SELinux : Search Logs
2016/07/26
SELinux caches its allow/deny decisions once they are made, and denied accesses are written to log files.
The SELinux cache is called the AVC (Access Vector Cache), so these denied accesses are also called "AVC denials".
AVC denial logs are generated via the Rsyslog service or the Audit service, so one of these services needs to be running.
[1] Messages via Rsyslog are generated with the "kern" facility. The CentOS default Rsyslog setting is written as "*.info;xxx /var/log/messages", so AVC denial logs are recorded in /var/log/messages (this is the case when Auditd is not running).

[root@dlp ~]# grep "avc: .denied" /var/log/messages
Apr 2 13:20:06 www kernel: type=1400 audit(1459743606.523:6): avc: denied { read } for pid=1298 comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Apr 2 13:22:13 www kernel: type=1400 audit(1459743733.690:4): avc: denied { read } for pid=891 comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
[2] Messages via Auditd are written to /var/log/audit/audit.log.

[root@dlp ~]# grep "avc: .denied" /var/log/audit/audit.log
type=AVC msg=audit(1459146274.923:133): avc: denied { create } for pid=8173 comm="smbd" name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1459146274.924:134): avc: denied { create } for pid=8173 comm="smbd" name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1459217340.695:63): avc: denied { name_bind } for pid=1320 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1459217340.696:64): avc: denied { name_bind } for pid=1320 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
[3] Messages via Auditd can also be searched with the ausearch command.

[root@dlp ~]# ausearch -m AVC
----
time->Mon Mar 28 14:59:30 2016
type=SYSCALL msg=audit(1459144770.995:64): arch=c000003e syscall=83 success=no exit=-13 a0=7fac66386bb0 a1=1ff a2=1ff a3=7fac66388888 items=0 ppid=8142 pid=8173 auid=4294967295 uid=99 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1459144770.995:64): avc: denied { create } for pid=8173 comm="smbd" name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Mon Apr 4 11:27:08 2016
type=SYSCALL msg=audit(1459736828.877:69): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7efddf9b8cf8 a2=10 a3=7ffceb56695c items=0 ppid=1 pid=1407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 gid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1459736828.877:69): avc: denied { name_bind } for pid=1407 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
----
time->Mon Apr 4 11:27:08 2016
type=SYSCALL msg=audit(1459736828.877:68): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7efddf9b8db8 a2=1c a3=7ffceb566710 items=0 ppid=1 pid=1407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1459736828.877:68): avc: denied { name_bind } for pid=1407 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
[4] For messages via Auditd, summary reports can be shown with the aureport command.

[root@dlp ~]# aureport --avc

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 08/08/2015 02:13:50 ? system_u:system_r:init_t:s0 0 (null) (null) (null) unset 347
2. 03/28/2016 13:51:10 ? system_u:system_r:kernel_t:s0 0 (null) (null) (null) unset 9
3. 03/28/2016 14:59:30 smbd system_u:system_r:smbd_t:s0 83 dir create system_u:object_r:user_home_dir_t:s0 denied 64
4. 03/28/2016 14:59:30 smbd system_u:system_r:smbd_t:s0 83 dir create system_u:object_r:user_home_dir_t:s0 denied 65
5. 03/28/2016 14:59:30 smbd system_u:system_r:smbd_t:s0 83 dir create system_u:object_r:user_home_dir_t:s0 denied 66
.....
.....
64. 04/04/2016 11:27:03 httpd system_u:system_r:httpd_t:s0 42 tcp_socket name_connect system_u:object_r:reserved_...
65. 04/04/2016 11:27:08 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_por...
66. 04/04/2016 11:27:08 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_por...

[root@dlp ~]# aureport --avc --summary

Avc Object Summary Report
=================================
total obj
=================================
32 unconfined_u:object_r:home_root_t:s0
20 system_u:object_r:user_home_dir_t:s0
5 system_u:object_r:reserved_port_t:s0
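The records in [1] and [2] share one tail format ("avc: denied { perm } for key=value ..."), and the unquoted name= value in the smbd lines is hex-encoded UTF-8, which audit uses for strings containing spaces or non-ASCII bytes. As an added example (not part of the original page), the parser below extracts the fields from both the rsyslog and audit.log forms, decodes such names, and counts denials per target context the way "aureport --avc --summary" does; the sample lines are constructed from the output shown above.

```python
import re
from collections import Counter

# Constructed samples in the two formats shown on this page: an rsyslog "kern"
# line from /var/log/messages and type=AVC lines from audit.log. The unquoted
# name= value is how audit emits strings with spaces or non-ASCII bytes (hex).
SAMPLE_LOGS = """\
Apr 2 13:20:06 www kernel: type=1400 audit(1459743606.523:6): avc:  denied  { read } for  pid=1298 comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1459146274.923:133): avc:  denied  { create } for  pid=8173 comm="smbd" name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1459217340.695:63): avc:  denied  { name_bind } for  pid=1320 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
"""

# Common tail of both formats: decision, permission set, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {"name", "comm", "exe", "path"}   # string fields audit may hex-encode

def decode_value(key, raw):
    """Strip audit quoting; hex-decode unquoted string fields as UTF-8."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return raw

def parse_avc(line):
    """Return {'decision', 'perms', 'fields'} for one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"decision": m.group("decision"), "perms": m.group("perms").split(), "fields": fields}

def summarize_by_object(lines):
    """Count denials per target context, like 'aureport --avc --summary'."""
    counts = Counter()
    for rec in map(parse_avc, lines):
        if rec and rec["decision"] == "denied":
            counts[rec["fields"].get("tcontext", "?")] += 1
    return counts

if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_LOGS.splitlines())):
        print(rec["fields"].get("comm"), rec["perms"], rec["fields"]["tcontext"])
    print(summarize_by_object(SAMPLE_LOGS.splitlines()))
```

Run against real files with `parse_avc` over each line of /var/log/messages or /var/log/audit/audit.log; lines without an AVC record return None and are skipped by the summary.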