5.2. Which Log File is Used
In Red Hat Enterprise Linux 6, the dbus, setroubleshoot-server and audit packages are installed if packages are not removed from the default package selection.
SELinux denial messages, such as the following, are written to /var/log/audit/audit.log
by default:
type=AVC msg=audit(1223024155.684:49): avc: denied { getattr } for pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
May 7 18:55:56 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t). For complete SELinux messages. run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d
In Red Hat Enterprise Linux 6, setroubleshootd
no longer constantly runs as a service, however it is still used to analyze the AVC messages. Two new programs act as a method to start setroubleshoot when needed: sedispatch
and seapplet
. sedispatch
runs as part of the audit subsystem, and via dbus
, sends a message when an AVC denial occurs, which will go straight to setroubleshootd
if it is already running, or it will start setroubleshootd
if it is not running. seapplet
is a tool which runs in the system's toolbar, waiting for dbus messages in setroubleshootd
, and will launch the notification bubble, allowing the user to review the denial.
To configure the auditd
and rsyslogd
daemons to automatically start at boot, run the following commands as the Linux root user:
/sbin/chkconfig --levels 2345 auditd on
/sbin/chkconfig --levels 2345 rsyslog on
Use the service service-name
status
command to check if these services are running, for example:
$ /sbin/service auditd status
auditd (pid 1318
) is running...
If the above services are not running (service-name
is stopped
), use the service service-name
start
command as the Linux root user to start them. For example:
# /sbin/service auditd start
Starting auditd: [ OK ]