SELinux logging and auditing
When SELinux is enabled, it will log (almost) every permission check that was denied. When Linux auditing is enabled, these denials are logged by the audit daemon. If not, then the regular system logger will get the denials and store them in the system logs.
Such denial messages are described with the type AVC (Access Vector Cache) as we can see from the following example:
type=AVC msg=audit(1369306885.125:4702304): avc: denied { append } for pid=1787 comm=72733A6D61696E20513A526567 name="oracle_audit.log" dev=dm-18 ino=65 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fileThe AVC is part of the SELinux security subsystem in the Linux kernel that is responsible for checking and enforcing the SELinux rules. Any permission that needs to be checked is represented as an "access vector" and the cache is then consulted to see if that particular permission has been checked before or not. If it is, then the decision is taken from...
