Re: sealerts

Daniel J Walsh wrote:
> On 06/07/2013 11:28 AM, m.roth@xxxxxxxxx wrote:
>> m.roth@xxxxxxxxx wrote:
<snip>
>>> Second - and I thought I knew the answer to this, but guess I don't - I
>>> see AVC's in the log file, but no sealerts - how do I start it up to
>>> give me them in messages? I see auditd is running....
>>>
>> Point of information: CentOS 6.4, up to date.
>>
>> Dan, you say that setroubleshoot should run; I did install
>> setroubleshoot-server and setroubleshoot-plugins, and then restarted
>> auditd, yet I've seen some avc's since then, I think (wish audit.log had
>> timestamps).
>>
> audit log does have time stamps, but you need to translate using ausearch
>
> ausearch -m avc -i
>
> Should translate everything.

It does, and thanks - I had no clue about that.

Now it gets more interesting: using that, the last avc in the audit log is
from yesterday (Thurs) around 09:20 or so. I restarted auditd after that.
Another admin ran fixfiles....
and then, in the logs this morning, our manager noted:
Jun  7 08:09:12 <servername> sshd[6133]: pam_selinux(sshd:session): Unable to get valid context for root

in messages, and he rebooted and relabelled, and nothing since. What
surprises me is that there was no AVC for that message - in fact, no AVC's
since yesterday morning. Should there have been one?

     mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
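To make Dan's point about the timestamps concrete, here is an added example (not from this thread, and not part of the audit tools) that does by hand what `ausearch -m avc -i` does for the time field: it pulls the epoch seconds out of the `msg=audit(SECONDS.MILLIS:SERIAL)` header of raw audit.log lines and prints them as wall-clock times, keeping only `type=AVC` records. The sample log lines, the regexes and the function name are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in raw /var/log/audit/audit.log format (placeholders,
# not a real capture). Note the time only appears as epoch seconds inside
# msg=audit(...), which is why the raw file looks "timestamp-less".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1370614152.123:4567): avc:  denied  { read } for  pid=6133 comm="sshd" name="passwd" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_START msg=audit(1370614153.001:4568): user pid=6133 uid=0 auid=0 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" res=success'
type=AVC msg=audit(1370614160.456:4570): avc:  denied  { write } for  pid=2201 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Header of every audit record: type=<TYPE> msg=audit(<epoch secs>.<millis>:<serial>): <body>
AUDIT_HDR = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# Inside an AVC body: the denied permission set and the offending command name
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for .*?comm=\"([^\"]+)\"")

def parse_avc_records(text):
    """Return one dict per AVC record, with the epoch time rendered as UTC.

    This mirrors only the time translation that `ausearch -i` performs;
    records of any other type are skipped, like `ausearch -m avc`.
    """
    records = []
    for line in text.splitlines():
        m = AUDIT_HDR.match(line)
        if not m or m.group(1) != "AVC":
            continue
        secs, serial, body = int(m.group(2)), int(m.group(4)), m.group(5)
        when = datetime.fromtimestamp(secs, tz=timezone.utc)
        d = DENIED.search(body)
        records.append({
            "serial": serial,
            "time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "perms": d.group(1).split() if d else [],
            "comm": d.group(2) if d else None,
        })
    return records

if __name__ == "__main__":
    for r in parse_avc_records(SAMPLE_AUDIT_LOG):
        print(f"{r['time']}  serial={r['serial']}  comm={r['comm']}  denied={' '.join(r['perms'])}")
```

On a real box `ausearch -m avc -i` (or `-ts` for a time window) is the supported way to do this; the script is only meant to show what is hidden in that `msg=audit(...)` field.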