Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




<< Previous Adding a New User Domain
Table of Contents
SELinux Resources Next >>

7. Explanation of log file messages

The following are examples of logged messages. I'll explain what each part of a log message means. For easier reading, I've split the log messages across lines.

Sometimes the logs aren't as clear as you would like, so it's handy to know that for ReiserFS and Ext2/Ext3 (the file systems supported by SE Linux) the root inode is number 2.

The XFS and JFS file systems have not been thoroughly tested at this time.

Example 1

avc:  denied  { getattr } for  pid=6011 exe=/usr/bin/vim path=/etc/shadow dev=03:03 ino=123456 \

sc tc t
In this example, an unprivileged user (faye) attempted to edit /etc/shadow when the system was in enforcing mode.

The "avc: denied" means that the operation was refused.
The "{ getattr }" means that someone tried to stat() the file. In this case, the file's attributes were looked up first (or at least, the operation tried to look them up), couldn't get those attributes and gave up.

The contents of the braces {} contain the operation or operations that were relevant to what SE Linux was doing. SE Linux can audit both allow and deny events, and in this case was auditing a deny and as such, tells you want was denied.

"for pid=" is the process id of your operation.
"exe=/usr/bin/vim" is the command you executed (in this case, vim).
"path=/etc/shadow" is the path to the object you tried to perform an operation on.
"dev=03:03" is the device number of the block device used for the file system concerned. So the first "03" means hda and the second "03" is 3, so this "dev=03:03" refers to /dev/hda3 (or if you're running devfs /dev/ide/host0/bus0/target0/lun0/part3). When SE Linux is auditing permissions it doesn't know the full path of the object you're trying to perform an operation on so it can't log anything but the device that you mounted and the location within the device. All it knows is the path relative to the file system, and the block device number for the file system. Say you access /etc/shadow. SE Linux doesn't know this file is in the root file system. All it knows is that the file is /etc/shadow within the file system it is working on.
"ino=123456" is the inode number of the object (in this case /etc/shadow)
"sc is the source context of the process performing the operation.
"tc is the security context of the target object (/etc/shadow).
"t means that the target object is a file.

Example 2

avc:  granted  { avc_toggle } for  pid=6073 exe=/sbin/avc_toggle \

sc tc t
The "avc: granted" means that your operation was accepted and executed.
The "{ avc_toggle }" means that a program called the avc_toggle() system call.
The "t means that the target process belongs to the system class.

Example 3

avc:  denied  { append } for  pid=6153 exe=/bin/bash path=/.bash_history dev=03:03 ino=498 \

sc tc t
This message means that idenity faye in the user_r:user_t role:domain tried to append to root's .bash_history file which is of type root_t, and was denied.

Example 4

avc:  denied  { write } for  pid=605 exe=/bin/touch dev=09:03 ino=2 \
sc tc t
In this example, notice that the path is missing. However, we can tell it is the root directory because of the inode number which is 2.

  Published with kind permission of Faye Coker Design by Interspire