AUDIT2WHY(8)                          NSA                          AUDIT2WHY(8)


NAME
       audit2why - Translates SELinux audit messages into a description of why
       the access was denied

SYNOPSIS
       audit2why [options]

OPTIONS
       --help Print a short usage message

       -p <policyfile>
              Specify an alternate policy file.

DESCRIPTION
       This utility processes SELinux audit messages from standard input and
       reports which component of the policy caused each permission denial,
       based on the policy file given with the -p option or on the active
       policy otherwise. There are three possible causes: 1) a missing or
       disabled TE allow rule, 2) a constraint violation, or 3) a missing
       role allow rule. In the first case, the TE allow rule may exist in the
       policy but be disabled by boolean settings; see booleans(8). If the
       allow rule is not present at all, it can be generated via
       audit2allow(1). In the second case, a constraint is being violated;
       see policy/constraints or policy/mls to identify the particular
       constraint. Typically, this can be resolved by adding a type attribute
       to the domain. In the third case, a role transition was attempted but
       no allow rule existed for the role pair. This can be resolved by
       adding an allow rule for the role pair to the policy.
33
EXAMPLE
       $ /usr/sbin/audit2why < /var/log/audit/audit.log

       type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
       Was caused by:
       Missing or disabled TE allow rule.
       Allow rules may exist but be disabled by boolean settings; check boolean settings.
       You can see the necessary allow rules by running audit2allow with this audit message as input.

       type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
       Was caused by:
       Constraint violation.
       Check policy/constraints.
       Typically, you just need to add a type attribute to the domain to satisfy the constraint.
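
       The two denials above are the kind of input audit2why consumes. The
       following script is an added example, not part of this manual page or
       of the audit2why tool: it parses "avc: denied" records into their
       fields (permissions, source and target context, class, object), groups
       them for triage, and applies a labelled heuristic for the second cause
       the DESCRIPTION lists. The heuristic (an assumption of this example,
       not audit2why's policy lookup) flags a write-like permission where the
       subject's low MLS level is above the object's level, which is the shape
       of an MLS no-write-down constraint; the WRITE_LIKE set is likewise an
       assumption. The sample log is the two records quoted above. The
       authoritative answer still comes from running audit2why against the
       policy in force.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC denials quoted in the EXAMPLE section above.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Permissions that modify the object; used only by the MLS hint below (assumed list).
WRITE_LIKE = {"write", "append", "create", "setattr", "unlink", "rename", "link"}


def split_context(ctx):
    """Split user:role:type[:range] into parts; range is None under a non-MLS policy."""
    parts = ctx.split(":", 3)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) == 4 else None,
    }


def sensitivity(level):
    """'s3' -> 3; for a range such as 's1-s9:c0.c127' the low end is used."""
    low = level.split("-", 1)[0].split(":", 1)[0]
    return int(low[1:])


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }


def parse_log(text):
    """Parse every AVC denial in a block of audit log text, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def mls_hint(rec):
    """Heuristic, not audit2why's policy lookup: a write-like permission where the
    subject's low level is above the object's level matches the MLS no-write-down
    constraint shape, so a constraint cause is likely. Non-MLS contexts never match."""
    s_rng, t_rng = rec["scontext"]["range"], rec["tcontext"]["range"]
    if s_rng is None or t_rng is None:
        return False
    if not WRITE_LIKE.intersection(rec["perms"]):
        return False
    return sensitivity(s_rng) > sensitivity(t_rng)


def triage_summary(recs):
    """Count denials by (source type, target type, class) to find the noisy pairs first."""
    return Counter(
        (r["scontext"]["type"], r["tcontext"]["type"], r["tclass"]) for r in recs
    )


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        verdict = "possible MLS constraint" if mls_hint(rec) else "check TE allow rules"
        print(rec["scontext"]["type"], "->", rec["tcontext"]["type"],
              rec["tclass"], rec["perms"], ":", verdict)
    print(triage_summary(records))
```

       On the two sample records the heuristic agrees with audit2why's
       output above: the getattr denial is not write-like and is left to the
       TE rule check, while the append from s1-s9 to an s0 file is flagged as
       a likely constraint violation. Feed the real log through parse_log and
       use triage_summary to see which domain/type/class pairs dominate before
       running audit2why and audit2allow on them.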
48
AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>; the
       audit2why utility was written by Stephen Smalley <sds@tycho.nsa.gov>.



Security Enhanced Linux               May 2005                     AUDIT2WHY(8)