10.10.3.6. Raw Audit Messages
Raw audit messages are logged to /var/log/audit/audit.log
. The following is an example AVC denial message (and the associated system call) that occurred when the Apache HTTP Server (running in the httpd_t
domain) attempted to access the /var/www/html/file1
file (labeled with the samba_share_t
type):
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
- { getattr }
The item in the curly brackets indicates the permission that was denied. The getattr
entry indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having a wrong label. Commonly seen permissions include getattr
, read
, and write
.
- comm="httpd"
The executable that launched the process. The full path of the executable is found in the exe=
section of the system call (SYSCALL
) message, which in this case, is exe="/usr/sbin/httpd"
.
- path="/var/www/html/file1"
The path to the object (target) the process attempted to access.
- scontext="unconfined_u:system_r:httpd_t:s0"
The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the httpd_t
domain.
- tcontext="unconfined_u:object_r:samba_share_t:s0"
The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of file1
. Note that the samba_share_t
type is not accessible to processes running in the httpd_t
domain.
In certain situations, the tcontext
may match the scontext
, for example, when a process attempts to execute a system service that will change characteristics of that running process, such as the user ID. Also, the tcontext
may match the scontext
when a process tries to use more resources (such as memory) than normal limits allow, resulting in a security check to see if that process is allowed to break those limits.
From the system call (SYSCALL
) message, two items are of interest:
success=no
: indicates whether the denial (AVC) was enforced or not. success=no
indicates the system call was not successful (SELinux denied access). success=yes
indicates the system call was successful. This can be seen for permissive domains or unconfined domains, such as initrc_t
and kernel_t
.
exe="/usr/sbin/httpd"
: the full path to the executable that launched the process, which in this case, is exe="/usr/sbin/httpd"
.
An incorrect file type is a common cause for SELinux denying access. To start troubleshooting, compare the source context (scontext
) with the target context (tcontext
). Should the process (scontext
) be accessing such an object (tcontext
)? For example, the Apache HTTP Server (httpd_t
) should only be accessing types specified in the httpd_selinux(8) manual page, such as httpd_sys_content_t
, public_content_t
, and so on, unless configured otherwise.