This repository was archived by the owner on Dec 9, 2022. It is now read-only.
Description With improvements in the audit 2.7.x releases it would be nice to show normalized SELinux events in sealert
ausearch -i -m avc -ts today
type=PROCTITLE msg=audit(08/09/2017 03:17:07.004:8617) : proctitle=/usr/sbin/chronyd
type=SYSCALL msg=audit(08/09/2017 03:17:07.004:8617) : arch=x86_64 syscall=sendto success=yes exit=32 a0=0x5 a1=0x7ffde67bbef0 a2=0x20 a3=0x0 items=0 ppid=1 pid=19670 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(08/09/2017 03:17:07.004:8617) : avc: denied { sendto } for pid=19670 comm=chronyd path=/run/chrony/chronyc.10946.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
ausearch -m avc -ts today --format text
At 03:17:07 08/09/2017 system, acting as chrony, successfully violated-mac-policy using /usr/sbin/chronyd
And an example SELinux Alert Browser would show
chrony successfully violated-mac-policy using /usr/sbin/chronyd instead of 'SELinux has detected a problem'
Reactions are currently unavailable
With improvements in the audit 2.7.x releases it would be nice to show normalized SELinux events in sealert
ausearch -i -m avc -ts today
type=PROCTITLE msg=audit(08/09/2017 03:17:07.004:8617) : proctitle=/usr/sbin/chronyd
type=SYSCALL msg=audit(08/09/2017 03:17:07.004:8617) : arch=x86_64 syscall=sendto success=yes exit=32 a0=0x5 a1=0x7ffde67bbef0 a2=0x20 a3=0x0 items=0 ppid=1 pid=19670 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(08/09/2017 03:17:07.004:8617) : avc: denied { sendto } for pid=19670 comm=chronyd path=/run/chrony/chronyc.10946.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
ausearch -m avc -ts today --format text
At 03:17:07 08/09/2017 system, acting as chrony, successfully violated-mac-policy using /usr/sbin/chronyd
And an example SELinux Alert Browser would show
chrony successfully violated-mac-policy using /usr/sbin/chronyd instead of 'SELinux has detected a problem'