4.2. Which Log File is Used
In Red Hat Enterprise Linux, the dbus and audit packages are installed by default, unless they are removed from the default package selection. The setroubleshoot-server package must be installed using Yum (use the yum install setroubleshoot-server command).
If the auditd daemon is running, an SELinux denial message, such as the following, is written to /var/log/audit/audit.log by default:
type=AVC msg=audit(1223024155.684:49): avc: denied { getattr } for pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
In addition, a message similar to the one below is written to the /var/log/messages file:
May 7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
In Red Hat Enterprise Linux 7, setroubleshootd no longer constantly runs as a service. However, it is still used to analyze the AVC messages. Two new programs act as a method to start setroubleshoot when needed:
- The sedispatch utility runs as a part of the audit subsystem. When an AVC denial message is returned, sedispatch sends a message using dbus. These messages go straight to setroubleshootd if it is already running. If it is not running, sedispatch starts it automatically.
- The seapplet utility runs in the system toolbar, waiting for dbus messages in setroubleshootd. It launches the notification bubble, allowing the user to review AVC messages.
Procedure 4.1. Starting Daemons Automatically
- To configure the auditd and rsyslog daemons to automatically start at boot, enter the following commands as the root user:
~]# systemctl enable auditd.service
~]# systemctl enable rsyslog.service
- To ensure that the daemons are enabled, type the following commands at the shell prompt:
~]$ systemctl is-enabled auditd
enabled
~]$ systemctl is-enabled rsyslog
enabled
Alternatively, use the systemctl status service-name.service command and search for the keyword enabled in the command output, for example:
~]$ systemctl status auditd.service | grep enabled
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
To learn more on how the systemd daemon manages system services, see the Managing System Services chapter in the System Administrator's Guide.