Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Red Hat Enterprise Linux 9 Essentials Book now available.

Purchase a copy of Red Hat Enterprise Linux 9 (RHEL 9) Essentials

Red Hat Enterprise Linux 9 Essentials Print and eBook (PDF) editions contain 34 chapters and 298 pages

Preview Book

8.3.5. Searching For and Viewing Denials

This section assumes the setroubleshoot, setroubleshoot-server, dbus and audit packages are installed, and that the auditd, rsyslogd, and setroubleshootd daemons are running. Refer to Section 5.2, “Which Log File is Used” for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as ausearch, aureport, and sealert.
ausearch
The audit package provides ausearch. From the ausearch(8) manual page: "ausearch is a tool that can query the audit daemon logs based for events based on different search criteria"[14]. The ausearch tool accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user:
Searching For Command
all denials /sbin/ausearch -m avc
denials for that today /sbin/ausearch -m avc -ts today
denials from the last 10 minutes /sbin/ausearch -m avc -ts recent
To search for SELinux denials for a particular service, use the -c comm-name option, where comm-name "is the executable’s name"[15], for example, httpd for the Apache HTTP Server, and smbd for Samba:
/sbin/ausearch -m avc -c httpd
/sbin/ausearch -m avc -c smbd
Refer to the ausearch(8) manual page for further ausearch options.
aureport
The audit package provides aureport. From the aureport(8) manual page: "aureport is a tool that produces summary reports of the audit system logs"[16]. The aureport tool accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the aureport -a command. The following is example output that includes two denials:
# /sbin/aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 05/01/2009 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 05/03/2009 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
Refer to the aureport(8) manual page for further aureport options.
sealert
The setroubleshoot-server package provides sealert, which reads denial messages translated by setroubleshoot-server. Denials are assigned IDs, as seen in /var/log/messages. The following is an example denial from messages:
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
In this example, the denial ID is 84e0b04d-d0ad-4347-8317-22e74f6cd020. The -l option takes an ID as an argument. Running the sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020 command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd, dbus and auditd daemons are running, a warning is displayed when access is denied by SELinux. Clicking on 'Show' launches the sealert GUI, and displays denials in HTML output:
  • Run the sealert -b command to launch the sealert GUI.
  • Run the sealert -l \* command to view a detailed analysis of all denials.
  • As the Linux root user, run the sealert -a /var/log/audit/audit.log -H > audit.html command to create a HTML version of the sealert analysis, as seen with the sealert GUI.
Refer to the sealert(8) manual page for further sealert options.


[14] From the ausearch(8) manual page, as shipped with the audit package in Red Hat Enterprise Linux 6.

[15] From the ausearch(8) manual page, as shipped with the audit package in Red Hat Enterprise Linux 6.

[16] From the aureport(8) manual page, as shipped with the audit package in Red Hat Enterprise Linux 6.


 
 
  Published under the terms of the Creative Commons License Design by Interspire