http://www.selinuxproject.org/w/?title=NB_AL&action=history&feed=atom NB AL - Revision history 2024-03-28T12:18:15Z Revision history for this page on the wiki MediaWiki 1.23.13 http://www.selinuxproject.org/w/?title=NB_AL&diff=1696&oldid=prev RichardHaines at 14:32, 6 December 2014 2014-12-06T14:32:05Z <p></p> <a href="http://www.selinuxproject.org/w/?title=NB_AL&amp;diff=1696&amp;oldid=952">Show changes</a> RichardHaines http://www.selinuxproject.org/w/?title=NB_AL&diff=952&oldid=prev RichardHaines: /* AVC Audit Events */ 2010-05-16T15:13:49Z <p>‎<span dir="auto"><span class="autocomment">AVC Audit Events</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:13, 16 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 110:</td> <td colspan="2" class="diff-lineno">Line 110:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== AVC Audit Events ==</div></td><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== AVC Audit Events ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Table <del class="diffchange diffchange-inline">4 </del>shows the general format of AVC audit message within the &lt;tt&gt;/var/log/audit/audit.log&lt;/tt&gt; file. These appear when access has been denied or an audit event has been specifically requested.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Table <ins class="diffchange diffchange-inline">1 </ins>shows the general format of AVC audit message within the &lt;tt&gt;/var/log/audit/audit.log&lt;/tt&gt; file. 
These appear when access has been denied or an audit event has been specifically requested.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{| border=&quot;1&quot;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{| border=&quot;1&quot;</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 132:</td> <td colspan="2" class="diff-lineno">Line 132:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1243332701.744:101): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=553ac0 a2=552ff4 a3=bfc5eab0 items=0 &#160;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1243332701.744:101): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=553ac0 a2=552ff4 a3=bfc5eab0 items=0 &#160;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>ppid=2671 pid=2714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=&quot;ls&quot; ''exe=&quot;/bin/ls''&quot; subj=system_u:object_r:unlabeled_t:s0 key=(null)</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>ppid=2671 pid=2714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=&quot;ls&quot; ''exe=&quot;/bin/ls''&quot;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>subj=system_u:object_r:unlabeled_t:s0 key=(null)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: 
top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td colspan="2" class="diff-lineno">Line 244:</td> <td colspan="2" class="diff-lineno">Line 245:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: 
pre-wrap;"><div>|}</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">''Table 1: AVC Audit Message Description - The keywords in bold are in all AVC audit messages, the others depend on the type of event being audited.''</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">''Table 4: AVC Audit Message Description - The keywords in bold are in all AVC audit messages, the others depend on the type of event being audited.''</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: 
pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Example audit.log denied and granted events are shown in the following examples:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Example audit.log denied and granted events are shown in the following examples:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 252:</td> <td colspan="2" class="diff-lineno">Line 253:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># type=AVC calls, but only one corresponding type=SYSCALL entry.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># type=AVC calls, but only one corresponding type=SYSCALL entry.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: 
pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=AVC msg=audit(1242575005.122:101): avc: denied { rename } for pid=2508 comm=&quot;canberra-gtk-pl&quot; name=&quot;c73a516004b572d8c845c74c49b2511d:runtime.tmp&quot; dev=dm-0 ino=188999 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0 tcontext=test_u:object_r:gnome_home_t:s0 tclass=lnk_file</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=AVC msg=audit(1242575005.122:101): avc: denied { rename } for pid=2508 comm=&quot;canberra-gtk-pl&quot;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>name=&quot;c73a516004b572d8c845c74c49b2511d:runtime.tmp&quot; dev=dm-0 ino=188999 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>tcontext=test_u:object_r:gnome_home_t:s0 tclass=lnk_file</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; 
border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=AVC msg=audit(1242575005.122:101): avc: denied { unlink } for pid=2508 comm=&quot;canberra-gtk-pl&quot; name=&quot;c73a516004b572d8c845c74c49b2511d:runtime&quot; dev=dm-0 ino=188578 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:gnome_home_t:s0 tclass=lnk_file</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=AVC msg=audit(1242575005.122:101): avc: denied { unlink } for pid=2508 comm=&quot;canberra-gtk-pl&quot; &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>name=&quot;c73a516004b572d8c845c74c49b2511d:runtime&quot; dev=dm-0 ino=188578 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>tcontext=system_u:object_r:gnome_home_t:s0 tclass=lnk_file</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1242575005.122:101): arch=40000003 syscall=38 success=yes exit=0 a0=82d2760 a1=82d2850 a2=da6660 a3=82cb550 items=0 ppid=2179 pid=2508 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=&quot;canberra-gtk-pl&quot; exe=&quot;/usr/bin/canberra-gtk-play&quot; subj=test_u:staff_r:oddjob_mkhomedir_t:s0 key=(null)</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1242575005.122:101): arch=40000003 syscall=38 success=yes exit=0 a0=82d2760 a1=82d2850 a2=da6660 a3=82cb550 items=0</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>ppid=2179 pid=2508 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=&quot;canberra-gtk-pl&quot;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>exe=&quot;/usr/bin/canberra-gtk-play&quot; subj=test_u:staff_r:oddjob_mkhomedir_t:s0 
key=(null)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># These are example X-Windows object manager audit message:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># These are example X-Windows object manager audit message:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; 
border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=USER_AVC msg=audit(1267534171.023:18): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t msg='avc: denied { getfocus } for request=X11:GetInputFocus comm=X-setest xdevice=&quot;Virtual core keyboard&quot; scontext=user_u:unconfined_r:x_select_paste_t tcontext=system_u:unconfined_r:unconfined_t tclass=x_keyboard : exe=&quot;/usr/bin/Xorg&quot; sauid=0 hostname=? addr=? terminal=?'</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=USER_AVC msg=audit(1267534171.023:18): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>msg='avc: denied { getfocus } for request=X11:GetInputFocus comm=X-setest xdevice=&quot;Virtual core keyboard&quot; &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: 
pre-wrap;"><div>scontext=user_u:unconfined_r:x_select_paste_t tcontext=system_u:unconfined_r:unconfined_t tclass=x_keyboard : exe=&quot;/usr/bin/Xorg&quot; sauid=0</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>hostname=? addr=? terminal=?'</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=USER_AVC msg=audit(1267534395.930:19): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t msg='avc: denied { read } for request=SELinux:SELinuxGetClientContext comm=X-setest resid=3c00001 restype=&lt;unknown&gt; scontext=user_u:unconfined_r:x_select_paste_t tcontext=user_u:unconfined_r:unconfined_t tclass=x_resource : exe=&quot;/usr/bin/Xorg&quot; sauid=0 hostname=? addr=? 
terminal=?'</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=USER_AVC msg=audit(1267534395.930:19): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>msg='avc: denied { read } for request=SELinux:SELinuxGetClientContext comm=X-setest resid=3c00001 restype=&lt;unknown&gt; &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>scontext=user_u:unconfined_r:x_select_paste_t tcontext=user_u:unconfined_r:unconfined_t tclass=x_resource : exe=&quot;/usr/bin/Xorg&quot; sauid=0 &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>hostname=? addr=? 
terminal=?'</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># This is an example granted audit message:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># This is an example granted audit message:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: 
top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=AVC msg=audit(1239116352.727:311): avc: granted { transition } for pid=7687 comm=&quot;bash&quot; path=&quot;/usr/move_file/move_file_c&quot; dev=dm-0 ino=402139 scontext=user_u:unconfined_r:unconfined_t tcontext=user_u:unconfined_r:move_file_t tclass=process</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=AVC msg=audit(1239116352.727:311): avc: granted { transition } for pid=7687 comm=&quot;bash&quot; path=&quot;/usr/move_file/move_file_c&quot; dev=dm-0 &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>ino=402139 scontext=user_u:unconfined_r:unconfined_t tcontext=user_u:unconfined_r:move_file_t tclass=process</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; 
border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1239116352.727:311): arch=40000003 syscall=11 success=yes exit=0 a0=8a6ea98 a1=8a56fa8 a2=8a578e8 a3=0 items=0 ppid=2660 pid=7687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=&quot;move_file_c&quot; exe=&quot;/usr/move_file/move_file_c&quot; subj=user_u:unconfined_r:move_file_t key=(null)</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1239116352.727:311): arch=40000003 syscall=11 success=yes exit=0 a0=8a6ea98 a1=8a56fa8 a2=8a578e8 a3=0 items=0 &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>ppid=2660 pid=7687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=&quot;move_file_c&quot; &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>exe=&quot;/usr/move_file/move_file_c&quot; subj=user_u:unconfined_r:move_file_t key=(null)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: 
#e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> RichardHaines http://www.selinuxproject.org/w/?title=NB_AL&diff=951&oldid=prev RichardHaines: /* SELinux-aware Application Events */ 2010-05-16T15:06:41Z <p>‎<span dir="auto"><span class="autocomment">SELinux-aware Application Events</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:06, 16 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 35:</td> <td colspan="2" class="diff-lineno">Line 35:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: 
#f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1243855634.660:30): arch=40000003 syscall=4 success=yes exit=3480819 a0=4 a1=b7c74000 a2=351cf3 a3=bfbd9dc8 items=0</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1243855634.660:30): arch=40000003 syscall=4 success=yes exit=3480819 a0=4 a1=b7c74000 a2=351cf3 a3=bfbd9dc8 items=0</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>ppid=2731 pid=2732 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=&quot;load_policy&quot; exe=&quot;/usr/sbin/load_policy&quot; subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>ppid=2731 pid=2732 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=&quot;load_policy&quot; &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>exe=&quot;/usr/sbin/load_policy&quot; subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=USER_ROLE_CHANGE msg=audit(1243855646.618:31): user pid=2731 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=USER_ROLE_CHANGE msg=audit(1243855646.618:31): user pid=2731 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 53:</td> <td colspan="2" class="diff-lineno">Line 54:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; 
font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1243856597.296:32): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf95b554 a2=1 a3=bf95b554 items=0 ppid=2643 &#160;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>type=SYSCALL msg=audit(1243856597.296:32): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf95b554 a2=1 a3=bf95b554 items=0 ppid=2643 &#160;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>pid=2761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=&quot;setenforce&quot; exe=&quot;/usr/sbin/setenforce&quot; subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>pid=2761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=&quot;setenforce&quot; exe=&quot;/usr/sbin/setenforce&quot; &#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> RichardHaines http://www.selinuxproject.org/w/?title=NB_AL&diff=950&oldid=prev RichardHaines: New page: = Audit Logs = For SELinux there are two main types of audit event: # SELinux-aware Application Events - These are generated by the SELinux kernel services and SELinux-aware applications ... 
2010-05-16T15:04:33Z <p>New page: = Audit Logs = For SELinux there are two main types of audit event: # SELinux-aware Application Events - These are generated by the SELinux kernel services and SELinux-aware applications ...</p> <p><b>New page</b></p><div>= Audit Logs =<br /> For SELinux there are two main types of audit event:<br /> <br /> # SELinux-aware Application Events - These are generated by the SELinux kernel services and SELinux-aware applications for events such as system errors, initialisation, policy load, changing boolean states, setting of enforcing / permissive mode and relabeling. <br /> # AVC Audit Events - These are generated by the AVC subsystem as the result of access denials, or where specific events have requested an audit message (i.e. where an &lt;tt&gt;auditallow&lt;/tt&gt; rule has been used in the policy). <br /> <br /> The audit and event messages can be stored in one of two places (in F-12 anyway):<br /> <br /> # The system log located at &lt;tt&gt;/var/log/messages&lt;/tt&gt; that contains the syslog boot and runtime events. The AVC messages logged here are those generated by SELinux before the audit daemon has been loaded, as F-12 uses the audit framework (auditd) as standard. However, some SELinux-aware audit messages are logged here as well&lt;ref name=&quot;ftn15&quot;&gt;For example if the iptables are loaded and there are SECMARK security contexts present, BUT the contexts are invalid (i.e. not in the policy), then the event is logged in the &lt;tt&gt;messages&lt;/tt&gt; log and nothing will appear in the audit log.&lt;/ref&gt;. Note that the detailed SELinux kernel boot events are logged in the &lt;tt&gt;/var/log/dmesg&lt;/tt&gt; file.<br /> # The audit log located at &lt;tt&gt;/var/log/audit/audit.log&lt;/tt&gt;. Audit events that take place after the audit daemon has been loaded are in this log file as are some SELinux system messages. 
The AVC audit messages of interest are those starting with type=AVC and are described below. <br /> <br /> Note that SE-PostgreSQL does not send its AVC events to the standard &lt;tt&gt;audit.log&lt;/tt&gt;, but to its own log file as discussed in the [[NB_SQL | SELinux PostgreSQL Support]] section.<br /> <br /> == SELinux-aware Application Events ==<br /> For SELinux and SELinux-aware applications (excluding the AVC entries that are discussed in the AVC Audit Events section below) the following are possible &lt;tt&gt;type=&lt;/tt&gt; entries within the &lt;tt&gt;audit.log&lt;/tt&gt; file that have been seen:<br /> &lt;pre&gt;<br /> # Example audit.log entries for adding a new SELinux user with:<br /> #<br /> # semanage user -a -R staff_r -P STAFF test_u<br /> #<br /> # Note that the audit messages appear in the following sequence:<br /> # <br /> # 1) That USER_AVC has received a policy reload message. <br /> # 2) A notice that the policy is changing by MAC_POLICY_LOAD.<br /> # Note that this event is followed by another audit message<br /> # with type=SYSCALL with further information. 
These two <br /> # events are tied by having the same serial_number in the <br /> # msg=audit(time:serial_number) field.<br /> # 3) That semanage carried out a USER_ROLE_CHANGE.<br /> <br /> type=USER_AVC msg=audit(1243855640.568:29): user pid=1543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:<br /> s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) : exe=&quot;?&quot; (sauid=81, hostname=?, addr=?, terminal=?)'<br /> <br /> type=MAC_POLICY_LOAD msg=audit(1243855634.660:30): policy loaded auid=0 ses=1<br /> <br /> type=SYSCALL msg=audit(1243855634.660:30): arch=40000003 syscall=4 success=yes exit=3480819 a0=4 a1=b7c74000 a2=351cf3 a3=bfbd9dc8 items=0<br /> ppid=2731 pid=2732 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=&quot;load_policy&quot; exe=&quot;/usr/sbin/load_policy&quot; subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)<br /> <br /> type=USER_ROLE_CHANGE msg=audit(1243855646.618:31): user pid=2731 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:<br /> c0.c1023 msg='op=add SELinux user record acct=&quot;test_u&quot; old-seuser=? old-role=? old-range=? 
new-seuser=test_u new-role=staff_r new-range=?<br /> exe=/usr/sbin/semanage (hostname=?, addr=?, terminal=pts/0 res=success)'<br /> <br /> # Example audit.log entries for setting enforcing mode by:<br /> #<br /> # setenforce 1<br /> #<br /> # Note that the audit messages appear in the following sequence:<br /> # <br /> type=MAC_STATUS msg=audit(1243856597.296:32): enforcing=1 old_enforcing=0 auid=0 ses=1<br /> <br /> type=USER_AVC msg=audit(1243856597.312:33): user pid=1543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:<br /> s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) : exe=&quot;?&quot; (sauid=81, hostname=?, addr=?, terminal=?)'<br /> <br /> type=SYSCALL msg=audit(1243856597.296:32): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf95b554 a2=1 a3=bf95b554 items=0 ppid=2643 <br /> pid=2761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=&quot;setenforce&quot; exe=&quot;/usr/sbin/setenforce&quot; subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)<br /> &lt;/pre&gt;<br /> <br /> Other entries can appear in the audit.log file; however, they are not covered in this Notebook.<br /> <br /> It should be noted that entries placed in the &lt;tt&gt;/var/log/messages&lt;/tt&gt; file before the audit daemon is loaded are in a different format, for example:<br /> &lt;pre&gt;<br /> # These are example entries of an AVC denial and the corresponding <br /> # SYSCALL from the /var/log/messages file that were captured <br /> # before the audit daemon was loaded:<br /> <br /> May 26 12:34:16 localhost kernel: type=1400 audit(1243337656.638:1358): avc: denied { read } for pid=3033 comm=&quot;rsyslogd&quot; path=&quot;/proc/kmsg&quot;<br /> dev=proc ino=4026531848 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file<br /> <br /> May 26 12:34:16 localhost kernel: type=1300 audit(1243337656.638:1358): arch=40000003 syscall=3 success=yes 
exit=230 a0=7 a1=11f7e0 <br /> a2=fff a3=11f7e0 items=0 ppid=1 pid=3033 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295<br /> comm=&quot;rsyslogd&quot; exe=&quot;/sbin/rsyslogd&quot; subj=system_u:system_r:syslogd_t:s0 key=(null)<br /> &lt;/pre&gt;<br /> <br /> The more detailed SELinux boot time messages are placed in the &lt;tt&gt;/var/log/dmesg&lt;/tt&gt; file where selected SELinux entries are as follows:<br /> &lt;pre&gt;<br /> Security Framework initialized<br /> SELinux: Initializing.<br /> SELinux: Starting in permissive mode<br /> ...<br /> SELinux: Registering netfilter hooks<br /> ....<br /> SELinux: 8192 avtab hash slots, 113530 rules.<br /> SELinux: 8192 avtab hash slots, 113530 rules.<br /> SELinux: 9 users, 11 roles, 2608 types, 122 bools, 1 sens, 1024 cats<br /> SELinux: 73 classes, 113530 rules<br /> SELinux: Completing initialization.<br /> SELinux: Setting up existing superblocks.<br /> SELinux: initialized (dev dm-0, type ext3), uses xattr<br /> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs<br /> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts<br /> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts<br /> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs<br /> ....<br /> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs<br /> ...<br /> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts<br /> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts<br /> type=1403 audit(1243839417.933:2): policy loaded auid=4294967295 ses=4294967295<br /> ...<br /> ...<br /> SELinux: initialized (dev sda1, type ext3), uses xattr<br /> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs<br /> SELinux: Context user_u:unconfined_r:unconfined_t is not valid (left unmapped).<br /> ...<br /> ...<br /> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts<br /> 
&lt;/pre&gt;<br /> <br /> == AVC Audit Events ==<br /> Table 4 shows the general format of an AVC audit message within the &lt;tt&gt;/var/log/audit/audit.log&lt;/tt&gt; file. These appear when access has been denied or an audit event has been specifically requested.<br /> <br /> {| border=&quot;1&quot;<br /> ! Keyword<br /> ! Description<br /> <br /> |-<br /> | &lt;tt&gt;type&lt;/tt&gt;<br /> | For SELinux AVC events this can be:<br /> <br /> &lt;tt&gt;type=AVC&lt;/tt&gt; - for kernel events<br /> <br /> &lt;tt&gt;type=USER_AVC&lt;/tt&gt; - for user-space object manager events<br /> <br /> Note that once the AVC event has been logged, another event with &lt;tt&gt;type=SYSCALL&lt;/tt&gt; will follow that contains further information regarding the event. <br /> <br /> The AVC event can always be tied to the relevant &lt;tt&gt;SYSCALL&lt;/tt&gt; event as they have the same serial_number in the msg=audit(time:serial_number) field as shown in the following example:<br /> &lt;pre&gt;<br /> type=AVC msg=audit(1243332701.744:101): avc: denied { getattr } for pid=2714 comm=&quot;ls&quot; path=&quot;/usr/lib/locale/locale-archive&quot; <br /> dev=dm-0 ino=353593 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file<br /> <br /> type=SYSCALL msg=audit(1243332701.744:101): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=553ac0 a2=552ff4 a3=bfc5eab0 items=0 <br /> ppid=2671 pid=2714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=&quot;ls&quot; exe=&quot;/bin/ls&quot; subj=system_u:object_r:unlabeled_t:s0 key=(null)<br /> &lt;/pre&gt;<br /> <br /> <br /> <br /> |-<br /> | &lt;tt&gt;msg&lt;/tt&gt;<br /> | This will contain the audit keyword with a reference number (e.g. 
&lt;tt&gt;msg=audit(1243332701.744:101)&lt;/tt&gt;)<br /> <br /> |-<br /> | &lt;tt&gt;avc&lt;/tt&gt;<br /> | This will be either denied when access has been denied or granted when the &lt;tt&gt;auditallow&lt;/tt&gt; rule has been executed by the AVC system.<br /> <br /> The entries that follow the &lt;tt&gt;avc=&lt;/tt&gt; field depend on what type of event is being audited. Those shown below are generated by the kernel AVC audit function, however the user space AVC audit function will return fields relevant to the application being managed by their Object Manager.<br /> <br /> |-<br /> | &lt;tt&gt;pid&lt;/tt&gt;<br /> | If a task, then log the process id (pid) and the name of the executable file (comm).<br /> <br /> |-<br /> | &lt;tt&gt;comm&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;key&lt;/tt&gt;<br /> | If an IPC event then log the identifier.<br /> <br /> |-<br /> | &lt;tt&gt;capability&lt;/tt&gt;<br /> | If a Capability event then log the identifier.<br /> <br /> |-<br /> | &lt;tt&gt;path&lt;/tt&gt;<br /> | If a File System event then log the relevant information. 
Note that the name field may not always be present.<br /> <br /> |-<br /> | &lt;tt&gt;name&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;dev&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;ino&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;laddr&lt;/tt&gt;<br /> | If a Socket event then log the Source / Destination addresses and ports for IP4 or IP6 sockets (AF_INET).<br /> <br /> |-<br /> | &lt;tt&gt;lport&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;faddr&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;fport&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;path&lt;/tt&gt;<br /> | If a File Socket event then log the path (AF_UNIX).<br /> <br /> |-<br /> | &lt;tt&gt;saddr&lt;/tt&gt;<br /> | If a Network event then log the Source / Destination addresses and ports with the network interface for IP4 or IP6 networks (AF_INET).<br /> <br /> <br /> <br /> <br /> |-<br /> | &lt;tt&gt;src&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;daddr&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;dest&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;netif&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;sauid&lt;/tt&gt;<br /> | IPSec security association identifiers<br /> <br /> |-<br /> | &lt;tt&gt;hostname&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;addr&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;terminal&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;resid&lt;/tt&gt;<br /> | X-Windows resource ID and type.<br /> <br /> |-<br /> | &lt;tt&gt;restype&lt;/tt&gt;<br /> <br /> |-<br /> | &lt;tt&gt;scontext&lt;/tt&gt;<br /> | The security context of the source or subject.<br /> <br /> |-<br /> | &lt;tt&gt;tcontext&lt;/tt&gt;<br /> | The security context of the target or object.<br /> <br /> |-<br /> | &lt;tt&gt;tclass&lt;/tt&gt;<br /> | The object class of the target or object.<br /> <br /> |}<br /> <br /> ''Table 4: AVC Audit Message Description - The keywords in bold are in all AVC audit messages, the others depend on the type of event being audited.''<br /> <br /> Example audit.log denied and granted events 
are shown in the following examples:<br /> &lt;pre&gt;<br /> # This is an example denied message; note that there are two <br /> # type=AVC calls, but only one corresponding type=SYSCALL entry.<br /> <br /> type=AVC msg=audit(1242575005.122:101): avc: denied { rename } for pid=2508 comm=&quot;canberra-gtk-pl&quot; name=&quot;c73a516004b572d8c845c74c49b2511d:runtime.tmp&quot; dev=dm-0 ino=188999 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0 tcontext=test_u:object_r:gnome_home_t:s0 tclass=lnk_file<br /> <br /> type=AVC msg=audit(1242575005.122:101): avc: denied { unlink } for pid=2508 comm=&quot;canberra-gtk-pl&quot; name=&quot;c73a516004b572d8c845c74c49b2511d:runtime&quot; dev=dm-0 ino=188578 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:gnome_home_t:s0 tclass=lnk_file<br /> <br /> type=SYSCALL msg=audit(1242575005.122:101): arch=40000003 syscall=38 success=yes exit=0 a0=82d2760 a1=82d2850 a2=da6660 a3=82cb550 items=0 ppid=2179 pid=2508 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=&quot;canberra-gtk-pl&quot; exe=&quot;/usr/bin/canberra-gtk-play&quot; subj=test_u:staff_r:oddjob_mkhomedir_t:s0 key=(null)<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> # These are example X-Windows object manager audit messages:<br /> <br /> type=USER_AVC msg=audit(1267534171.023:18): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t msg='avc: denied { getfocus } for request=X11:GetInputFocus comm=X-setest xdevice=&quot;Virtual core keyboard&quot; scontext=user_u:unconfined_r:x_select_paste_t tcontext=system_u:unconfined_r:unconfined_t tclass=x_keyboard : exe=&quot;/usr/bin/Xorg&quot; sauid=0 hostname=? addr=? 
terminal=?'<br /> <br /> type=USER_AVC msg=audit(1267534395.930:19): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t msg='avc: denied { read } for request=SELinux:SELinuxGetClientContext comm=X-setest resid=3c00001 restype=&lt;unknown&gt; scontext=user_u:unconfined_r:x_select_paste_t tcontext=user_u:unconfined_r:unconfined_t tclass=x_resource : exe=&quot;/usr/bin/Xorg&quot; sauid=0 hostname=? addr=? terminal=?'<br /> &lt;/pre&gt;<br /> &lt;pre&gt;<br /> # This is an example granted audit message:<br /> <br /> type=AVC msg=audit(1239116352.727:311): avc: granted { transition } for pid=7687 comm=&quot;bash&quot; path=&quot;/usr/move_file/move_file_c&quot; dev=dm-0 ino=402139 scontext=user_u:unconfined_r:unconfined_t tcontext=user_u:unconfined_r:move_file_t tclass=process<br /> <br /> type=SYSCALL msg=audit(1239116352.727:311): arch=40000003 syscall=11 success=yes exit=0 a0=8a6ea98 a1=8a56fa8 a2=8a578e8 a3=0 items=0 ppid=2660 pid=7687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=&quot;move_file_c&quot; exe=&quot;/usr/move_file/move_file_c&quot; subj=user_u:unconfined_r:move_file_t key=(null)<br /> &lt;/pre&gt;<br /> <br /> <br /> <br /> <br /> ----<br /> &lt;references/&gt;</div> RichardHaines
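Tying AVC records to their SYSCALL records by the shared msg=audit(time:serial_number) stamp, as the Notebook page describes, as an added example that is not part of the page or of the SELinux project's own tooling. The sample records are copied from the page and re-joined onto one line each, as they appear in a real log (constructed test input); the parser, the field names it emits, and the mapping of the numeric syslog record types (1300 and 1400 as shown on the page, 1403 from the page's dmesg extract) to their audit.log names are this example's own assumptions.

```python
"""Tie SELinux AVC records to their SYSCALL records by the audit(time:serial) stamp.

Added example, not part of the SELinux Notebook page. The sample records below
are copied from that page (constructed test input, re-joined onto one line
each). Field names, the numeric-type mapping and the summary layout are this
example's own choices.
"""
import re
from collections import defaultdict

# Pre-auditd kernel messages in /var/log/messages carry a numeric type.
# Assumption: standard Linux audit type numbers (1300/1400/1403 as on the page).
NUMERIC_TYPES = {"1300": "SYSCALL", "1400": "AVC", "1403": "MAC_POLICY_LOAD"}

# audit(time:serial) appears as msg=audit(...) in audit.log and as a bare
# audit(...) in the syslog form; this pattern matches both.
STAMP_RE = re.compile(r"audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs: a double-quoted value may contain spaces, a bare one may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# avc: denied|granted { perm [perm ...] }
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    stamp = STAMP_RE.search(line)
    if not stamp:
        return None
    rec = {"time": stamp.group("time"), "serial": int(stamp.group("serial"))}
    for key, value in KV_RE.findall(line):
        if key == "msg":        # msg=audit(...) and msg='avc: ...' are handled separately
            continue
        rec.setdefault(key, value.strip("\"'"))   # first occurrence wins
    rec["type"] = NUMERIC_TYPES.get(rec.get("type"), rec.get("type"))
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)          # "denied", or "granted" for auditallow
        rec["perms"] = avc.group(2).split()     # permissions listed inside the braces
    return rec


def correlate(lines):
    """Group records by (time, serial): AVC/USER_AVC records, the SYSCALL record, others.

    Keyed on the full stamp rather than the serial alone, because serial
    numbers restart when the system boots."""
    events = defaultdict(lambda: {"avc": [], "syscall": None, "other": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[(float(rec["time"]), rec["serial"])]
        if rec["type"] in ("AVC", "USER_AVC"):
            ev["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        else:
            ev["other"].append(rec)
    return dict(events)


def summarize(events):
    """One row per AVC decision, joined with the SYSCALL record's exe/success when present.

    The join is per AVC record, not 1:1: several AVC records can share one SYSCALL
    record (the page's rename/unlink example), and USER_AVC records from
    user-space object managers have no SYSCALL record at all (exe stays None)."""
    rows = []
    for (time, serial) in sorted(events):
        sc = events[(time, serial)]["syscall"]
        for avc in events[(time, serial)]["avc"]:
            rows.append({
                "serial": serial, "type": avc["type"],
                "decision": avc.get("decision"), "perms": avc.get("perms", []),
                "scontext": avc.get("scontext"), "tcontext": avc.get("tcontext"),
                "tclass": avc.get("tclass"),
                "exe": sc.get("exe") if sc else None,
                "success": sc.get("success") if sc else None,
            })
    return rows


# Constructed sample input: the page's records, one record per line.
SAMPLE_LOG = [
    'type=AVC msg=audit(1242575005.122:101): avc: denied { rename } for pid=2508 comm="canberra-gtk-pl" name="c73a516004b572d8c845c74c49b2511d:runtime.tmp" dev=dm-0 ino=188999 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0 tcontext=test_u:object_r:gnome_home_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1242575005.122:101): avc: denied { unlink } for pid=2508 comm="canberra-gtk-pl" name="c73a516004b572d8c845c74c49b2511d:runtime" dev=dm-0 ino=188578 scontext=test_u:staff_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:gnome_home_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1242575005.122:101): arch=40000003 syscall=38 success=yes exit=0 a0=82d2760 a1=82d2850 a2=da6660 a3=82cb550 items=0 ppid=2179 pid=2508 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="canberra-gtk-pl" exe="/usr/bin/canberra-gtk-play" subj=test_u:staff_r:oddjob_mkhomedir_t:s0 key=(null)',
    'type=AVC msg=audit(1239116352.727:311): avc: granted { transition } for pid=7687 comm="bash" path="/usr/move_file/move_file_c" dev=dm-0 ino=402139 scontext=user_u:unconfined_r:unconfined_t tcontext=user_u:unconfined_r:move_file_t tclass=process',
    'type=SYSCALL msg=audit(1239116352.727:311): arch=40000003 syscall=11 success=yes exit=0 a0=8a6ea98 a1=8a56fa8 a2=8a578e8 a3=0 items=0 ppid=2660 pid=7687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="move_file_c" exe="/usr/move_file/move_file_c" subj=user_u:unconfined_r:move_file_t key=(null)',
    'May 26 12:34:16 localhost kernel: type=1400 audit(1243337656.638:1358): avc: denied { read } for pid=3033 comm="rsyslogd" path="/proc/kmsg" dev=proc ino=4026531848 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'May 26 12:34:16 localhost kernel: type=1300 audit(1243337656.638:1358): arch=40000003 syscall=3 success=yes exit=230 a0=7 a1=11f7e0 a2=fff a3=11f7e0 items=0 ppid=1 pid=3033 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)',
    'type=USER_AVC msg=audit(1267534171.023:18): user pid=1169 uid=0 auid=4294967295 ses=4294967295 subj=system_u:unconfined_r:unconfined_t msg=\'avc: denied { getfocus } for request=X11:GetInputFocus comm=X-setest xdevice="Virtual core keyboard" scontext=user_u:unconfined_r:x_select_paste_t tcontext=system_u:unconfined_r:unconfined_t tclass=x_keyboard : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?\'',
    "not an audit record at all",
]

if __name__ == "__main__":
    for row in summarize(correlate(SAMPLE_LOG)):
        print(row)
```

Running the block prints one row per AVC decision: the two denials for serial 101 both pick up exe="/usr/bin/canberra-gtk-play" from the single SYSCALL record, the granted transition (serial 311) shows the auditallow case, the /var/log/messages pair is normalised from its numeric types, and the X server USER_AVC row has no exe because user-space object managers log no SYSCALL record.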