Sample logs of alert types

John Dennis jdennis at redhat.com
Tue Dec 8 15:32:07 UTC 2009


On 12/08/2009 10:04 AM, Zaina AFOULKI wrote:
> Hello,
>
> We are trying to develop a graphical interface for SELinux alerts...
> We noticed that each log for a specific alert is different from the one of
> other types. For example:
>
> type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc:  denied  { getattr
> } for  pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104
> scontext=staff_u:staff_r:staff_sudo_t:s0
> tcontext=root:object_r:sysadm_home_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386
> syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0
> ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi
> subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
>
> Currently we know what the log looks like for the following types:
> DAEMON_START  ANOM_ABEND AVC CONFIG_CHANGE CRED_ACQ CRED_DISP DAEMON_END
> LOGIN MAC_STATUS SELINUX_ERR SYSCALL SYSTEM_RUNLEVEL SYSTEM_SHUTDOWN
> USER_ACCT USER_AUTH USER_AVC USER_CHAUTHTOK USER_CMD USER_END USER_ERR
> USER_LOGIN USER_ROLE_CHANGE USER_START
>
> We really need to know the look of each alert in the log file.
> Is there a way we can get a sample of each log type?
> Your help will be greatly appreciated.
>
> Thanks in advance,
>
>

No, there is no such library of every possible AVC message. The problem 
is further compounded by the following issues:

* it depends on the kernel version

* messages are not emitted atomically or sequentially by the audit 
system; by this I mean all the information concerning a given AVC 
arrives as a collection of audit messages which must be reassembled by 
matching the audit ID associated with each message. That constitutes an 
"event", as opposed to individual messages.

* parsing of the audit messages should be done with auparse as there are 
some odd behaviors with certain fields which auparse compensates for, in 
particular string values. The last time I checked, which was over a year 
ago, auparse did not assemble non-sequential messages into events.

setroubleshoot has addressed many of these issues and provides a GUI; 
are you aware of that?

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
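The reassembly step described in the reply (grouping the individual audit records of one event by the serial number inside `msg=audit(timestamp:serial)`) is illustrated below. This is an added example written for this page, not code from the thread, from setroubleshoot or from the audit project. It accepts the interpreted `ausearch -i` style format quoted in the question as well as the raw `audit(1196685888.301:140)` epoch form; the sample records are constructed from the two quoted in the question, with a SYSCALL record for serial 140 deliberately placed after the unrelated record 141 to show why grouping cannot rely on arrival order. It is a teaching aid only: as the reply says, production parsers should use auparse, which also handles the field-quoting quirks this regex approach does not.

```python
import re

# Constructed sample records (interpreted format). Serial 140 is an AVC denial
# whose SYSCALL record arrives AFTER the unrelated event 141, and serial 142 is
# an AVC record whose SYSCALL companion never arrives (an incomplete event).
SAMPLE_RECORDS = """\
type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc:  denied  { getattr } for  pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386 syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0 ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=SYSCALL msg=audit(12/03/2007 12:44:48.301:140) : arch=i386 syscall=stat64 success=no exit=-13 items=1 ppid=2784 pid=2816 auid=gmarzot uid=root gid=root tty=pts0 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(12/03/2007 12:44:49.010:142) : avc:  denied  { read } for  pid=2816 comm=vi name=.viminfo dev=sda1 ino=131105 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
"""

# type=XXX msg=audit(<stamp>:<serial>) : <body>   -- the stamp may itself
# contain colons (interpreted format), so the serial is the last ":digits".
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<stamp>[^)]*):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)
# Prefix of an AVC body: avc:  denied  { perm perm } for  key=value...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+")
# key=value tokens; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record into type, stamp, serial and a field dict (None if malformed)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "stamp": m["stamp"], "serial": int(m["serial"])}
    body = m["body"]
    avc = AVC_RE.match(body)
    if avc:
        rec["result"] = avc["result"]
        rec["perms"] = avc["perms"].split()
        body = body[avc.end():]
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec


def assemble_events(lines):
    """Group records into events keyed by audit serial, in first-seen order.

    Records of one event need not be adjacent, so a simple 'previous line'
    heuristic would attach the SYSCALL of 140 to event 141 here.
    """
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault(rec["serial"], []).append(rec)
    return events


def summarize_denials(events):
    """Join each AVC denial with the SYSCALL record of the same event, if present."""
    out = []
    for serial, recs in events.items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for a in recs:
            if a["type"] != "AVC" or a.get("result") != "denied":
                continue
            f = a["fields"]
            out.append({
                "serial": serial,
                "perms": a["perms"],
                "scontext": f.get("scontext"),
                "tcontext": f.get("tcontext"),
                "tclass": f.get("tclass"),
                "target": f.get("path") or f.get("name"),
                "exe": syscall["fields"].get("exe") if syscall else None,
                "syscall": syscall["fields"].get("syscall") if syscall else None,
                # False when the SYSCALL record has not (yet) arrived.
                "complete": syscall is not None,
            })
    return out


if __name__ == "__main__":
    for d in summarize_denials(assemble_events(SAMPLE_RECORDS.splitlines())):
        state = "complete" if d["complete"] else "INCOMPLETE (no SYSCALL record)"
        print(f"event {d['serial']}: denied {d['perms']} on {d['tclass']} "
              f"{d['target']} by {d['exe']} via {d['syscall']} [{state}]")
```

The `complete` flag is the part a GUI would care about: an AVC record seen without its SYSCALL companion is a partially received event, and a display that keys on adjacency rather than on the serial would either drop that data or attach it to the wrong event.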