8.3.5. Searching For and Viewing Denials
This section assumes the setroubleshoot, setroubleshoot-server, dbus and audit packages are installed, and that the auditd, rsyslogd, and setroubleshootd daemons are running. Refer to Section 5.2, "Which Log File is Used" for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as ausearch, aureport, and sealert.
ausearch
The audit package provides the ausearch utility. From the ausearch(8) manual page: "ausearch is a tool that can query the audit daemon logs for events based on different search criteria"[13]. The ausearch utility accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user:
Searching For                      | Command
-----------------------------------|---------------------------
all denials                        | ausearch -m avc
denials from today                 | ausearch -m avc -ts today
denials from the last 10 minutes   | ausearch -m avc -ts recent
To search for SELinux denials for a particular service, use the -c comm-name option, where comm-name "is the executable's name"[14], for example, httpd for the Apache HTTP Server, and smbd for Samba:

~]# ausearch -m avc -c httpd
~]# ausearch -m avc -c smbd
With each ausearch command, it is advised to use either the --interpret (-i) option for easier readability, or the --raw (-r) option for script processing. Note that -m avc matches only kernel AVC records; denials reported by userspace object managers (for example, dbus) are logged as USER_AVC records, so search for both with -m avc,user_avc when a denial is not found. Refer to the ausearch(8) manual page for further ausearch options.
aureport
The audit package provides the aureport utility. From the aureport(8) manual page: "aureport is a tool that produces summary reports of the audit system logs"[15]. The aureport utility accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the aureport -a command. The following is example output that includes two denials:
~]# aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 05/01/2009 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 05/03/2009 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4
Refer to the aureport(8) manual page for further aureport options.
sealert
The setroubleshoot-server package provides the sealert utility, which reads denial messages translated by setroubleshoot-server. Denials are assigned IDs, as seen in /var/log/messages. The following is an example denial from messages:

setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7

In this example, the denial ID is 8c123656-5dda-4e5d-8791-9e3bd03786b7. The -l option takes an ID as an argument. Running the sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7 command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd, dbus and auditd daemons are running, a warning is displayed when access is denied by SELinux. Clicking on Show launches the sealert GUI, which allows you to troubleshoot the problem.

Alternatively, run the sealert -b command to launch the sealert GUI. To view a detailed analysis of all denial messages, run the sealert -l \* command.
See the sealert(8) manual page for further sealert options.
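The aureport -a summary and the sealert ID lookup above both boil down to parsing a few fields out of log records. The following script is an added example, not from the Red Hat guide or the audit project: avc_summary reproduces the per-denial count that aureport -a gives, directly from audit.log-style records (handy when audit.log has been copied off a host that has no audit tools), and sealert_ids extracts the distinct denial IDs from /var/log/messages so each can be passed to sealert -l. Both function names are chosen here; the sample records are constructed for the example (only the first denial ID is the one quoted in the text), and grep -o needs GNU or BSD grep.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: summarise SELinux AVC denials
# the way `aureport -a` does, straight from audit.log-style records, and pull
# the denial IDs that setroubleshoot writes to /var/log/messages so each can be
# handed to `sealert -l`. Requires only POSIX sh, grep (-o), awk, sort, uniq, sed.

# Constructed sample of audit.log records (not real data). The timestamp in
# msg=audit(...) is epoch_seconds.milliseconds:serial, as auditd writes it.
SAMPLE_AVC='type=AVC msg=audit(1241217699.321:2): avc:  denied  { getattr } for  pid=2386 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1241217699.321:2): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1241217700.100:3): avc:  denied  { getattr } for  pid=2386 comm="httpd" path="/var/www/html/file2" dev=dm-0 ino=284134 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1241391625.500:4): avc:  denied  { read } for  pid=2981 comm="vsftpd" path="/cifs/share/f" dev=cifs ino=12 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:cifs_t:s0 tclass=file
type=AVC msg=audit(1241391630.000:5): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Constructed sample of /var/log/messages lines. The first ID is the one used in
# the text above; the second is made up for the example.
SAMPLE_MESSAGES='May  1 21:41:39 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7
May  1 21:41:40 host kernel: unrelated line that must be ignored
May  3 22:00:25 host setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from read access on the file f. For complete SELinux messages. run sealert -l 00000000-1111-2222-3333-444444444444
May  3 22:00:26 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7'

# Read audit records on stdin; print "count comm tclass permissions scontext
# tcontext", most frequent first. Only type=AVC records that were denied are
# counted, so granted (auditallow) records and SYSCALL records are skipped.
avc_summary() {
    grep '^type=AVC ' | grep 'avc: *denied' |
    awk '{
        perm = ""; comm = ""; tclass = ""; sctx = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                  # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "," $j)
            }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            if ($i ~ /^scontext=/) sctx = substr($i, 10)
            if ($i ~ /^tcontext=/) tctx = substr($i, 10)
        }
        if (comm != "" && tclass != "") print comm, tclass, perm, sctx, tctx
    }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Read syslog lines on stdin; print each distinct setroubleshoot denial ID once,
# ready for `sealert -l <id>`.
sealert_ids() {
    grep 'setroubleshoot:' | grep -o 'sealert -l [0-9a-f-]*' | awk '{ print $3 }' | sort -u
}

# Stand-alone run on the constructed samples. On a live system, as root, feed
# real records instead:  ausearch -m avc -r | avc_summary
#                        sealert_ids < /var/log/messages
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_MESSAGES" | sealert_ids
```

The summary groups on subject context, object context, class and permission rather than on path, which is what you want when deciding whether a denial is one policy gap hit many times or several distinct gaps; ausearch -m avc -r produces exactly the raw record format the script parses.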
[13] From the ausearch(8) manual page, as shipped with the audit package in Red Hat Enterprise Linux 6.
[14] From the ausearch(8) manual page, as shipped with the audit package in Red Hat Enterprise Linux 6.
[15] From the aureport(8) manual page, as shipped with the audit package in Red Hat Enterprise Linux 6.