10.10.3.5. Searching For and Viewing Denials
This section assumes the
setroubleshoot,
setroubleshoot-server,
dbus and
audit packages are installed, and that the
auditd,
rsyslogd, and
setroubleshootd daemons are running. Refer to
Section 10.4.2, “Which Log File is Used” for information about starting these daemons. A number of utilites are available for searching for and viewing SELinux AVC messages, such as
ausearch,
aureport, and
sealert.
ausearch
The
audit package provides the
ausearch utility that can query the
audit daemon logs based for events based on different search criteria.
The
ausearch utility accesses
/var/log/audit/audit.log, and as such, must be run as the root user:
| Searching For | Command |
|---|
| all denials | ausearch -m avc |
| denials for that today | ausearch -m avc -ts today |
| denials from the last 10 minutes | ausearch -m avc -ts recent |
To search for SELinux AVC messages for a particular service, use the -c comm-name option, where comm-name is the executable’s name, for example, httpd for the Apache HTTP Server, and smbd for Samba:
~]# ausearch -m avc -c httpd
~]# ausearch -m avc -c smbd
With each ausearch command, it is advised to use either the --interpret (-i) option for easier readability, or the --raw (-r) option for script processing. Refer to the ausearch(8) manual page for further ausearch options.
aureport
The
audit package provides the
aureport utility, which produces summary reports of the audit system logs.
The
aureport utility accesses
/var/log/audit/audit.log, and as such, must be run as the root user. To view a list of SELinux denial messages and how often each one occurred, run the
aureport -a command. The following is example output that includes two denials:
~]# aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 05/01/2009 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 05/03/2009 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
sealert
The
setroubleshoot-server package provides the
sealert utility, which reads denial messages translated by
setroubleshoot-server.
Denials are assigned IDs, as seen in
/var/log/messages. The following is an example denial from
messages:
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020
In this example, the denial ID is 84e0b04d-d0ad-4347-8317-22e74f6cd020. The -l option takes an ID as an argument. Running the sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020 command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd, dbus and auditd daemons are running, a warning is displayed when access is denied by SELinux.
Run the sealert -b command to launch the sealert GUI.
Run the sealert -l \* command to view a detailed analysis of all denials.
As root, run the sealert -a /var/log/audit/audit.log -H > audit.html command to create a HTML version of the sealert analysis, as seen with the sealert GUI.
