audit2why man page on CentOS

AUDIT2WHY(8)			      NSA			  AUDIT2WHY(8)

NAME
       audit2why - Translates SELinux audit messages into a description of why
       the access was denied

SYNOPSIS
       audit2why [options]

OPTIONS
       --help Print a short usage message

       -p <policyfile>
	      Specify an alternate policy file.

DESCRIPTION
       This utility processes SELinux audit messages from standard input and
       reports which component of the policy caused each permission denial,
       based on the specified policy file if the -p option was used or the
       active policy otherwise. There are three possible causes: 1) a missing
       or disabled TE allow rule, 2) a constraint violation, or 3) a missing
       role allow rule. In the first case, the TE allow rule may exist in
       the policy but may be disabled due to boolean settings. See
       booleans(8). If the allow rule is not present at all, it can be
       generated via audit2allow(1). In the second case, a constraint is being
       violated; see policy/constraints or policy/mls to identify the
       particular constraint. Typically, this can be resolved by adding a type
       attribute to the domain. In the third case, a role transition was
       attempted but no allow rule existed for the role pair. This can be
       resolved by adding an allow rule for the role pair to the policy.

EXAMPLE
       $ /usr/sbin/audit2why < /var/log/audit/audit.log

       type=KERNEL msg=audit(1115316408.926:336418): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
	       Was caused by:
		       Missing or disabled TE allow rule.
		       Allow rules may exist but be disabled by boolean settings; check boolean settings.
		       You can see the necessary allow rules by running audit2allow with this audit message as input.

       type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
	       Was caused by:
		       Constraint violation.
		       Check policy/constraints.
		       Typically, you just need to add a type attribute to the domain to satisfy the constraint.
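
The following is an added example, not part of the original man page or the audit2why source: a small Python parser that reads audit2why output in the format shown above and attaches the reported cause to each denial, so a long log can be triaged by cause. The cause labels and the "role allow" keyword for the third cause are assumptions, since the page shows output only for the first two causes.

```python
import re
from collections import Counter

# audit2why output taken from the EXAMPLE section (later hint lines trimmed).
SAMPLE = """\
type=KERNEL msg=audit(1115316408.926:336418): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
        Was caused by:
                Constraint violation.
                Check policy/constraints.
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# keyword -> label (labels are ours; the "role allow" wording is assumed, not shown on the page)
CAUSES = (("te allow", "te_allow"), ("constraint", "constraint"), ("role allow", "role_allow"))

def ctx_type(context):
    # user:role:type[:mls-range] -> type
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse(text):
    """Return one record per denial, with the audit2why cause attached."""
    records, current, expect_cause = [], None, False
    for line in text.splitlines():
        m = AVC.search(line)
        if m:
            perms, scon, tcon, tclass = m.groups()
            current = {"perms": perms.split(), "source": ctx_type(scon),
                       "target": ctx_type(tcon), "class": tclass, "cause": "unknown"}
            records.append(current)
            expect_cause = False
        elif "Was caused by:" in line:
            expect_cause = current is not None
        elif expect_cause and line.strip():
            # Only the first line after "Was caused by:" names the cause.
            current["cause"] = next((c for k, c in CAUSES if k in line.lower()), "unknown")
            expect_cause = False
    return records

def summarize(records):
    return Counter(r["cause"] for r in records)

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(f'{r["cause"]:<11} {r["source"]} -> {r["target"]}:{r["class"]} {r["perms"]}')
```

Denials labelled te_allow are the ones worth checking against boolean settings before generating rules with audit2allow(1); those labelled constraint need the policy/constraints or policy/mls review described above.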

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>,
       audit2why utility was written by Stephen Smalley <sds@tycho.nsa.gov>.

Security Enhanced Linux		   May 2005			  AUDIT2WHY(8)

Copyright (c) for man pages and the logo by the respective OS vendor.