CentOS 7
Ads

SELinux : Search Logs
2016/04/03
 
Access OK or Deny decisions by SELinux are cached once and Denial Accesses are sent to Log files. Cache of SELinux is called AVC (Access Vector Cache) and Denial Accesses are called "AVC Denials", too.
AVC Denial Log is generated via Rsyslog Service or Audit Service, so it needs either of service is running.
[1] Messages via Rsyslog are generated with "kern" facility. CentOS default Rsyslog setting is written as "*.info;xxx /var/log/messages", so AVC Denial Log is recorded to /var/log/messages.
[root@dlp ~]#
grep "avc: .denied" /var/log/messages

Apr  2 13:20:06 www kernel: type=1400 audit(1459743606.523:6): avc:  denied  { read } for  pid=1298 
     comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 
     tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Apr  2 13:22:13 www kernel: type=1400 audit(1459743733.690:4): avc:  denied  { read } for  pid=891 
     comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 
     tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
[2] Messages via Auditd are generated to /var/log/audit/audit.log.
[root@dlp ~]#
grep "avc: .denied" /var/log/audit/audit.log

type=AVC msg=audit(1459146274.923:133): avc:  denied  { create } for  pid=8173 comm="smbd" 
     name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC scontext=system_u:system_r:smbd_t:s0 
     tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1459146274.924:134): avc:  denied  { create } for  pid=8173 comm="smbd" 
     name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC scontext=system_u:system_r:smbd_t:s0 
     tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1459217340.695:63): avc:  denied  { name_bind } for  pid=1320 comm="httpd" 
     src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1459217340.696:64): avc:  denied  { name_bind } for  pid=1320 comm="httpd" 
     src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
[3] For Messages via Auditd, it's possible to search them with ausearch command.
[root@dlp ~]#
ausearch -m AVC

----
time->Mon Mar 28 14:59:30 2016
type=SYSCALL msg=audit(1459144770.995:64): arch=c000003e syscall=83 success=no exit=-13 a0=7fac66386bb0 
     a1=1ff a2=1ff a3=7fac66388888 items=0 ppid=8142 pid=8173 auid=4294967295 uid=99 gid=0 euid=99 suid=0 
     fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" 
     subj=system_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(1459144770.995:64): 
     avc:  denied  { create } for  pid=8173 comm="smbd" name=E696B0E38197E38184E38395E382A9E383ABE38380E383BC 
     scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Mon Apr  4 11:27:08 2016
type=SYSCALL msg=audit(1459736828.877:69): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7efddf9b8cf8 
     a2=10 a3=7ffceb56695c items=0 ppid=1 pid=1407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
     gid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 
     key=(null) type=AVC msg=audit(1459736828.877:69): avc:  denied  { name_bind } for  pid=1407 comm="httpd" 
     src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
----
time->Mon Apr  4 11:27:08 2016
type=SYSCALL msg=audit(1459736828.877:68): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7efddf9b8db8 
     a2=1c a3=7ffceb566710 items=0 ppid=1 pid=1407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
     sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 
     key=(null) type=AVC msg=audit(1459736828.877:68): avc:  denied  { name_bind } for  pid=1407 comm="httpd" 
     src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
[4] For Messages via Auditd, it's possible to show summary reports with aureport command.
[root@dlp ~]#
aureport --avc


AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 08/08/2015 02:13:50 ? system_u:system_r:init_t:s0 0 (null) (null) (null) unset 347
2. 03/28/2016 13:51:10 ? system_u:system_r:kernel_t:s0 0 (null) (null) (null) unset 9
3. 03/28/2016 14:59:30 smbd system_u:system_r:smbd_t:s0 83 dir create system_u:object_r:user_home_dir_t:s0 denied 64
4. 03/28/2016 14:59:30 smbd system_u:system_r:smbd_t:s0 83 dir create system_u:object_r:user_home_dir_t:s0 denied 65
5. 03/28/2016 14:59:30 smbd system_u:system_r:smbd_t:s0 83 dir create system_u:object_r:user_home_dir_t:s0 denied 66
.....
.....
64. 04/04/2016 11:27:03 httpd system_u:system_r:httpd_t:s0 42 tcp_socket name_connect system_u:object_r:reserved_...
65. 04/04/2016 11:27:08 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_por...
66. 04/04/2016 11:27:08 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_por...

[root@dlp ~]#
aureport --avc --summary

Avc Object Summary Report
=================================
total  obj
=================================
32  unconfined_u:object_r:home_root_t:s0
20  system_u:object_r:user_home_dir_t:s0
5  system_u:object_r:reserved_port_t:s0
 
Tweet