SELinux Game Learn SELinux By Doing

Searching for Denials with ausearch

The friendly developers that work with SELinux on a daily basis have made a few tools that help you identify SELinux-related issues.

The ausearch utility is not an SELinux-specific tool. It is part of the Linux audit userspace: it parses the audit log written by auditd (by default /var/log/audit/audit.log) and lets you query the records in it, with -m avc selecting only the AVC records the SELinux access vector cache emits. One advantage over grepping the raw log is that it converts the epoch time stamp in each record, the number inside msg=audit(...), into a human-readable one.

root #ausearch -m avc --start recent
time->Thu Mar 14 21:15:57 2013
type=AVC msg=audit(1363292157.560:188): avc:  denied  { read } for  pid=29495 comm="Trace"
name="online" dev="sysfs" ino=30 scontext=staff_u:staff_r:googletalk_plugin_t
tcontext=system_u:object_r:sysfs_t tclass=file

The --start recent option limits the output to denials from the last 10 minutes. You can also use --start today for, well, today's denials; --start also accepts other keywords such as now, yesterday and this-week, or an explicit date and time. Keep in mind that ausearch can only show what auditd has logged: if the audit daemon is not running, the AVC messages end up in the kernel log (dmesg) instead, and denials covered by dontaudit rules in the policy are never logged at all unless you temporarily disable those rules with semodule -DB (and re-enable them with semodule -B).
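To make clear what ausearch is actually doing with the raw records, here is an added example (not from the SELinux Game page or from the audit project) that reproduces the two steps shown above in plain sh: keep only AVC denial records that fall inside a time window, and turn the msg=audit(EPOCH.MS:SERIAL) stamp into a "time->" line. The audit log lines it reads are constructed for the example (the first denial is the page's own), the helper names are my own, and it assumes GNU date for the epoch conversion.

```shell
#!/bin/sh
# Added example: a minimal stand-in for `ausearch -m avc --start recent`,
# handy when you only have a copy of audit.log and no ausearch binary.
# Not part of the SELinux Game page or the audit project.

# Constructed sample audit log (not a real capture): a SYSCALL record,
# the denial from the page, and an older unrelated denial.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1363292157.560:188): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1363292157.560:188): avc:  denied  { read } for  pid=29495 comm="Trace" name="online" dev="sysfs" ino=30 scontext=staff_u:staff_r:googletalk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=file
type=AVC msg=audit(1363200000.000:100): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t tcontext=unconfined_u:object_r:user_home_t tclass=file
EOF
}

# Pull the epoch seconds out of msg=audit(EPOCH.MS:SERIAL).
audit_epoch() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p'
}

# Render epoch seconds the way ausearch prints its "time->" line.
# ausearch uses local time; -u (UTC) keeps this example deterministic.
# Assumes GNU date (-d @EPOCH).
audit_time() {
    date -u -d "@$1" '+%a %b %e %H:%M:%S %Y'
}

# Equivalent of --start: 10 minutes before a reference instant, taken as
# an argument rather than the wall clock so the run is reproducible.
recent_since() {
    echo $(( $1 - 600 ))
}

# Read raw audit records on stdin, print the AVC denials whose time stamp
# is at or after $1 (epoch seconds; 0 means no lower bound).
avc_denials() {
    since=${1:-0}
    while IFS= read -r line; do
        case $line in
            type=AVC*denied*) ;;
            *) continue ;;
        esac
        ts=$(audit_epoch "$line")
        [ "$ts" -ge "$since" ] || continue
        printf 'time->%s\n%s\n----\n' "$(audit_time "$ts")" "$line"
    done
}

# Usage: the reference instant is a few minutes after the page's denial,
# so only that denial falls inside the "recent" window.
sample_log | avc_denials "$(recent_since 1363292400)"
```

Run it and you get the page's denial under a "time->Thu Mar 14 20:15:57 2013" line (UTC; the page shows the same instant in the author's local time zone), while the older httpd denial is filtered out exactly as --start recent would filter it.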


ausearch queries the audit log and, with -m avc, is the quickest way to list SELinux denials with readable time stamps

Try it!

Explore these commands using the tutorial vagrant box. Start the environment using
vagrant up tutorial
vagrant ssh tutorial
If you don't have the command, visit the getting started guide.

Portions of this page's content are copied from this page for non-commercial, educational purposes.