CentOS Stream 10

SELinux : Search Logs (2025/01/02)


SELinux caches each access decision (allow or deny) once it has been made, and access denials are written to log files.
The SELinux decision cache is called the AVC (Access Vector Cache), and the logged denials are called [AVC Denials].

AVC denial logs are generated via Systemd Journald or the Audit service, so one of those two services needs to be running.
If the Rsyslog service is running (it is enabled by default), the logs are also written to [/var/log/messages].

[1] When the Systemd Journald or Rsyslog service is enabled, AVC denial logs are recorded in the journal and in [/var/log/messages].
[root@dlp ~]#
journalctl -t setroubleshoot

Jan 02 13:32:01 dlp.srv.world setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share. For complete SELinux messages run: sealert -l b4266c9e-dd94-48ae-8a2b-96f801280e1b
Jan 02 13:32:01 dlp.srv.world setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share.
.....
.....

[root@dlp ~]#
grep "setroubleshoot" /var/log/messages

Jan  2 13:32:00 dlp systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Jan  2 13:32:00 dlp systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Jan  2 13:32:01 dlp setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share. For complete SELinux messages run: sealert -l b4266c9e-dd94-48ae-8a2b-96f801280e1b
Jan  2 13:32:01 dlp setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share.#012#012*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************#012#012If you want to allow samba to enable home dirs#012Then you must tell SELinux about this by enabling the 'samba_enable_home_dirs' boolean.#012#012Do#012setsebool -P samba_enable_home_dirs 1#012#012*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************#012#012If you want to allow samba to export all rw#012Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.#012#012Do#012setsebool -P samba_export_all_rw 1#012#012*****  Plugin catchall (6.38 confidence) suggests   **************************#012#012If you believe that smbd should be allowed write access on the share directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'smbd[10.0.0.212' --raw | audit2allow -M my-smbd1000212#012# semodule -X 300 -i my-smbd1000212.pp#012
[2] When the Audit service is enabled, AVC denial logs are recorded in [/var/log/audit/audit.log].
[root@dlp ~]#
grep "avc: .denied" /var/log/audit/audit.log

type=AVC msg=audit(1735792319.628:274): avc:  denied  { write } for  pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1735792932.561:371): avc:  denied  { write } for  pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1735792957.697:376): avc:  denied  { write } for  pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
[3] Messages recorded via Auditd can be searched with the [ausearch] command.
[root@dlp ~]#
ausearch -m AVC

----
time->Thu Jan  2 13:31:59 2025
type=PROCTITLE msg=audit(1735792319.628:274): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=SYSCALL msg=audit(1735792319.628:274): arch=c000003e syscall=258 success=no exit=-13 a0=9 a1=55c4ec628e10 a2=1ff a3=80 items=0 ppid=2392 pid=2398 auid=4294967295 uid=65534 gid=0 euid=65534 suid=0 fsuid=65534 egid=65534 sgid=0 fsgid=65534 tty=(none) ses=4294967295 comm="smbd[10.0.0.212" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1735792319.628:274): avc:  denied  { write } for  pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Thu Jan  2 13:42:12 2025
type=PROCTITLE msg=audit(1735792932.561:371): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=SYSCALL msg=audit(1735792932.561:371): arch=c000003e syscall=258 success=no exit=-13 a0=9 a1=55c4ec629310 a2=1ff a3=80 items=0 ppid=2392 pid=2651 auid=4294967295 uid=65534 gid=0 euid=65534 suid=0 fsuid=65534 egid=65534 sgid=0 fsgid=65534 tty=(none) ses=4294967295 comm="smbd[10.0.0.215" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1735792932.561:371): avc:  denied  { write } for  pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
[4] Messages recorded via Auditd can be summarized with the [aureport] command.
[root@dlp ~]#
aureport --avc


AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 01/02/2025 13:31:59 smbd[10.0.0.212 system_u:system_r:smbd_t:s0 258 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 274
2. 01/02/2025 13:42:12 smbd[10.0.0.215 system_u:system_r:smbd_t:s0 258 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 371
3. 01/02/2025 13:42:37 smbd[10.0.0.215 system_u:system_r:smbd_t:s0 257 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 376
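The raw [type=AVC] records in [2] and the summary columns of [aureport --avc] in [4] are the same data in two layouts. The following Python script is an added example (not part of this page and not a tool shipped with CentOS or auditd) that parses AVC lines from audit.log, maps each field to the column aureport prints it in, and groups denials by source type, target type, object class and permission. The sample input is constructed from the audit.log lines shown above, with one abbreviated SYSCALL record added to show that non-AVC records are skipped; the [permissive=] field is interpreted as 0 = the access was actually blocked, 1 = logged only (permissive mode).

```python
import re
from collections import Counter
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample: AVC records as auditd writes them to /var/log/audit/audit.log,
# plus one abbreviated SYSCALL record (same serial as the first AVC) that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1735792319.628:274): avc:  denied  { write } for  pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1735792319.628:274): arch=c000003e syscall=258 success=no exit=-13 pid=2398 comm="smbd[10.0.0.212" exe="/usr/sbin/smbd"
type=AVC msg=audit(1735792932.561:371): avc:  denied  { write } for  pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1735792957.697:376): avc:  denied  { write } for  pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
"""

# Header: type, epoch timestamp, event serial, result, permission set; the rest is key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# Values are either double-quoted (comm="smbd[10.0.0.212" may contain spaces/brackets) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one type=AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'time': float(m.group('ts')),
        'serial': int(m.group('serial')),        # shared with the SYSCALL/PROCTITLE records of the same event
        'result': m.group('result'),
        'permissions': m.group('perms').split(), # e.g. ['write'] or ['read', 'open']
        'pid': int(kv['pid']) if 'pid' in kv else None,
        'comm': kv.get('comm'),
        'name': kv.get('name'),                  # object name, here the directory "share"
        'scontext': kv.get('scontext'),          # subject (process) label
        'tcontext': kv.get('tcontext'),          # target (object) label
        'tclass': kv.get('tclass'),
        'enforced': kv.get('permissive') == '0', # permissive=1 means the access was only logged
    }


def parse_audit_log(text):
    """Parse every AVC record in an audit.log-style text, skipping other record types."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r is not None]


def format_time(ts, tz=None):
    """Render the epoch timestamp in aureport's MM/DD/YYYY HH:MM:SS layout (local time if tz is None)."""
    return datetime.fromtimestamp(ts, tz).strftime('%m/%d/%Y %H:%M:%S')


def report_rows(records, tz=None):
    """One row per AVC record, in the column order aureport --avc uses."""
    return [
        f"{i}. {format_time(r['time'], tz)} {r['comm']} {r['scontext']} {r['tclass']} "
        f"{' '.join(r['permissions'])} {r['tcontext']} {r['result']} {r['serial']}"
        for i, r in enumerate(records, 1)
    ]


def summarize(records):
    """Count denials by (source type, target type, class, permission), e.g. ('smbd_t', 'user_home_dir_t', 'dir', 'write')."""
    counter = Counter()
    for r in records:
        if r['result'] != 'denied' or not r['scontext'] or not r['tcontext']:
            continue
        src_type = r['scontext'].split(':')[2]   # system_u:system_r:smbd_t:s0 -> smbd_t
        tgt_type = r['tcontext'].split(':')[2]   # unconfined_u:object_r:user_home_dir_t:s0 -> user_home_dir_t
        for perm in r['permissions']:
            counter[(src_type, tgt_type, r['tclass'], perm)] += 1
    return counter


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for row in report_rows(recs):
        print(row)
    for key, n in summarize(recs).items():
        print(f"{n} x {key}")
```

The grouped summary is what a practitioner wants before acting on a denial: the three records above collapse to a single (smbd_t, user_home_dir_t, dir, write) pattern, which says the Samba daemon is being stopped from writing into a directory still labelled as a user home directory. Whether the right fix is a boolean such as the ones setroubleshoot suggests, a relabel of the share, or a local policy module depends on that pairing, not on the individual events.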