Hi, audit logs can be found in /var/log/audit/audit.log (or /var/log/messages if the audit daemon is not running). You can access audit messages using "ausearch" tool. I'm not sure what you mean by violating a macro. Policy modules define context for files and processes, together with rules specifying allowed access (which process can access what files). Macros in policy files are just a way to specify multiple "allow" rules at once. Access that is not explicitly allowed is denied. To view such denials, run #ausearch -m avc For more info about AVC messages, please see https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4626257 In order to violate policy, SELinux would have to be either in permissive mode, or disabled (either is strongly discouraged!). Hope this helps. Vit Mojzis SELinux Solutions Red Hat, Inc. ----- Original Message ----- From: "Naina Emmanuel" <nemmanuel1992@xxxxxxxxx> To: "Vit Mojzis" <vmojzis@xxxxxxxxxx> Sent: Friday, April 22, 2016 11:43:40 AM Subject: Re: SElinux Query good afternoon! i have a problem dealing with the logs,please tell how can we violate a macro/s (used in a module for example apache) and how to see their logs... i have a task to monitor logs (violations) as MS project, so please help in this regard thanks in advance *Engr. Naina Emmanuel* *Linux Essential Certified (LEPDC)* *Cisco Certified Network Associate (CCNA)* *Computer Engineering Department, UET Taxila* *Information Security, CS Department, CIIT Islamabad* On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel <nemmanuel1992@xxxxxxxxx> wrote: > thank you so much, i try this method! > > thanks once again for your positive response > > > > > > > > > > *Engr. Naina Emmanuel* > *Linux Essential Certified (LEPDC)* > *Cisco Certified Network Associate (CCNA)* > > *Computer Engineering Department, UET Taxila* > > *Information Security, CS Department, CIIT Islamabad* > > On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis <vmojzis@xxxxxxxxxx> wrote: > >> Hi, >> depends on the scale. >> >> If you just need to identify policy module of one specific service, try >> searching for the service name in “# semodule -l” output (modules are >> usually named after corresponding service). >> >> If that doesn't help (sometimes 1 module contains policy rules for more >> services), I would go with Lukas's suggestion, which was to download >> selinux-policy repository from github ( >> https://github.com/fedora-selinux/selinux-policy) and search for selinux >> type of the service you are interested in. >> >> Let's say you want policy module of bluetooth daemon. >> # ps -efZ | grep bluetoothd >> system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ? >> 00:00:00 /usr/libexec/bluetooth/bluetoothd >> Bluetoothd process has label of “bluetooth_t”. >> >> Search for “bluetooth_t” in selinux-policy repository (branch >> rawhide-contrib) shows that the type was defined in “bluetooth.te”. >> $ grep -R bluetooth_t >> bluetooth.te:type bluetooth_t; >> >> If you want to map all running services to their respective policy >> modules, fastest way would be to search for the type of running process in >> the file I enclosed to this email (all selinux policy modules in Fedora 23 >> and types defined in them). Each line contains the following >> module_nameomain_types:resource_types >> I won't go into details since obtaining of this mapping is not so >> straight forward. >> >> Hope this helps. >> >> Vit Mojzis >> SELinux Solutions >> Red Hat, Inc. >> >> ----- Original Message ----- >> From: "Lukas Vrabec" <lvrabec@xxxxxxxxxx> >> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx, "Vit Mojzis" <vmojzis@xxxxxxxxxx> >> Sent: Thursday, April 7, 2016 10:20:57 AM >> Subject: Re: SElinux Query >> >> On 04/06/2016 08:04 PM, Naina Emmanuel wrote: >> > Thanks for the response... >> > Please tell that how can we map the service running to its module? >> > My use case is, ps -efZ will tell which services are running(enforced >> > modules) how can we map that running service to its module( that is >> > applying a policy to that Service?) >> > >> >> Vit Mojzis can help you here. >> >> > Thansk in advance >> > >> > Engr. Naina Emmanuel >> > >> > On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl@xxxxxxxxxx >> > <mailto:mgrepl@xxxxxxxxxx>> wrote: >> > >> > On 04/03/2016 10:20 AM, Naina Emmanuel wrote: >> > > Good Afternoon >> > > Can u please help me and tell... >> > > 1) how we can check, which policy modules are actually enforced? >> > means >> > > which services are being secured by selinux. because #semodule -l >> > gives >> > > loaded modules, but which are being secured how can we check >> that???* >> > > * >> > >> > Good point. You can play around >> > >> > $ seinfo -xadomain >> > >> > > 2) If i dont understand any macro, from where i can get its >> > description >> > > or help?* >> > >> > You are looking for >> > >> > $ firefox /usr/share/doc/selinux-policy/html/index.html >> > >> > $ rpm -qf /usr/share/doc/selinux-policy/html/index.html >> > selinux-policy-doc-3.13.1-180.fc25.noarch >> > >> > > * >> > > * >> > > * >> > > * >> > > *thanks in advance >> > > * >> > > * >> > > * >> > > * >> > > * >> > > /Engr. Naina Emmanuel/* >> > > *Linux Essential Certified (LEPDC)** >> > > * >> > > *Cisco Certified Network Associate (CCNA)* >> > > *Computer Engineering Department, UET Taxila >> > > * >> > > *Information Security, CS Department, CIIT Islamabad >> > > * >> > > >> > > >> > > -- >> > > selinux mailing list >> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx >> > <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx> >> > > >> > >> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx >> > > >> > >> > >> > -- >> > Miroslav Grepl >> > Senior Software Engineer, SELinux Solutions >> > Red Hat, Inc. >> > >> > >> > >> > -- >> > selinux mailing list >> > selinux@xxxxxxxxxxxxxxxxxxxxxxx >> > >> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx >> > >> >> >> -- >> Lukas Vrabec >> SELinux Solutions >> Red Hat, Inc. >> > > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
