Chapter 6. Tools for Manipulating and Analyzing SELinux
Option          Behavior
-a, --all       Show all rules. You must specify one of the rule types in your search terms: -a, --allow, --audit, --neverallow, or --type.
-l, --lineno    In the search results, specify the line number in policy.conf. This option is ignored when you search a binary policy.

Table 6-1. Options for sesearch

6.2. Using seaudit for Audit Log Analysis
Troubleshooting policy violations can mean wading through convoluted audit logs. The seaudit application is designed to help you read, sort, and query your SELinux audit messages. In addition, seaudit-report generates formatted reports of SELinux messages from the audit log, useful for reports such as those generated by logwatch. The information you gather helps you in analyzing problems and creating solutions.
You need superuser privileges to run seaudit, because it reads system logs. For this reason, /usr/bin/seaudit is a symlink to consolehelper, and the program itself is directly accessible to root at /usr/sbin/seaudit.
You can choose which log and policy file to use when starting the application, for example, seaudit -l /path/to/log -p $SELINUX_SRC//policy.conf. seaudit can use both binary and source policy files.
Although simpler than the related apol, seaudit has more capabilities than are covered
by this section. This section focuses on how to accomplish basic tasks using seaudit.
For more information about what seaudit is, read the online documentation at /usr/share/doc/setools-<version>/seaudit_help.txt, which is also available from the Help menu in seaudit.
Figure 6-1 shows seaudit displaying the audit log with several different kinds of messages displayed. The Other column is where the timestamp and serial number are displayed.
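The reading, sorting and querying of AVC messages described in this section can be sketched in Python, including the timestamp and serial number that seaudit shows in the Other column. This is an added example, not code from setools or from this guide; the log lines are constructed and the function names (parse_avc, query, summarize) are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the kernel AVC format (not from a real system).
SAMPLE_LOG = """\
Nov  9 11:33:20 host kernel: audit(1100000000.100:0): avc:  denied  { read } for  pid=2001 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=4001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Nov  9 11:33:21 host sshd[1999]: Accepted password for alice
type=AVC msg=audit(1100000005.250:17): avc:  denied  { getattr read } for  pid=2001 comm="httpd" name="index.html" dev=hda2 ino=4001 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1100000009.000:18): avc:  granted  { setenforce } for  pid=2100 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC message, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed message
    return {
        "time": datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
        # A context is user:role:type[:level]; the type is the third field.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def query(log_text, result="denied", stype=None):
    """Filter parsed messages and sort them by (timestamp, serial number)."""
    msgs = [m for m in map(parse_avc, log_text.splitlines()) if m]
    hits = [m for m in msgs if m["result"] == result and stype in (None, m["stype"])]
    return sorted(hits, key=lambda m: (m["time"], m["serial"]))

def summarize(msgs):
    """Count messages per (source type, target type, class, permission)."""
    return Counter((m["stype"], m["ttype"], m["tclass"], p) for m in msgs for p in m["perms"])

if __name__ == "__main__":
    for key, n in summarize(query(SAMPLE_LOG)).most_common():
        print(n, *key)
```

The summary groups repeated denials by source type, target type, object class and permission, which is the information needed when deciding whether a policy change or a relabel is the right fix.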