Daniel J Walsh wrote:
> On 06/07/2013 11:28 AM, m.roth(a)5-cent.us wrote:
>> m.roth(a)5-cent.us wrote:
>> <snip>
>>> Second - and I thought I knew the answer to this, but guess I don't - I
>>> see AVC's in the log file, but no sealerts - how do I start it up to
>>> give me them in messages? I see auditd is running....
>>>
>> Point of information: CentOS 6.4, up to date.
>>
>> Dan, you say that setroubleshoot should run; I did install
>> setroubleshoot-server and setroubleshoot-plugins, and then restarted
>> auditd, yet I've seen some avc's since then, I think (wish audit.log had
>> timestamps).
>>
> audit log does have time stamps, but you need to translate using ausearch
>
> ausearch -m avc -i
>
> Should translate everything.
It does, and thanks - I had no clue about that.
Now it gets more interesting: using that, the last avc in the audit log is
from yesterday (Thurs) around 09:20 or so. I restarted auditd after that.
Another admin ran fixfiles....
and then, in the logs this morning, our manager noted:
Jun 7 08:09:12 <servername> sshd[6133]: pam_selinux(sshd:session): Unable to get valid context for root
in messages, and he rebooted and relabelled, and nothing since. What
surprises me is that there was no AVC for that message - in fact, no AVC's
since yesterday morning. Should there have been one?
mark
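The point Dan makes is that audit.log does carry timestamps; they are just raw epoch seconds inside the `msg=audit(SECONDS.MILLIS:SERIAL)` field, which is what `ausearch -i` interprets. The script below is an added example, not code from the thread or from the audit package: it takes a few constructed audit records (not events from any real host), picks out the AVC ones, and renders their stamps as UTC times by hand, which is useful when you only have a copied log file and no `ausearch` on the box where you are reading it. The sample lines, the function names and the field values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. On a live host `ausearch -m avc -i`
# (Dan's command) does this interpretation for you; this script shows what the
# raw stamps look like and translates them without ausearch.
# SAMPLE_AUDIT_LOG is constructed for the example, not copied from a real host.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1370610000.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1370610000.123:4567): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1370612345.678:4600): avc:  denied  { name_connect } for  pid=2222 comm="python" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=CRED_ACQ msg=audit(1370613000.000:4610): user pid=3333 uid=0 auid=0 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg=op=PAM:setcred acct="root" exe="/usr/sbin/sshd" res=success'

# epoch_to_iso SECONDS: print the UTC time as YYYY-MM-DDTHH:MM:SSZ.
# Tries the GNU date form first, then the BSD/macOS form.
epoch_to_iso() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# avc_events: read raw audit records on stdin and print one line per AVC record:
#   <UTC time> serial=<event serial> <the rest of the avc: message>
# The stamp lives in msg=audit(SECONDS.MILLIS:SERIAL). Every record of one event
# (AVC, SYSCALL, ...) carries the same stamp and serial; that pair is how ausearch
# groups the records of a single denial together.
avc_events() {
    while IFS= read -r line; do
        case "$line" in
            "type=AVC "*) ;;
            *) continue ;;
        esac
        stamp=${line#*msg=audit(}      # "1370610000.123:4567): avc: ..."
        stamp=${stamp%%)*}             # "1370610000.123:4567"
        secs=${stamp%%.*}              # "1370610000"
        serial=${stamp##*:}            # "4567"
        printf '%s serial=%s %s\n' "$(epoch_to_iso "$secs")" "$serial" "${line#*): }"
    done
    return 0
}

# last_avc_time: UTC time of the newest AVC record on stdin. Records are appended
# in order, so the last matching line is the newest. Fails when there is none,
# which is the "no AVCs since yesterday" situation from the thread.
last_avc_time() {
    last=$(grep '^type=AVC ' | tail -n 1)
    [ -n "$last" ] || return 1
    stamp=${last#*msg=audit(}
    epoch_to_iso "${stamp%%.*}"
}

# Stand-alone run: translate the sample, then report the newest denial.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_events
printf 'newest AVC: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | last_avc_time)"
```

On the sample this prints two AVC lines (13:00:00Z and 13:39:05Z on 2013-06-07) and reports the second as the newest; the SYSCALL and CRED_ACQ records are skipped. On a live system the equivalent is `ausearch -m avc -i`, optionally bounded with `-ts today` or `-ts recent`, which also joins the SYSCALL record to its AVC by that shared stamp and serial.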