Rocky_Linux_8

SELinux : Search Logs
2021/07/22

Allow or deny decisions made by SELinux are cached, and denied accesses are sent to log files.
The SELinux cache is called the AVC (Access Vector Cache), and the denied accesses are called [AVC Denials].
AVC denial logs are generated via systemd Journald or the Audit service, so one of those services needs to be running.
If the Rsyslog service is running (enabled by default), the logs are also written to [/var/log/messages].
[1] When the Audit service is disabled and systemd Journald or the Rsyslog service is enabled, AVC denial logs are recorded in Journald or [/var/log/messages].
[root@dlp ~]#
journalctl -t setroubleshoot

-- Logs begin at Thu 2021-07-22 10:40:28 JST, end at Thu 2021-07-22 11:19:37 JS>
Jul 22 10:44:20 dlp.srv.world setroubleshoot[1451]: AnalyzeThread.run(): Cancel>
Jul 22 10:44:20 dlp.srv.world setroubleshoot[1451]: failed to retrieve rpm info>
Jul 22 10:44:22 dlp.srv.world setroubleshoot[1451]: SELinux is preventing /usr/>
Jul 22 10:44:22 dlp.srv.world setroubleshoot[1451]: SELinux is preventing /usr/>
.....
.....

[root@dlp ~]#
grep "avc: .denied" /var/log/messages

Jul 22 11:27:28 dlp kernel: audit: type=1400 audit(1626920848.972:131): avc:  denied  { name_bind } for  pid=26588 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
Jul 22 11:27:28 dlp kernel: audit: type=1400 audit(1626920848.972:132): avc:  denied  { name_bind } for  pid=26588 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
Jul 22 11:27:34 dlp kernel: audit: type=1400 audit(1626920854.529:134): avc:  denied  { name_bind } for  pid=26594 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[2] When the Audit service is enabled, AVC denial logs are recorded in [/var/log/audit/audit.log].
[root@dlp ~]#
grep "avc: .denied" /var/log/audit/audit.log

type=AVC msg=audit(1626918259.673:75): avc:  denied  { getattr } for  pid=1108 comm="login" name="/" dev="tmpfs" ino=11496 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1626920524.761:125): avc:  denied  { name_bind } for  pid=26512 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1626920524.761:126): avc:  denied  { name_bind } for  pid=26512 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[3] Messages recorded via Auditd can be searched with the [ausearch] command.
[root@dlp ~]#
ausearch -m AVC

time->Thu Jul 22 11:22:04 2021
type=PROCTITLE msg=audit(1626920524.761:125): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1626920524.761:125): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=5596a6f5a980 a2=1c a3=7ffdf1fac3dc items=0 ppid=1 pid=26512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1626920524.761:125): avc:  denied  { name_bind } for  pid=26512 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Thu Jul 22 11:22:04 2021
type=PROCTITLE msg=audit(1626920524.761:126): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1626920524.761:126): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=5596a6f5a8c0 a2=10 a3=7ffdf1fac3cc items=0 ppid=1 pid=26512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1626920524.761:126): avc:  denied  { name_bind } for  pid=26512 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[4] For messages recorded via Auditd, summary reports can be shown with the [aureport] command.
[root@dlp ~]#
aureport --avc


AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 07/16/2021 09:18:04 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 85
2. 07/16/2021 14:20:22 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 76
3. 07/22/2021 10:39:36 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 79
4. 07/22/2021 10:44:19 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 75
5. 07/22/2021 11:15:01 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 116
6. 07/22/2021 11:18:31 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 119
7. 07/22/2021 11:22:04 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 125
8. 07/22/2021 11:22:04 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 126
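As an added example (not part of the original page), a small Python parser for the AVC denial lines shown in [1] and [2] that tallies denials per source type, target type, object class and permission, roughly the grouping that aureport --avc prints. The sample records are copied from the log output above; the parser itself is an assumption, not a tool from the page.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# One pattern matches both record shapes on this page: the "kernel: audit:" line
# in /var/log/messages and the "type=AVC" record in /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {}
    # Trailing key=value pairs: pid, comm, scontext, tcontext, tclass, permissive, ...
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    rec["time"] = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    rec["serial"] = int(m.group("serial"))
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(lines):
    """Count denials per (source type, target type, class, permission, permissive), like aureport --avc."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]  # e.g. httpd_t
        ttype = rec["tcontext"].split(":")[2]  # e.g. reserved_port_t
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm, rec.get("permissive") == "1")] += 1
    return counts

# Constructed sample: three records from the output above plus a SYSCALL record the parser must skip.
SAMPLE = """\
Jul 22 11:27:28 dlp kernel: audit: type=1400 audit(1626920848.972:131): avc:  denied  { name_bind } for  pid=26588 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1626918259.673:75): avc:  denied  { getattr } for  pid=1108 comm="login" name="/" dev="tmpfs" ino=11496 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1626920524.761:125): avc:  denied  { name_bind } for  pid=26512 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1626920524.761:125): arch=c000003e syscall=49 success=no exit=-13
""".splitlines()

if __name__ == "__main__":
    for (stype, ttype, tclass, perm, permissive), n in summarize(SAMPLE).items():
        print(f"{n:3d}  {stype} -> {ttype} {tclass}:{perm}  permissive={permissive}")
```

Feed it real lines with `summarize(open("/var/log/audit/audit.log"))` to get the same grouping over a live log; a denial with permissive=1 counts separately, so you can see what would have been blocked in enforcing mode.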