sealerts

m.roth at 5-cent.us
Fri Jun 7 19:06:03 UTC 2013


Daniel J Walsh wrote:
> On 06/07/2013 11:28 AM, m.roth at 5-cent.us wrote:
>> m.roth at 5-cent.us wrote:
<snip>
>>> Second - and I thought I knew the answer to this, but guess I don't - I
>>> see AVCs in the log file, but no sealerts - how do I start it up to
>>> give me them in messages? I see auditd is running...
>>>
>> Point of information: CentOS 6.4, up to date.
>>
>> Dan, you say that setroubleshoot should run; I did install
>> setroubleshoot-server and setroubleshoot-plugins, and then restarted
>> auditd, yet I've seen some AVCs since then, I think (wish audit.log had
>> timestamps).
>>
> audit log does have time stamps, but you need to translate using ausearch
>
> ausearch -m avc -i
>
> Should translate everything.

It does, and thanks - I had no clue about that.

Now it gets more interesting: using that, the last avc in the audit log is
from yesterday (Thurs) around 09:20 or so. I restarted auditd after that.
Another admin ran fixfiles...
and then, in the logs this morning, our manager noted:
Jun  7 08:09:12 <servername> sshd[6133]: pam_selinux(sshd:session): Unable to get valid context for root

in messages, and he rebooted and relabelled, and nothing since. What
surprises me is that there was no AVC for that message - in fact, no AVCs
since yesterday morning. Should there have been one?

     mark
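The point Dan makes above is that audit.log records are not timestamp-less: each one carries an epoch timestamp in its `msg=audit(<seconds>.<millis>:<serial>)` header, and `ausearch -m avc -i` simply translates that (and the numeric fields) into readable form. The following is an added example, not part of this thread or of the audit tools, that does the same translation for AVC and USER_AVC records in pure Python, so one can see what is actually in the file and find the time of the most recent denial. The audit lines it parses are constructed samples, not records from the poster's system.

```python
"""Translate raw audit.log AVC records into human-readable form.

Added example, not from the mailing-list thread. It mimics the part of
`ausearch -m avc -i` this thread is about: every audit.log record has an
epoch timestamp in msg=audit(<secs>.<ms>:<serial>), which is why the file
looks timestamp-less until translated. The sample records are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample records in audit.log format (not real denials).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1370510412.345:1201): avc:  denied  { read } for  pid=6133 comm="sshd" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1370510412.345:1201): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=6133 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)
type=USER_AVC msg=audit(1370510500.001:1205): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system'
type=AVC msg=audit(1370511012.999:1310): avc:  denied  { write } for  pid=2200 comm="httpd" name="index.html" dev=dm-0 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Record header: type and the epoch-second / millisecond / serial triple.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):'
)
# The denial itself: permissions, source/target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_records(text):
    """Return AVC/USER_AVC records as dicts with the epoch translated to UTC."""
    records = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if not header or header.group('type') not in ('AVC', 'USER_AVC'):
            continue
        body = AVC_RE.search(line)
        if not body:
            continue
        when = datetime.fromtimestamp(int(header.group('secs')), tz=timezone.utc)
        records.append({
            'time': when.strftime('%Y-%m-%d %H:%M:%S UTC'),
            'serial': int(header.group('serial')),
            'type': header.group('type'),
            'perms': body.group('perms').split(),
            'scontext': body.group('scontext'),
            'tcontext': body.group('tcontext'),
            # USER_AVC wraps the message in quotes, so strip a trailing one.
            'tclass': body.group('tclass').rstrip("'"),
        })
    return records


def latest_avc_time(text):
    """Time of the most recent denial in the log, or None if there is none."""
    records = parse_avc_records(text)
    return records[-1]['time'] if records else None


if __name__ == '__main__':
    for rec in parse_avc_records(SAMPLE_AUDIT_LOG):
        print('{time} {type} serial={serial} denied {perms} '
              '{scontext} -> {tcontext} ({tclass})'.format(**rec))
    print('last AVC:', latest_avc_time(SAMPLE_AUDIT_LOG))
```

Reading the real file is a matter of passing `open('/var/log/audit/audit.log').read()` instead of the constructed sample; on a live system `ausearch -m avc -i` remains the right tool, since it also resolves uids, syscall numbers and the rest of the record.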
