Hi, audit logs can be found in /var/log/audit/audit.log (or /var/log/messages if the audit daemon is not running). You can access audit messages using the "ausearch" tool.
I'm not sure what you mean by violating a macro.
Policy modules define context for files and processes, together with rules specifying allowed access (which process can access what files). Macros in policy files are just a way to specify multiple "allow" rules at once. Access that is not explicitly allowed is denied. To view such denials, run:
# ausearch -m avc
For more info about AVC messages, please see https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#i...
In order to violate policy, SELinux would have to be either in permissive mode, or disabled (either is strongly discouraged!).
Hope this helps.
Vit Mojzis SELinux Solutions Red Hat, Inc.
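As an added example (not code from the thread or from the selinux-policy project), the script below does what the two replies above describe: it pulls AVC denial records out of audit.log lines, extracts the source/target types and the denied permissions, and maps the source domain to the policy module declaring it by scanning "type ...;" declarations the way the grep over the .te files does. The log lines and .te excerpts are constructed for illustration.

```python
"""Summarise SELinux AVC denials from audit.log and map each source domain to the
policy module declaring it (added example; sample log and .te text are constructed)."""
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value tokens of an audit record
TYPE_RE = re.compile(r'^\s*type\s+(\w+)', re.M)  # "type foo_t;" declarations in a .te

def parse_avc(line):
    """Return the denial's fields, or None if the line is not an AVC denial."""
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    if 'type=AVC' not in line or perms is None:   # skips SYSCALL, "avc: granted", ...
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {'perms': perms.group(1).split(),
            'comm': f.get('comm'),
            'stype': f['scontext'].split(':')[2],  # user:role:TYPE:level
            'ttype': f['tcontext'].split(':')[2],
            'tclass': f['tclass'],
            'permissive': f.get('permissive') == '1'}  # 1 = logged but not blocked

def type_to_module(te_files):
    """Map every declared type to the module (file stem) that declares it."""
    return {t: name[:-3] for name, text in te_files.items()
            for t in TYPE_RE.findall(text)}

def summarize(log_lines, te_files):
    """Count denials per (source type, module, target type, class, permission)."""
    modules = type_to_module(te_files)
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_lines)):
        for perm in rec['perms']:
            counts[(rec['stype'], modules.get(rec['stype'], '?'),
                    rec['ttype'], rec['tclass'], perm)] += 1
    return counts

# Constructed sample: two httpd_t denials plus an unrelated SYSCALL record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1461320000.123:456): avc:  denied  { read open } for  pid=1234 '
    'comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1461320000.123:456): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1461320001.000:457): avc:  denied  { read } for  pid=1234 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
]
TE_FILES = {  # constructed excerpts in the style of the selinux-policy repo
    'apache.te': 'policy_module(apache, 2.7.2)\ntype httpd_t;\ntype httpd_config_t;\n',
    'bluetooth.te': 'policy_module(bluetooth, 1.0)\ntype bluetooth_t;\n',
}
```

Feed it the output of "ausearch -m avc" (or the raw audit.log) and the .te files of the checked-out selinux-policy repository to get a per-module tally of what was denied.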
----- Original Message ----- From: "Naina Emmanuel" nemmanuel1992@gmail.com To: "Vit Mojzis" vmojzis@redhat.com Sent: Friday, April 22, 2016 11:43:40 AM Subject: Re: SElinux Query
Good afternoon! I have a problem dealing with the logs, please tell me how we can violate a macro/s (used in a module, for example apache) and how to see their logs...
I have a task to monitor logs (violations) as an MS project, so please help in this regard.
Thanks in advance
Engr. Naina Emmanuel
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel nemmanuel1992@gmail.com wrote:
Thank you so much, I'll try this method!
Thanks once again for your positive response.
Engr. Naina Emmanuel
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis vmojzis@redhat.com wrote:
Hi, depends on the scale.
If you just need to identify policy module of one specific service, try searching for the service name in “# semodule -l” output (modules are usually named after corresponding service).
If that doesn't help (sometimes 1 module contains policy rules for more services), I would go with Lukas's suggestion, which was to download selinux-policy repository from github ( https://github.com/fedora-selinux/selinux-policy) and search for selinux type of the service you are interested in.
Let's say you want the policy module of the bluetooth daemon.
# ps -efZ | grep bluetoothd
system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ? 00:00:00 /usr/libexec/bluetooth/bluetoothd
The bluetoothd process has the label “bluetooth_t”.
Searching for “bluetooth_t” in the selinux-policy repository (branch rawhide-contrib) shows that the type was defined in “bluetooth.te”.
$ grep -R bluetooth_t
bluetooth.te:type bluetooth_t;
If you want to map all running services to their respective policy modules, the fastest way would be to search for the type of the running process in the file I enclosed to this email (all SELinux policy modules in Fedora 23 and the types defined in them). Each line contains the following:
module_name:domain_types:resource_types
I won't go into details since obtaining this mapping is not so straightforward.
Hope this helps.
Vit Mojzis SELinux Solutions Red Hat, Inc.
----- Original Message ----- From: "Lukas Vrabec" lvrabec@redhat.com To: selinux@lists.fedoraproject.org, "Vit Mojzis" vmojzis@redhat.com Sent: Thursday, April 7, 2016 10:20:57 AM Subject: Re: SElinux Query
On 04/06/2016 08:04 PM, Naina Emmanuel wrote:
Thanks for the response... Please tell me how we can map a running service to its module? My use case is: ps -efZ will tell which services are running (enforced modules); how can we map that running service to its module (that is, the module applying a policy to that service)?
Vit Mojzis can help you here.
Thanks in advance
Engr. Naina Emmanuel
On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl@redhat.com> wrote:
On 04/03/2016 10:20 AM, Naina Emmanuel wrote:
> Good Afternoon
> Can you please help me and tell...
> 1) how we can check which policy modules are actually enforced? Means
> which services are being secured by SELinux. Because #semodule -l gives
> loaded modules, but how can we check which are being secured?

Good point. You can play around with
$ seinfo -xadomain

> 2) If I don't understand any macro, from where can I get its description
> or help?

You are looking for
$ firefox /usr/share/doc/selinux-policy/html/index.html
$ rpm -qf /usr/share/doc/selinux-policy/html/index.html
selinux-policy-doc-3.13.1-180.fc25.noarch

> Thanks in advance
>
> Engr. Naina Emmanuel
> Linux Essential Certified (LEPDC)
> Cisco Certified Network Associate (CCNA)
> Computer Engineering Department, UET Taxila
> Information Security, CS Department, CIIT Islamabad
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
-- Lukas Vrabec SELinux Solutions Red Hat, Inc.