yum install setroubleshoot
command).
auditd
daemon is running, an SELinux denial message, such as the following, is written to /var/log/audit/audit.log
by default:
type=AVC msg=audit(1223024155.684:49): avc: denied { getattr } for pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
/var/log/message
file:
May 7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
setroubleshootd
no longer constantly runs as a service. However, it is still used to analyze the AVC messages. Two new programs act as a method to start setroubleshoot
when needed:
sedispatch
utility runs as a part of the audit
subsystem. When an AVC denial message is returned, sedispatch
sends a message using dbus
. These messages go straight to setroubleshootd
if it is already running. If it is not running, sedispatch
starts it automatically.
seapplet
utility runs in the system toolbar, waiting for dbus messages in setroubleshootd
. It launches the notification bubble, allowing the user to review AVC messages.
Procedure 10.7. Starting Daemons Automatically
auditd
and rsyslogd
daemons to automatically start at boot, run the following commands as the root user:
~]#
chkconfig --levels 2345 auditd on
~]#
chkconfig --levels 2345 rsyslog on
systemctl status service-name.service
command to check if these services are running, for example:
~]#
systemctl status auditd.service
auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled) Active: active (running) since Thu 2013-08-15 09:10:37 CEST; 23min ago
Active: inactive (dead)
), use the systemctl start service-name.service
command as root to start them. For example:
~]#
systemctl start auditd.service