Why isn’t the SELinux logging anything

Tags: logging, rsyslog, selinux

I have a sneaking suspicion it has something to do with me mucking about with my rsyslog.conf, but I'm not 100% sure about that.

I am running Centos 7, and SELinux has been working A-OK. However, I tried to follow these instructions and SELinux did not deny.

I did the following:

useradd fnord
echo "fnord:user_u:s0-s0:c0.c1023" >> /etc/selinux/targeted/seusers
setsebool user_exec_content off
sudo su - fnord
cp /bin/ls /tmp
/tmp/ls

The /tmp/ls command worked just fine. I tried with and without the -P flag, but it doesn't make any difference.

I'm trying to trigger some SELinux log message, because /var/audit/audit.log is empty no matter what I do. I know that SELinux is enforcing things, because rsyslog is set up to send certain logs to /company/var/log/, but those logs do not get written. If I change SELinux to permissive instead of enforcing they do get written. But nothing writes to /var/audit/audit.log anymore. It definitely used to – I have audit.log.1 and other rolled-over files.

I thought initially that it may have been /etc/rsyslog.d/listen.conf: I had changed the contents from $SystemLogSocketName /run/systemd/journal/syslog to $SystemLogSocketName /dev/log, but I have since changed it back and restarted rsyslog. And still nothing shows up in audit.log.

How can I discover why this doesn't log right?

Best Answer

As it turns out, kauditd != auditd, and auditd is the service that SELinux uses to log with.

When systemctl start auditd fails you can look in /var/log/messages. In my case, I found that /var/log/audit/audit.log (a file I removed and touched) needs to have 0600 permissions (I think it said 0640 was also OK).

Doing this:

# chmod 600 /var/log/audit/audit.log
# systemctl start auditd

re-enabled logging.
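A small diagnostic for the situation in this answer, added here as an example and not part of the original answer: it reports whether the userspace auditd (not the kauditd kernel thread) is running and whether the audit log's permissions are one of the modes the answer says auditd accepts. It assumes GNU coreutils `stat` (as on CentOS 7) and the default log path; `AUDIT_LOG` can be overridden for testing.

```shell
#!/bin/sh
# Constructed example: check the two things that turned out to be wrong above,
# auditd not running and /var/log/audit/audit.log having the wrong mode.
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# file_mode PATH -> prints the octal permission bits, e.g. 600 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_log_mode_ok PATH -> 0 if the mode is 0600 or 0640 (what the answer reports
# auditd accepts), 1 if the file exists with any other mode, 2 if it is missing.
audit_log_mode_ok() {
    [ -f "$1" ] || return 2
    case "$(file_mode "$1")" in
        600|640) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_diagnose -> prints one line per check; always returns 0 so it is safe under set -e
audit_diagnose() {
    if command -v systemctl >/dev/null 2>&1; then
        printf 'auditd service: %s\n' "$(systemctl is-active auditd 2>/dev/null || echo unknown)"
    fi
    # kauditd is a kernel thread; only the userspace auditd writes audit.log
    if command -v pgrep >/dev/null 2>&1 && pgrep -x auditd >/dev/null 2>&1; then
        echo 'auditd process: running'
    else
        echo 'auditd process: not running (a kauditd kernel thread does not count)'
    fi
    rc=0
    audit_log_mode_ok "$AUDIT_LOG" || rc=$?
    case $rc in
        0) printf '%s mode %s: OK\n' "$AUDIT_LOG" "$(file_mode "$AUDIT_LOG")" ;;
        1) printf '%s mode %s: auditd will refuse to start; fix with: chmod 600 %s\n' \
               "$AUDIT_LOG" "$(file_mode "$AUDIT_LOG")" "$AUDIT_LOG" ;;
        2) printf '%s: missing; creating it with touch gives 0644, let auditd create it\n' \
               "$AUDIT_LOG" ;;
    esac
    return 0
}

audit_diagnose
```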
