This repository has been archived by the owner on Dec 9, 2022. It is now read-only.
Show normalized SELinux events #62
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
With improvements in the audit 2.7.x releases it would be nice to show normalized SELinux events in sealert
ausearch -i -m avc -ts today
type=PROCTITLE msg=audit(08/09/2017 03:17:07.004:8617) : proctitle=/usr/sbin/chronyd
type=SYSCALL msg=audit(08/09/2017 03:17:07.004:8617) : arch=x86_64 syscall=sendto success=yes exit=32 a0=0x5 a1=0x7ffde67bbef0 a2=0x20 a3=0x0 items=0 ppid=1 pid=19670 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(08/09/2017 03:17:07.004:8617) : avc: denied { sendto } for pid=19670 comm=chronyd path=/run/chrony/chronyc.10946.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
ausearch -m avc -ts today --format text
At 03:17:07 08/09/2017 system, acting as chrony, successfully violated-mac-policy using /usr/sbin/chronyd
And an example SELinux Alert Browser would show
chrony successfully violated-mac-policy using /usr/sbin/chronyd instead of 'SELinux has detected a problem'
The text was updated successfully, but these errors were encountered: