Analyzing SELINUX_ERR messages
When the SELinux subsystem is asked to perform an invalid SELinux-specific operation, it will log this through the audit subsystem using the SELINUX_ERR message type.
Getting ready
Make sure that the audit subsystem is up and running as we will be using the ausearch application to (re)view audit events:
~# service auditd start
How to do it…
Analyzing SELINUX_ERR messages is done by viewing the entry in the audit logs and understanding the individual fields; this is done by completing the following steps:
Note the current date/time, or reload the SELinux policy, to have a clear point in the audit logs from where to look:
~# semodule -R
Trigger the behavior in the application.
Ask the audit subsystem to show the last events of the SELINUX_ERR and MAC_POLICY_LOAD types:
~# ausearch -m SELINUX_ERR,MAC_POLICY_LOAD -ts recent
Look at the beginning of the message to find out what problematic situation SELinux is informing us about.
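The steps above, as an added example that is not part of the original recipe: a shell function that reads the ausearch output, keeps only the SELINUX_ERR records logged after the last MAC_POLICY_LOAD, and splits each one into its leading text and its key=value fields. The function names and the sample records are constructed for illustration; the message texts are not captured from a real system.

```shell
#!/bin/sh
# Constructed sample records, one per line as ausearch prints them.
# Types such as example_t are placeholders, not taken from a real policy.
sample_records() {
cat <<'EOF'
type=SELINUX_ERR msg=audit(1400000000.100:41): security_compute_sid:  invalid context unconfined_u:system_r:old_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:old_exec_t:s0 tclass=process
type=MAC_POLICY_LOAD msg=audit(1400000100.200:57): policy loaded auid=0 ses=1
type=SELINUX_ERR msg=audit(1400000130.300:58): security_compute_sid:  invalid context unconfined_u:system_r:example_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1400000140.400:59): security_validate_transition:  denied for oldcontext=system_u:object_r:example_a_t:s0 newcontext=system_u:object_r:example_b_t:s0 taskcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints, for every SELINUX_ERR logged after
# the last MAC_POLICY_LOAD (the marker left by the policy reload), one line:
#   event serial <TAB> leading text <TAB> key=value fields
selinux_err_summary() {
  awk '
    /^type=MAC_POLICY_LOAD / { n = 0; next }   # policy reload: drop older errors
    /^type=SELINUX_ERR / {
      # The serial sits inside msg=audit(TIMESTAMP:SERIAL)
      start = index($0, "msg=audit(") + 10
      stop = index($0, "): ")
      if (start == 10 || stop < start) next    # malformed record: skip it
      split(substr($0, start, stop - start), stamp, ":")
      cnt = split(substr($0, stop + 3), w, " ")
      lead = ""; fields = ""
      for (i = 1; i <= cnt; i++) {
        # Everything before the first key=value word is the leading text
        if (index(w[i], "=") > 0 || fields != "")
          fields = fields (fields == "" ? "" : " ") w[i]
        else
          lead = lead (lead == "" ? "" : " ") w[i]
      }
      out[++n] = stamp[2] "\t" lead "\t" fields
    }
    END { for (i = 1; i <= n; i++) print out[i] }
  '
}

# Offline run on the constructed records. On a live system:
#   ausearch -m SELINUX_ERR,MAC_POLICY_LOAD -ts recent | selinux_err_summary
sample_records | selinux_err_summary
```

The second column is the part of the message the last step asks you to read first; the third column holds the contexts and class to look up in the policy.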
How it works…
The SELinux subsystem will...