.


avc_has_perm_noaudit <subject_context> <target_context> <permission> [flags]


  • -t, –type : The type of permission check to perform. Default: ‘access’.
  • -s, –source: The source of the permission check. Default: ‘system’.
  • -a, –action : The action to check for. Default: ‘read’.
  • -p, –path : The path to the object being checked.
  • –auditdenyrules: Check the denyrules as well.


Check if the current user can access a file:

avc_has_perm_noaudit $(id -u) $(stat -c '%U' /path/to/file) 'file_read'

Check if the user with UID 1000 can execute a command:

avc_has_perm_noaudit 1000 $(id -u) 'process_exec'

Common Issues

  • Incorrect context: Ensure that the subject and target contexts are specified correctly.
  • Permission not granted: Verify that the subject has the appropriate permissions to perform the action.
  • SELinux not enabled: SELinux must be enabled for this command to work.


avc_has_perm_noaudit can be used with other SELinux utilities, such as semanage and audit2allow, to manage and enforce access control policies.

Related Commands

  • getenforce: Get the current SELinux enforcement mode.
  • semanage: Manage SELinux policies and roles.
  • audit2allow: Generate SELinux policy rules based on audit events.