Product SiteDocumentation Site

10.3.5. Searching For and Viewing Denials

This section assumes the setroubleshoot, setroubleshoot-server, dbus and audit packages are installed, and that the auditd, rsyslogd, and setroubleshootd daemons are running. See Section 4.2, “Which Log File is Used” for information about starting these daemons. A number of utilites are available for searching for and viewing SELinux AVC messages, such as ausearch, aureport, and sealert.

ausearch

The audit package provides the ausearch utility that can query the audit daemon logs based for events based on different search criteria.[12] The ausearch utility accesses /var/log/audit/audit.log, and as such, must be run as the root user:
Searching ForCommand
all denialsausearch -m avc
denials for that todayausearch -m avc -ts today
denials from the last 10 minutesausearch -m avc -ts recent
To search for SELinux AVC messages for a particular service, use the -c comm-name option, where comm-name is the executable’s name, for example, httpd for the Apache HTTP Server, and smbd for Samba:
~]# ausearch -m avc -c httpd
~]# ausearch -m avc -c smbd
With each ausearch command, it is advised to use either the --interpret (-i) option for easier readability, or the --raw (-r) option for script processing. See the ausearch(8) manual page for further ausearch options.

aureport

The audit package provides the aureport utility, which produces summary reports of the audit system logs. [13] The aureport utility accesses /var/log/audit/audit.log, and as such, must be run as the root user. To view a list of SELinux denial messages and how often each one occurred, run the aureport -a command. The following is example output that includes two denials:
~]# aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 05/01/2009 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 05/03/2009 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4

sealert

The setroubleshoot-server package provides the sealert utility, which reads denial messages translated by setroubleshoot-server.[14] Denials are assigned IDs, as seen in /var/log/messages. The following is an example denial from messages:
setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7
In this example, the denial ID is 8c123656-5dda-4e5d-8791-9e3bd03786b7. The -l option takes an ID as an argument. Running the sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7 command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd, dbus and auditd daemons are running, a warning is displayed when access is denied by SELinux:
An AVC denial message
Clicking on Show launches the sealert GUI, which allows you to troubleshoot the problem:
Alternatively, run the sealert -b command to launch the sealert GUI. To view a detailed analysis of all denial messages, run the sealert -l \* command.


[12] See the ausearch(8) manual page for further information about ausearch.
[13] See the aureport(8) manual page for further information about aureport.
[14] See the sealert(8) manual page for further information about sealert.