Hi,
Audit logs can be found in /var/log/audit/audit.log (or /var/log/messages if the audit
daemon is not running).
You can access audit messages using the "ausearch" tool.
I'm not sure what you mean by violating a macro.
Policy modules define context for files and processes, together with rules specifying
allowed access (which process can access what files).
Macros in policy files are just a way to specify multiple "allow" rules at
once.
Access that is not explicitly allowed is denied.
To view such denials, run
# ausearch -m avc
For more info about AVC messages, please see
https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.htm...
In order to violate policy, SELinux would have to be either in permissive mode, or
disabled (either is strongly discouraged!).
Hope this helps.
Vit Mojzis
SELinux Solutions
Red Hat, Inc.
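An added example, not part of Vit's reply and not Red Hat's or the selinux-policy project's code: a small Python parser for the AVC records that `ausearch -m avc` returns. The audit.log lines it runs over are constructed (the field layout follows the kernel's AVC audit record format, the events themselves are made up). It separates denials that actually blocked an access (permissive=0) from ones that were only logged because the domain or the whole system was permissive (permissive=1), which is the difference Vit points at when he says a policy can only be "violated" in permissive or disabled mode, and it renders the allow rule each denial would need, in the shape audit2allow prints.

```python
"""Parse SELinux AVC records as they appear in /var/log/audit/audit.log.

Added example (not the thread's or Red Hat's code). The sample lines below are
constructed; their field layout follows the kernel's AVC audit record format.
"""
import re
from collections import Counter

# Constructed sample of an audit.log fragment (not a real capture): four AVC
# records for an httpd_t process plus one SYSCALL record that ausearch -m avc
# would not return.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1461318300.123:4521): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev="dm-0" ino=131083 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1461318300.123:4521): arch=c000003e syscall=2 success=no exit=-13 a0=7f3c1a2b3c40 items=0 ppid=2301 pid=2311 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1461318305.456:4530): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1461318310.789:4537): avc:  denied  { write } for  pid=2311 comm="httpd" name="cache" dev="dm-0" ino=262145 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461318312.000:4540): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev="dm-0" ino=131083 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Pull the type out of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access went ahead and was only logged, i.e. the
        # domain (or the whole system) was in permissive mode for this event.
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log_text):
    """Group denials by (source type, target type, class, perms).

    Returns (records, enforced, audited_only): enforced counts denials that
    actually blocked an access, audited_only those that were let through.
    """
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    enforced, audited_only = Counter(), Counter()
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"], r["perms"])
        (audited_only if r["permissive"] else enforced)[key] += 1
    return records, enforced, audited_only


def allow_rule(key):
    """Render the policy rule a denial would need, in audit2allow's shape.

    Do not add such rules blindly: a denial is often better answered by a
    boolean, a relabel, or a different file location than by new policy.
    """
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    recs, enforced, audited = summarize(SAMPLE_AUDIT_LOG)
    print(f"{len(recs)} AVC records")
    for key, n in enforced.items():
        print(f"blocked x{n}: {allow_rule(key)}")
    for key, n in audited.items():
        print(f"permissive (allowed, logged) x{n}: {allow_rule(key)}")
```

Two caveats when using this against a real box: userspace object managers such as dbus and systemd log their decisions as USER_AVC records, which `ausearch -m avc` alone does not return (ask for both with `-m avc,user_avc`), and a denial with permissive=1 is exactly the "violation" Vit describes: the access succeeded and only the audit trail knows about it, so a monitoring project should alert on those with higher priority than on enforced denials.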
----- Original Message -----
From: "Naina Emmanuel" <nemmanuel1992(a)gmail.com>
To: "Vit Mojzis" <vmojzis(a)redhat.com>
Sent: Friday, April 22, 2016 11:43:40 AM
Subject: Re: SElinux Query
good afternoon!
I have a problem dealing with the logs. Please tell me how we can violate a
macro/macros (used in a module, for example apache)
and how to see their logs...
I have a task to monitor logs (violations) as an MS project, so please help in
this regard.
thanks in advance
*Engr. Naina Emmanuel*
*Linux Essential Certified (LEPDC)*
*Cisco Certified Network Associate (CCNA)*
*Computer Engineering Department, UET Taxila*
*Information Security, CS Department, CIIT Islamabad*
On Thu, Apr 7, 2016 at 3:19 PM, Naina Emmanuel <nemmanuel1992(a)gmail.com>
wrote:
> Thank you so much, I'll try this method!
>
> Thanks once again for your positive response.
>
> *Engr. Naina Emmanuel*
> *Linux Essential Certified (LEPDC)*
> *Cisco Certified Network Associate (CCNA)*
>
> *Computer Engineering Department, UET Taxila*
>
> *Information Security, CS Department, CIIT Islamabad*
>
> On Thu, Apr 7, 2016 at 2:01 AM, Vit Mojzis <vmojzis(a)redhat.com> wrote:
>
>> Hi,
>> It depends on the scale.
>>
>> If you just need to identify policy module of one specific service, try
>> searching for the service name in “# semodule -l” output (modules are
>> usually named after corresponding service).
>>
>> If that doesn't help (sometimes one module contains policy rules for several
>> services), I would go with Lukas's suggestion, which was to download the
>> selinux-policy repository from GitHub
>> (https://github.com/fedora-selinux/selinux-policy) and search for the SELinux
>> type of the service you are interested in.
>>
>> Let's say you want the policy module of the bluetooth daemon.
>> # ps -efZ | grep bluetoothd
>> system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ?
>> 00:00:00 /usr/libexec/bluetooth/bluetoothd
>> The bluetoothd process has the label "bluetooth_t".
>>
>> Search for “bluetooth_t” in selinux-policy repository (branch
>> rawhide-contrib) shows that the type was defined in “bluetooth.te”.
>> $ grep -R bluetooth_t
>> bluetooth.te:type bluetooth_t;
>>
>> If you want to map all running services to their respective policy
>> modules, the fastest way would be to search for the type of the running process in
>> the file I attached to this email (all selinux policy modules in Fedora 23
>> and the types defined in them). Each line has the following format:
>> module_name:domain_types:resource_types
>> I won't go into details, since obtaining this mapping is not so
>> straightforward.
>>
>> Hope this helps.
>>
>> Vit Mojzis
>> SELinux Solutions
>> Red Hat, Inc.
>>
>> ----- Original Message -----
>> From: "Lukas Vrabec" <lvrabec(a)redhat.com>
>> To: selinux(a)lists.fedoraproject.org, "Vit Mojzis" <vmojzis(a)redhat.com>
>> Sent: Thursday, April 7, 2016 10:20:57 AM
>> Subject: Re: SElinux Query
>>
>> On 04/06/2016 08:04 PM, Naina Emmanuel wrote:
>> > Thanks for the response...
>> > Please tell me how we can map a running service to its module.
>> > My use case is: ps -efZ will tell which services are running (enforced
>> > modules); how can we map that running service to its module (that is,
>> > the one applying a policy to that service)?
>> >
>>
>> Vit Mojzis can help you here.
>>
>> > Thanks in advance
>> >
>> > Engr. Naina Emmanuel
>> >
>> > On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl(a)redhat.com> wrote:
>> >
>> > On 04/03/2016 10:20 AM, Naina Emmanuel wrote:
>> > > Good Afternoon
>> > > Can you please help me and tell...
>> > > 1) How can we check which policy modules are actually enforced? I mean,
>> > > which services are being secured by selinux. #semodule -l gives the
>> > > loaded modules, but how can we check which ones are actually securing
>> > > something?
>> >
>> > Good point. You can play around with
>> >
>> > $ seinfo -xadomain
>> >
>> > > 2) If I don't understand a macro, where can I get its description
>> > > or help?
>> >
>> > You are looking for
>> >
>> > $ firefox /usr/share/doc/selinux-policy/html/index.html
>> >
>> > $ rpm -qf /usr/share/doc/selinux-policy/html/index.html
>> > selinux-policy-doc-3.13.1-180.fc25.noarch
>> >
>> > > Thanks in advance
>> > >
>> > > Engr. Naina Emmanuel
>> > > Linux Essential Certified (LEPDC)
>> > > Cisco Certified Network Associate (CCNA)
>> > > Computer Engineering Department, UET Taxila
>> > > Information Security, CS Department, CIIT Islamabad
>> > >
>> > >
>> > > --
>> > > selinux mailing list
>> > > selinux(a)lists.fedoraproject.org
>> > > http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>> >
>> >
>> > --
>> > Miroslav Grepl
>> > Senior Software Engineer, SELinux Solutions
>> > Red Hat, Inc.
>> >
>> >
>> >
>> >
>>
>>
>> --
>> Lukas Vrabec
>> SELinux Solutions
>> Red Hat, Inc.
>>
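An added example that is not part of any message in the thread above and not the selinux-policy project's own code: a Python script that replays the procedure from Vit's earlier reply (take the type from the `ps -efZ` context, find the `.te` file that declares it, and report the module) and produces the `module_name:domain_types:resource_types` lines his attached mapping file is described as containing. The `ps -efZ` output and the `.te` fragments are constructed stand-ins for a real process list and a checkout of selinux-policy, so it runs offline; which types count as domains is decided by a heuristic of my own (the type named first in `init_daemon_domain`, `domain_type` or `application_domain`), which is one reason the mapping is, as Vit says, not so straightforward.

```python
"""Map running processes to the SELinux policy module that declares their domain type.

Added example, not the selinux-policy project's code. PS_OUTPUT stands in for
`ps -efZ` and TE_SOURCES for a checkout of the policy sources; both are constructed.
"""
import re

# Constructed `ps -efZ` output (not a real capture). Column 1 is the SELinux context.
PS_OUTPUT = """\
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:bluetooth_t:s0 root       764     1  0 09:09 ?        00:00:00 /usr/libexec/bluetooth/bluetoothd
system_u:system_r:httpd_t:s0     apache    2311  2301  0 09:10 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 naina 3020 3001 0 09:12 pts/0 00:00:00 bash
"""

# Constructed .te fragments in the style of the selinux-policy sources.
TE_SOURCES = {
    "apache.te": """\
policy_module(apache, 2.7.2)
type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t, httpd_exec_t)
type httpd_log_t;
logging_log_file(httpd_log_t)
""",
    "bluetooth.te": """\
policy_module(bluetooth, 1.0)
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
type bluetooth_var_run_t;
""",
}

MODULE_RE = re.compile(r"^\s*policy_module\(\s*(\w+)")
# "type foo_t;" or "type foo_t, alias ..."; type_transition lines do not match.
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*[;,]")
# Heuristic (my assumption): a type passed first to one of these interfaces is a domain.
DOMAIN_RE = re.compile(r"^\s*(?:init_daemon_domain|domain_type|application_domain)\(\s*(\w+)")


def index_policy(sources):
    """Return ({type: module}, {module: (domain_types, resource_types)})."""
    type_to_module, per_module = {}, {}
    for filename, text in sources.items():
        module = filename.rsplit(".", 1)[0]  # fallback if policy_module() is absent
        declared, domains = [], set()
        for line in text.splitlines():
            if m := MODULE_RE.match(line):
                module = m.group(1)
            elif m := TYPE_RE.match(line):
                declared.append(m.group(1))
            elif m := DOMAIN_RE.match(line):
                domains.add(m.group(1))
        for t in declared:
            type_to_module[t] = module
        per_module[module] = (sorted(t for t in declared if t in domains),
                              sorted(t for t in declared if t not in domains))
    return type_to_module, per_module


def format_mapping(per_module):
    """One line per module in the module_name:domain_types:resource_types layout."""
    return [f"{mod}:{','.join(d)}:{','.join(r)}" for mod, (d, r) in sorted(per_module.items())]


def context_type(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def map_processes(ps_text, type_to_module):
    """Return [(cmd, domain type, module or None)] for each ps -efZ row."""
    rows = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 8)        # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 9:
            continue
        t = context_type(parts[0])
        rows.append((parts[8], t, type_to_module.get(t)))
    return rows


if __name__ == "__main__":
    t2m, per_mod = index_policy(TE_SOURCES)
    print("\n".join(format_mapping(per_mod)))
    for cmd, t, mod in map_processes(PS_OUTPUT, t2m):
        print(f"{t:<16} {mod or '(no module found)':<20} {cmd}")
```

A type that is not declared with a plain `type ...;` line (for example one produced by a template such as `apache_content_template`) will not be found by this scan, and neither will a type that comes from the base policy rather than a contrib module; an unmapped row like the `unconfined_t` shell above is therefore a prompt to look further, not proof that nothing confines the process.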