5.2. Which Log File is Used
In Fedora 11, the setroubleshoot-server and audit packages are installed if packages are not removed from the default package selection. These packages include the setroubleshootd
and auditd
daemons respectively. These daemons run by default.
SELinux denial messages, such as the following, are written to /var/log/audit/audit.log
by default:
type=AVC msg=audit(1223024155.684:49): avc: denied { getattr } for pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
Also, if setroubleshootd
is running, which it is by default, denial messages from /var/log/audit/audit.log
are translated to an easier-to-read form and sent to /var/log/messages
:
May 7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
Denial messages are sent to a different location, depending on which daemons are running:
Daemon |
Log Location |
auditd on |
/var/log/audit/audit.log
|
auditd off; rsyslogd on |
/var/log/messages
|
setroubleshootd, rsyslogd, and auditd on |
/var/log/audit/audit.log . Easier-to-read denial messages also sent to /var/log/messages
|
To configure the auditd
, rsyslogd
, and setroubleshootd
daemons to automatically start at boot, run the following commands as the Linux root user:
/sbin/chkconfig --levels 2345 auditd on
/sbin/chkconfig --levels 2345 rsyslog on
/sbin/chkconfig --levels 345 setroubleshoot on
Use the service
service-name
status
command to check if these services are running, for example:
$ /sbin/service auditd status
auditd (pid
1318
) is running...
If the above services are not running (
service-name
is stopped
), use the service
service-name
start
command as the Linux root user to start them. For example:
# /sbin/service setroubleshoot start
Starting setroubleshootd: [ OK ]