LinuxCommandLibrary

audit2why

Interpret why audit rules matched

TLDR

View documentation for the original command

$ tldr audit2allow

SYNOPSIS

audit2why [OPTION]... [FILE]
audit_log_entry | audit2why

PARAMETERS

-i, --input FILE
    Reads the AVC denial message from the specified FILE instead of standard input. This is useful when you have saved an AVC log entry to a file.

-h, --help
    Displays a concise help message summarizing command usage and options, then exits.

-v, --version
    Shows the version information of the audit2why command and then exits.

-r, --raw
    Processes the input as a raw AVC denial string, bypassing audit log parsing. Useful when feeding just the AVC= string directly.

DESCRIPTION

audit2why is a utility that makes the Access Vector Cache (AVC) denial messages generated by SELinux easier to understand. When SELinux blocks an operation because of a policy violation, it records a detailed AVC denial message in the system's audit log (e.g., /var/log/audit/audit.log). These messages are terse and dense, listing security contexts, object classes, and permissions, and they can be hard for administrators to decipher.

audit2why parses these raw AVC denial entries and explains them in human-readable terms. It attempts to identify the policy rule that was violated or is missing, and often suggests a practical fix such as a semanage command to set a boolean or add a port or file-context mapping, or a restorecon command to correct file contexts. This reduces the time and effort needed to diagnose and resolve SELinux access issues and makes SELinux administration more approachable.
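As an added example (not part of this page or of audit2why itself), the following Python parser extracts the fields audit2why reasons about from AVC records and merges repeated denials by source type, target type and object class; it also flags whether the access was actually blocked (permissive=0) or only logged. The log lines in SAMPLE_LOG are constructed for illustration.

```python
"""Parse SELinux AVC denial records into structured fields.

Added example; the audit records below are constructed, not captured.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/srv/site/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000000.102:302): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/srv/site/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

# "avc:  denied  { perm perm } for  key=value ..." is the core of every AVC denial record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {"perms": sorted(m.group("perms").split())}
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec["source_type"] = fields["scontext"].split(":")[2]
    rec["target_type"] = fields["tcontext"].split(":")[2]
    rec["tclass"] = fields["tclass"]
    rec["comm"] = fields.get("comm")
    rec["path"] = fields.get("path")
    # permissive=1 means the domain was permissive: logged, but the access went through.
    rec["enforced"] = fields.get("permissive") == "0"
    return rec


def group_denials(log_text):
    """Merge denials by (source_type, target_type, tclass) into a sorted permission list."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}
```

Grouping by (source, target, class) is the same shape audit2why and audit2allow use when reporting a missing allow rule, so the output maps directly onto what those tools explain.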

CAVEATS

  • Requires SELinux to be enabled and enforcing on the system for its explanations to be relevant.
  • The explanations provided are based on the currently loaded SELinux policy. If the policy is outdated or significantly customized, the suggestions might not be perfectly accurate or exhaustive.
  • It may not always provide a definitive solution, especially for highly complex policy interactions or nuanced misconfigurations; sometimes, it highlights the missing rule without a specific semanage command.
  • audit2why is a diagnostic tool; it does not implement any fixes itself but rather provides guidance for manual intervention.

POLICY DEVELOPMENT AID

Beyond its utility in troubleshooting, audit2why is an invaluable asset during the SELinux policy development lifecycle. Developers crafting new SELinux policies for applications or services can leverage it to quickly identify and understand why specific accesses are being denied. This accelerates the iterative process of writing, testing, and refining policy rules, ensuring that applications run with the least necessary privileges while maintaining system security. It helps pinpoint precisely which access was denied, guiding the creation of targeted and effective policy rules.

HISTORY

audit2why is an integral part of the setools (SELinux Tools) project, a suite of utilities developed to aid in the analysis, modification, and debugging of SELinux policies. It emerged as a response to the growing need for a more user-friendly way to interpret the often cryptic AVC denial messages. Its development aimed to simplify SELinux administration and troubleshooting, making the robust security framework more accessible to system administrators and developers by translating complex low-level kernel denials into actionable insights. Its inclusion in common Linux distributions highlights its importance in the SELinux ecosystem.

SEE ALSO

auditd(8), ausearch(8), auditctl(8), semanage(8), restorecon(8), chcon(1)
