audit2why

Explain the most recent SELinux denial

$ sudo audit2why

$ sudo audit2why -i [path/to/audit.log]

$ sudo ausearch -m avc | audit2why

$ sudo ausearch -m avc -c [service_name] | audit2why

audit2why [options] < input

audit2why translates SELinux denial messages from audit logs into human-readable explanations. It identifies the cause of each denial and often suggests solutions such as boolean toggles, policy modules, or file context corrections.
The tool reads audit events from standard input or a specified file. It is typically used in conjunction with ausearch to filter and analyze specific types of denials.

-i, --input file

Read audit events from the specified file instead of stdin

Show the reason for the denial (default behavior)

Use an alternate policy file

Requires root privileges to read audit logs. The tool only explains denials; it does not automatically fix them. Suggested booleans should be reviewed before enabling as they may have security implications. Part of the policycoreutils-python-utils package.

audit2allow(1), ausearch(8), sealert(8), semanage(8)