How do you find SELinux denial messages using ausearch?
ausearch -m AVC -ts recent pulls SELinux denial records out of the audit log; each AVC line tells you the denied action plus the source (process) and target (file) contexts, which together explain exactly what rule was missing.
AVC = Access Vector Cache: SELinux caches its allow/deny decisions, and every denial is written to /var/log/audit/audit.log as an AVC message. Reading one is the core diagnostic skill — denied { getattr } is the action, comm="httpd" the process, scontext=...httpd_t... the process's label, and tcontext=...default_t... the file's label. Seeing httpd_t denied against a file labelled default_t immediately says "this file has the wrong type — relabel it to httpd_sys_content_t."
Search recent AVC denials:
ausearch -m AVC -ts recent
Search all AVC messages:
ausearch -m AVC
Example output:
type=AVC msg=audit(1653601583.801:39077): avc: denied { getattr } for
pid=82479 comm="httpd" path="/custom/index.html" dev="dm-0" ino=571543
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
Key fields in AVC message:
| Field | Meaning |
|---|---|
denied { getattr } |
Denied action |
comm="httpd" |
Process name |
path= |
Target file |
scontext= |
Source (process) context |
tcontext= |
Target (file) context |
Log location: /var/log/audit/audit.log
Go deeper:
ausearch(8) — -m AVC, -ts recent — the flags to pull AVC denials from the audit log.