This repository has been archived by the owner on Dec 9, 2022. It is now read-only.

Show normalized SELinux events #62

Open
ssekidde opened this issue Aug 9, 2017 · 0 comments


ssekidde commented Aug 9, 2017

With improvements in the audit 2.7.x releases, it would be nice to show normalized SELinux events in sealert.

ausearch -i -m avc -ts today

type=PROCTITLE msg=audit(08/09/2017 03:17:07.004:8617) : proctitle=/usr/sbin/chronyd
type=SYSCALL msg=audit(08/09/2017 03:17:07.004:8617) : arch=x86_64 syscall=sendto success=yes exit=32 a0=0x5 a1=0x7ffde67bbef0 a2=0x20 a3=0x0 items=0 ppid=1 pid=19670 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(08/09/2017 03:17:07.004:8617) : avc: denied { sendto } for pid=19670 comm=chronyd path=/run/chrony/chronyc.10946.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

ausearch -m avc -ts today --format text

At 03:17:07 08/09/2017 system, acting as chrony, successfully violated-mac-policy using /usr/sbin/chronyd

And an example SELinux Alert Browser would show

chrony successfully violated-mac-policy using /usr/sbin/chronyd instead of 'SELinux has detected a problem'

(screenshot: SELinux Alert Browser)
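As an added example (not part of this issue or of setroubleshoot's code), the Python script below parses the `ausearch -i` records quoted above, groups them by audit serial number and renders the same one-line summary that `ausearch --format text` printed; the mapping from record fields to wording (auid=unset as "system", uid as "acting as", success=yes as "successfully") is inferred from the two outputs in the issue and is an assumption.

```python
import re
from collections import defaultdict

# Sample records, copied from the ausearch -i output quoted in the issue.
SAMPLE = """\
type=PROCTITLE msg=audit(08/09/2017 03:17:07.004:8617) : proctitle=/usr/sbin/chronyd
type=SYSCALL msg=audit(08/09/2017 03:17:07.004:8617) : arch=x86_64 syscall=sendto success=yes exit=32 a0=0x5 a1=0x7ffde67bbef0 a2=0x20 a3=0x0 items=0 ppid=1 pid=19670 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(08/09/2017 03:17:07.004:8617) : avc: denied { sendto } for pid=19670 comm=chronyd path=/run/chrony/chronyc.10946.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d/]+) ([\d:]+)\.\d+:(\d+)\) : (.*)$")
AVC = re.compile(r"avc:\s+(\w+)\s+\{ ([^}]*) \}")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Group the key=value fields of each record by audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, date, time_, serial, body = m.groups()
        ev = events[serial]
        ev.setdefault("date", date)
        ev.setdefault("time", time_)
        if rtype == "AVC":
            verdict, perms = AVC.search(body).groups()
            ev["avc_verdict"], ev["avc_perms"] = verdict, perms.split()
        # Fields seen in an earlier record of the same event are kept (e.g. pid).
        for k, v in FIELD.findall(body):
            ev.setdefault(k, v)
    return events


def normalize(ev):
    """Render one grouped AVC event as a single normalized sentence."""
    if "avc_verdict" not in ev:
        return None
    # auid=unset means no login session; the issue's example renders that as "system".
    who = "system" if ev.get("auid", "unset") == "unset" else ev["auid"]
    # "successfully" comes from the SYSCALL record: success=yes next to an AVC
    # "denied" typically indicates a permissive domain, so both facts are kept.
    outcome = "successfully" if ev.get("success") == "yes" else "unsuccessfully"
    return (f"At {ev['time']} {ev['date']} {who}, acting as {ev.get('uid', '?')}, "
            f"{outcome} violated-mac-policy using {ev.get('exe', ev.get('comm', '?'))}")


if __name__ == "__main__":
    for serial, ev in parse_records(SAMPLE).items():
        print(serial, normalize(ev))
```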
