Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Red Hat Enterprise Linux 9 Essentials Book now available.

Purchase a copy of Red Hat Enterprise Linux 9 (RHEL 9) Essentials

Red Hat Enterprise Linux 9 Essentials Print and eBook (PDF) editions contain 34 chapters and 298 pages

Preview Book

44.3. Analyst Control of SELinux

This section describes some common tasks that a security analyst might need to perform on an SELinux system.

44.3.1. Enabling Kernel Auditing

As part of an SELinux analysis or troubleshooting exercise, you might choose to enable complete kernel-level auditing. This can be quite verbose, because it generates one or more additional audit messages for each AVC audit message. To enable this level of auditing, append the audit=1 parameter to your kernel boot line, either in the /etc/grub.conf file or on the GRUB menu at boot time.

This is an example of a full audit log entry when httpd is denied access to ~/public_html because the directory is not labeled as Web content. Notice that the time and serial number stamps in the audit(...) field are identical in each case. This makes it easier to track a specific event in the audit logs:

Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
	avc:  denied  { getattr } for  pid=2239 exe=/usr/sbin/httpd \
	path=/home/auser/public_html dev=hdb2 ino=921135 \
	scontext=user_u:system_r:httpd_t \
	tcontext=system_u:object_r:user_home_t tclass=dir

The following audit message tells more about the source, including the kind of system call involved, showing that httpd tried to stat the directory:

Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
	syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \
	a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \
	suid=48 fsuid=48 egid=48 sgid=48 fsgid=48

The following message provides more information about the target:

Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
	item=0 name=/home/auser/public_html inode=921135 dev=00:00

The serial number stamp is always identical for a particular audited event. The time stamp may or may not be identical.


If you are using an audit daemon for troubleshooting, the daemon may capture audit messages into a location other than /var/log/messages, such as /var/log/audit/audit.log. Red Hat Enterprise Linux 5 does not currently ship with an audit daemon.

44.3.2. Dumping and Viewing Logs

The Red Hat Enterprise Linux 5 implementation of SELinux routes AVC audit messages to /var/log/messages. You can use any of the standard search utilities (for example, grep), to search for lines containing avc or audit.

  Published under the terms of the Open Publication License Design by Interspire