SELinux/Logging

When SELinux denies an activity, it usually logs the denial through the audit subsystem or, if auditing is not available, through the kernel log. Usually, because SELinux policy developers can tell SELinux not to log particular denials (through dontaudit statements in the policy). The system administrator can override those statements and have SELinux log every denial.

Introduction
SELinux bases its decisions (allow or deny) on policy rules. Whenever an activity is attempted, SELinux looks up its access vector in the access vector cache (AVC). The cache holds access vectors together with their allow/deny decision; a vector that is not yet cached is computed from the loaded policy and then stored in the cache. This is why denial messages are called AVC denials.

Format of an AVC denial
The following is an example AVC denial:

Example AVC denial

The exact fields of a denial depend on the object class involved. The denial above is for file access; the following one is for a capability:

Another AVC denial example

The most important parts of a denial are the permission (listed between the curly braces), the object class (the tclass field) and the two security contexts (scontext for the source context, which is the domain of the process that attempted the access, and tcontext for the target context of the object it was accessing).

Listing recent AVC denials
To view the recent set of AVC denials through the audit subsystem, use ausearch:

The audit log is also readable directly (at /var/log/audit/audit.log by default), but the time stamp in the raw log is the number of seconds since the Unix epoch rather than a readable date, so it has to be converted manually in that case (ausearch -i performs that conversion for you).
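The script below is added here as an example; it is not part of the original page. It pulls the permission, class and contexts out of raw audit.log lines for both the file and the capability denial formats described above, and converts the epoch time stamp to a readable date. The two log lines it contains are constructed for the example; only the field layout follows the real AVC format.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: extract the fields that
# matter from raw audit.log AVC lines and convert their epoch time stamps.
# The sample lines below are constructed; only the field layout is real.

# Permission(s) between the curly braces, e.g. "write" or "read write".
avc_perm() {
    printf '%s\n' "$1" | sed 's/.*{ *\([^}]*[^} ]\) *}.*/\1/'
}

# Value of a key=value field such as tclass, scontext or tcontext.
avc_field() {
    v=${1#*"$2="}
    if [ "$v" = "$1" ]; then
        return 1                      # key not present on this line
    fi
    printf '%s\n' "${v%% *}"
}

# The number inside msg=audit(EPOCH.MILLIS:SERIAL) is seconds since 1970.
# -u prints UTC so the result is reproducible; drop it for local time.
audit_ts() {
    t=${1#*"msg=audit("}
    t=${t%%:*}
    date -u -d "@${t%.*}" '+%Y-%m-%d %H:%M:%S'
}

# Read audit.log lines on stdin and print one summary line per AVC denial:
# time, permission, class, source context -> target context.
summarize_avc() {
    while IFS= read -r line; do
        case $line in
            *"avc:"*"denied"*"{"*) ;;
            *) continue ;;            # not an AVC denial record
        esac
        printf '%s %s %s %s -> %s\n' \
            "$(audit_ts "$line")" "$(avc_perm "$line")" \
            "$(avc_field "$line" tclass)" \
            "$(avc_field "$line" scontext)" "$(avc_field "$line" tcontext)"
    done
}

# Constructed sample: one file denial and one capability denial.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="nginx" name="access.log" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:457): avc:  denied  { net_bind_service } for  pid=1234 comm="nginx" capability=10  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
EOF
}

# On a live system the input comes from the audit subsystem instead, e.g.
#   ausearch -m avc -ts recent --raw | summarize_avc
sample_log | summarize_avc
```

The capability denial has no name/dev/ino fields and its target context is the process itself, which is why the extraction works on key=value pairs rather than on a fixed column layout.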

Disabling dontaudit statements
It is possible to rebuild the SELinux policy with the dontaudit statements disabled. Policy developers put these statements in the policy to hide particular denials from the regular audit reporting, because they consider the denial cosmetic: the access is denied, but the application keeps working, so the denial is not worth logging.

To rebuild the policy with the dontaudit statements disabled:

To re-enable the dontaudit statements, just rebuild the policy again:
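As an added example (not from the original page), the script below wraps the two rebuilds in a small procedure: count the denials already logged for a domain, disable the dontaudit statements with semodule -DB, reproduce the problem, re-enable them with semodule -B, and report how many new denials appeared. Leaving dontaudit disabled floods the log with cosmetic denials, so the procedure restores it even when the reproduction command fails. The semodule calls need root and a loaded SELinux policy; the sample log, the domain name httpd_t and the rc-service command are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: surface denials hidden by
# dontaudit statements around one reproduction, then put the statements
# back. The semodule calls need root and a loaded policy; the counting
# helper runs anywhere. The sample log lines below are constructed.

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# Count AVC denials in a log file, optionally only those whose source
# context carries the given domain type (e.g. httpd_t).
count_denials() {
    log=$1
    domain=${2:-}
    if [ -n "$domain" ]; then
        grep -c "avc:.*denied.*scontext=[^ ]*:${domain}:" "$log" || :
    else
        grep -c 'avc:.*denied' "$log" || :
    fi
}

# semodule -DB rebuilds the policy with dontaudit statements disabled,
# semodule -B rebuilds it with them back in effect.
dontaudit() {
    case $1 in
        off) semodule -DB ;;
        on)  semodule -B ;;
        *)   echo "usage: dontaudit on|off" >&2; return 2 ;;
    esac
}

# Run a command with dontaudit disabled and print how many new denials the
# given domain produced meanwhile. dontaudit is re-enabled even if the
# command fails, so the system is not left logging every cosmetic denial.
trace_denials() {
    domain=$1; shift
    before=$(count_denials "$AUDIT_LOG" "$domain")
    dontaudit off
    "$@" || :
    dontaudit on
    after=$(count_denials "$AUDIT_LOG" "$domain")
    echo $((after - before))
}

# Constructed sample log for a stand-alone run of the counting helper.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="nginx" name="access.log" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:457): avc:  denied  { net_bind_service } for  pid=1234 comm="nginx" capability=10  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1700000002.000:458): avc:  denied  { read } for  pid=99 comm="sshd" name="shadow" dev="sda1" ino=777 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF
}

# Typical use on a live system, as root (hypothetical service name):
#   trace_denials httpd_t rc-service nginx restart
tmp=$(mktemp)
sample_audit_log > "$tmp"
echo "all: $(count_denials "$tmp"), httpd_t: $(count_denials "$tmp" httpd_t)"
rm -f "$tmp"
```

The delta printed by trace_denials is only a first indication: inspect the new records with ausearch afterwards, because many of the denials that dontaudit hides are exactly the cosmetic ones the policy developer intended to suppress.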