LinuxCommandLibrary

audit2why

Interpret why audit rules matched

TLDR

Explain the most recent SELinux denial

$ sudo audit2why

Explain SELinux denials from a specific audit log file
$ sudo audit2why [[-i|--input]] [path/to/audit.log]

Explain all SELinux denials from the audit log
$ sudo ausearch [[-m|--message]] avc | audit2why

Explain denials for a specific service
$ sudo ausearch [[-m|--message]] avc [[-c|--comm]] [service_name] | audit2why

SYNOPSIS

audit2why [-h | --help] [-l | --list-interps] [filename]

PARAMETERS

-h, --help
    Display help message and exit.

-l, --list-interps
    List all available interpretation patterns.

DESCRIPTION

audit2why is a diagnostic tool in the Linux Audit subsystem that interprets audit logs to explain why access was denied by audit rules or SELinux policies. It processes raw audit events, typically AVC (Access Vector Cache) denials, type enforcement violations, or user AVCs, and matches them against predefined interpretation patterns to output human-readable reasons.

Common use cases include troubleshooting SELinux policy issues, such as incorrect file contexts, missing booleans, confined domains, or required policy modules. For example, it might reveal 'file_t is not allowed to write to var_log_t' or suggest enabling a boolean like 'httpd_enable_homedirs'.

The tool reads from standard input (often piped from ausearch) or specified files, applying interpretations loaded from plugins. It helps administrators quickly identify fixes without parsing cryptic raw logs, streamlining security policy tuning and compliance auditing.

CAVEATS

Only explains known denial patterns; unmatched events are reported as 'type=UNKNOWN'. Requires auditd to be running and the relevant records to be present in the log. The tool is SELinux-focused and of little use for non-AVC audit events.

TYPICAL USAGE

ausearch -m AVC -ts recent | audit2why
or
ausearch -m USER_AVC -uid 1000 | audit2why
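The DESCRIPTION and TYPICAL USAGE sections above describe a pipeline: ausearch selects AVC records, and audit2why reads them on standard input and reasons about the source type, target type, object class and denied permissions in each record. The shell function below is an added example, not part of this page or of the audit/SELinux projects, that parses those same fields out of AVC records so you can see exactly what audit2why is working from. The log lines it runs on are constructed samples (the audit timestamps, PIDs, inode numbers and the user_home_t denial are made up for illustration); on a real host you would feed it the output of `ausearch -m avc -ts recent` instead and compare its summary with what audit2why reports.

```shell
#!/bin/sh
# Summarise SELinux AVC denial records from standard input.
# For each "type=AVC ... avc: denied" line print:
#   <source type> -> <target type> (<class>): <permissions> [comm=<program>]
# Non-AVC records (SYSCALL, CWD, PATH, ...) are ignored, which mirrors
# what an "ausearch -m avc | audit2why" pipeline hands to audit2why.
avc_summary() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            # Permissions are the words between "denied {" and "}".
            perms = $0
            sub(/.*denied +[{] */, "", perms)
            sub(/ *[}].*/, "", perms)

            comm = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) {
                    comm = substr($i, 6)          # strip "comm="
                    gsub(/"/, "", comm)           # strip surrounding quotes
                }
                # A context is user:role:type:level; the type is field 3.
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); ttype = a[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            printf "%s -> %s (%s): %s [comm=%s]\n", stype, ttype, tclass, perms, comm
        }'
}

# Constructed sample log: two AVC denials plus one unrelated SYSCALL record.
SAMPLE_AVC_LOG=$(cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="httpd.sock" dev="tmpfs" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=1011 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
)

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_AVC_LOG" | avc_summary
```

The second summary line, httpd_t denied read/open on a user_home_t file, is the shape of denial for which audit2why would point at the httpd_enable_homedirs boolean mentioned in DESCRIPTION; the first, a write to a var_run_t socket, is the kind that usually calls for a relabel or a local policy module rather than a boolean.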

OUTPUT EXAMPLE

type=SYSCALL msg=audit(...): SELinux is preventing /usr/bin/httpd from write access on the sock_file httpd.sock.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that httpd should be allowed write access... Then you should change the type.

HISTORY

Part of the Linux Audit tool suite developed by Steve Grubb (Red Hat) since ~2005; audit2why was added in audit 1.7.5 (2008) to aid SELinux integration and denial analysis.

SEE ALSO

ausearch(8), aureport(8), auditctl(8), auditd(8)
