Analyzing SELINUX_ERR messages
When the SELinux subsystem is asked to perform an invalid SELinux-specific operation, it will log this through the audit subsystem using the SELINUX_ERR message type.
Getting ready
Make sure that the audit subsystem is up and running as we will be using the ausearch application to (re)view audit events:
~# service auditd start
How to do it…
Analyzing SELINUX_ERR messages is done by viewing the entry in the audit logs and understanding the individual fields; this is done by completing the following steps:
- Note the current date/time, or reload the SELinux policy, to have a clear point in the audit logs from where to look:
~# semodule -R
- Trigger the behavior in the application.
- Ask the audit subsystem to show the last events ...
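The following sketch is an added example, not code from the book. It shows why the policy reload is a useful marker: it reads raw audit records on standard input, keeps only the SELINUX_ERR records logged after the last MAC_POLICY_LOAD event, and prints their context fields. The function names and sample records are constructed for illustration, and the record layout assumed is the older `security_compute_sid:  invalid context ... for scontext=...` form.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=SELINUX_ERR msg=audit(1700000000.101:201): security_compute_sid:  invalid context unconfined_u:system_r:old_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:old_exec_t:s0 tclass=process
type=MAC_POLICY_LOAD msg=audit(1700000100.250:310): policy loaded auid=0 ses=1
type=AVC msg=audit(1700000130.412:315): avc:  denied  { read } for  pid=2101 comm="myapp" name="data" dev="dm-0" ino=1234 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SELINUX_ERR msg=audit(1700000131.007:316): security_compute_sid:  invalid context unconfined_u:system_r:myapp_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:myapp_exec_t:s0 tclass=process
EOF
}

# Print one summary line per SELINUX_ERR record seen after the most
# recent policy load (the marker that "semodule -R" leaves in the log).
selinux_err_since_reload() {
    awk '
        # A policy reload discards everything collected before it.
        $1 == "type=MAC_POLICY_LOAD" { n = 0; next }
        $1 == "type=SELINUX_ERR"     { rec[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                cnt = split(rec[i], tok, " ")
                # tok[2] looks like msg=audit(<timestamp>:<serial>):
                id = tok[2]
                sub(/^msg=audit\(/, "", id)
                sub(/\):$/, "", id)
                out = "event=" id
                for (j = 3; j <= cnt; j++) {
                    # Older kernels log the rejected context as free text.
                    if (tok[j] == "context" && tok[j-1] == "invalid")
                        out = out " invalid_context=" tok[j+1]
                    # key=value context fields used by SELINUX_ERR records
                    else if (tok[j] ~ /^(scontext|tcontext|tclass|oldcontext|newcontext|taskcontext)=/)
                        out = out " " tok[j]
                }
                print out
            }
        }'
}

# Run on the constructed sample: only event 316 follows the reload.
sample_audit_log | selinux_err_since_reload
```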