
7.3.5. Searching For and Viewing Denials

This section assumes the setroubleshoot, setroubleshoot-server, dbus and audit packages are installed, and that the auditd, rsyslogd, and setroubleshootd daemons are running. Refer to Section 5.2, "Which Log File is Used" for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as ausearch, aureport, and sealert.
ausearch
The audit package provides ausearch. From the ausearch(8) manual page: "ausearch is a tool that can query the audit daemon logs based for events based on different search criteria"[15]. The ausearch tool accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user:
Searching                            Command
all denials                          /sbin/ausearch -m avc
today's denials                      /sbin/ausearch -m avc -ts today
denials from the last 10 minutes     /sbin/ausearch -m avc -ts recent
To search for SELinux denials for a particular service, use the -c comm-name option, where comm-name "is the executable’s name"[16], for example, httpd for the Apache HTTP Server, and smbd for Samba:
/sbin/ausearch -m avc -c httpd
/sbin/ausearch -m avc -c smbd
Refer to the ausearch(8) manual page for further ausearch options.
aureport
The audit package provides aureport. From the aureport(8) manual page: "aureport is a tool that produces summary reports of the audit system logs"[17]. The aureport tool accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the aureport -a command. The following is example output that includes two denials:
# /sbin/aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 05/01/2009 21:41:39 httpd unconfined_u:system_r:httpd_t:s0 195 file getattr system_u:object_r:samba_share_t:s0 denied 2
2. 05/03/2009 22:00:25 vsftpd unconfined_u:system_r:ftpd_t:s0 5 file read unconfined_u:object_r:cifs_t:s0 denied 4

Refer to the aureport(8) manual page for further aureport options.
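The counts that aureport -a prints are just an aggregation of the raw AVC records in audit.log. The following added example (not part of this guide or the audit package) reproduces that grouping from records fed on stdin, so you can see which fields the report is built from; the records in SAMPLE_AVC are constructed and the summarize_avc function is a name chosen here.

```shell
#!/bin/sh
# Constructed sample of raw AVC records in the format auditd writes to
# /var/log/audit/audit.log (PIDs, inodes and timestamps are made up).
SAMPLE_AVC='type=AVC msg=audit(1241210499.123:195): avc:  denied  { getattr } for  pid=2342 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1241210500.456:196): avc:  denied  { getattr } for  pid=2342 comm="httpd" path="/var/www/html/file2" dev=dm-0 ino=12346 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1241388025.789:5): avc:  denied  { read } for  pid=3100 comm="vsftpd" name="data" dev=cifs ino=99 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:cifs_t:s0 tclass=file
type=SYSCALL msg=audit(1241388025.789:5): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0
type=AVC msg=audit(1241388030.000:6): avc:  granted  { read } for  pid=3100 comm="vsftpd" name="motd" dev=dm-0 ino=77 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# summarize_avc: read audit records on stdin and print one line per distinct
# (comm, class, permission, target type) that was DENIED, with a count,
# most frequent first. Granted AVCs and non-AVC records are ignored.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      comm = ""; perm = ""; tclass = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
        else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
      }
      # the permission list sits between "{" and "}" and may hold several names
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      count[comm "\t" tclass "\t" perm "\t" ttype]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' | sort -rn
}

# Stand-alone run over the constructed sample. On a real system (as root):
#   /sbin/ausearch -m avc -r | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```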
sealert
The setroubleshoot-server package provides sealert, which reads denial messages translated by setroubleshoot-server. Denials are assigned IDs, as seen in /var/log/messages. The following is an example denial from messages:
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020

In this example, the denial ID is 84e0b04d-d0ad-4347-8317-22e74f6cd020. The -l option takes an ID as an argument. Running the sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020 command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access.
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd, dbus and auditd daemons are running, a warning is displayed when access is denied by SELinux. Clicking on 'Show' launches the sealert GUI, and displays denials in HTML output:
Refer to the sealert(8) manual page for further sealert options.


[15] From the ausearch(8) manual page, as shipped with the audit package in Fedora 13.

[16] From the ausearch(8) manual page, as shipped with the audit package in Fedora 13.

[17] From the aureport(8) manual page, as shipped with the audit package in Fedora 13.