AUDIT2WHY(8)                          NSA                         AUDIT2WHY(8)

NAME

       audit2why - Translates SELinux audit messages into a description of why
       the access was denied


SYNOPSIS

       audit2why [options]


OPTIONS

       --help Print a short usage message

       -p <policyfile>
              Specify an alternate policy file.


DESCRIPTION

       This utility processes SELinux audit messages from standard input and
       reports which component of the policy caused each permission denial,
       based on the specified policy file if the -p option was used or on the
       active policy otherwise.  There are three possible causes: 1) a missing
       or disabled TE allow rule, 2) a constraint violation, or 3) a missing
       role allow rule.  In the first case, the TE allow rule may exist in the
       policy but be disabled by boolean settings.  See booleans(8).  If the
       allow rule is not present at all, it can be generated via
       audit2allow(1).  In the second case, a constraint is being violated;
       see policy/constraints or policy/mls to identify the particular
       constraint.  Typically, this can be resolved by adding a type attribute
       to the domain.  In the third case, a role transition was attempted but
       no allow rule existed for the role pair.  This can be resolved by
       adding an allow rule for the role pair to the policy.


EXAMPLE

       $ /usr/sbin/audit2why < /var/log/audit/audit.log

       type=KERNEL msg=audit(1115316408.926:336418): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
               Was caused by:
                       Missing or disabled TE allow rule.
                       Allow rules may exist but be disabled by boolean settings; check boolean settings.
                       You can see the necessary allow rules by running audit2allow with this audit message as input.

       type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
               Was caused by:
                       Constraint violation.
                       Check policy/constraints.
                       Typically, you just need to add a type attribute to the domain to satisfy the constraint.

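       The following is an added example and not part of the audit2why utility
       or this manual page: a small Python script that parses AVC denial records
       of the form shown above (the two records from EXAMPLE are embedded as
       constructed sample input) into their scontext, tcontext, tclass and
       permission fields, counts denials by type pair, and flags records whose
       MLS levels differ as a triage hint for the constraint case.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC records shown in the EXAMPLE section.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1115316408.926:336418): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_context(ctx):
    """Split user:role:type[:range]; the range is absent on non-MLS policies."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) > 3 else None}


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other audit records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"perms": m.group("perms").split(),
            "tclass": fields.get("tclass"),
            "scontext": parse_context(fields["scontext"]),
            "tcontext": parse_context(fields["tcontext"]),
            "target": fields.get("path") or fields.get("name")}


def mls_levels_differ(rec):
    """True when the subject's low sensitivity is not the object's level: where the
    constraints in policy/mls apply.  A hint only; audit2why gives the real cause."""
    s, t = rec["scontext"]["range"], rec["tcontext"]["range"]
    if s is None or t is None:
        return False
    return s.split("-")[0].split(":")[0] != t.split(":")[0]


def summarize(log):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["scontext"]["type"], rec["tcontext"]["type"],
                    rec["tclass"], perm)] += 1
    return counts
```

       The grouped counts show which type pairs recur before each message is
       handed to audit2why for the policy-based cause.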

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>; the
       audit2why utility was written by Stephen Smalley <sds@tycho.nsa.gov>.



Security Enhanced Linux            May 2005                       AUDIT2WHY(8)