SELinux Log files

If the Linux Auditing System (the auditd daemon) is running, SELinux denials are logged into the audit log file. The default audit log file is /var/log/audit/audit.log. In a situation where the auditd daemon is not running, AVC denials are logged in /var/log/messages.


In my opinion, it is prudent to enable the audit daemon and maintain a separate log file. The audit RPM should be installed by default on most Red Hat Enterprise systems.

If not installed, do so. In my system running RHEL 5, the RPM is audit-1.3.1-1.el5.
Also, do ensure that the auditd daemon is enabled to start at boot time. You can do that by issuing the following command:

[root@vbg ~]# chkconfig auditd on
To ensure that the auditd daemon has been enabled at start-up, issue the following command:

[root@vbg ~]# chkconfig --list auditd
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
As you can see, auditd will be executed whenever my system boots in run levels 3 or 5.

Once auditd is running, SELinux logs are written to the audit log file (generally /var/log/audit/audit.log).

A typical snippet of an AVC denial message, apart from the time stamp in my log file, is given below:

avc: denied { read } for pid=3579 comm="httpd" name="index.html" dev=hda3 ino=33001 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

Let us look at the log and decipher its meaning:

avc : [result of SELinux rules] { access type } for pid="subject - Process Id Number" comm="subject - program command" name="object - name" dev="object - device" ino="object - inode number" scontext="subject - Security Context of Source" tcontext="object - Security Context of Target" tclass=" object - Class Type of target"

The above error can be interpreted by classifying the subject, object details and understanding the operation that the subject was performing on the object.

1. Subject details in the log file:
o Subject Command = httpd
o Subject PID = 3579
o Subject Security Context = user_u:system_r:httpd_t:s0

2. Object details in the log file:
o Object Name = index.html
o Object Class = file
o Object Partition = hda3
o Object Inode Number = 33001
o Object Security Context = system_u:object_r:tmp_t:s0

3. Access details in the log file: Operation being Performed by Subject{ described in 1) above } on Object{ described in 2) above } = read

4. Result: Result of the Operation{ described in 3) above } = denied
The above can also be viewed in an easy-to-understand GUI. To be able to view the log file in GUI mode, install the setools-gui package.
Once installed, you can view your log file by executing the seaudit command. A GUI window shall open, which is similar to Figure 1.

Figure 1: The seaudit tool

In the file menu, select Open Log and then select /var/log/audit/audit.log.

Once you open the log file, you can see the details of error logs generated graphically, sorted in various columns. You can right click on the message of your choice and look at the original log message.