LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you find SELinux denial messages using ausearch?

ausearch -m AVC -ts recent pulls SELinux denial records out of the audit log; each AVC line tells you the denied action plus the source (process) and target (file) contexts, which together explain exactly what rule was missing.

AVC = Access Vector Cache: SELinux caches its allow/deny decisions, and every denial is written to /var/log/audit/audit.log as an AVC message. Reading one is the core diagnostic skill — denied { getattr } is the action, comm="httpd" the process, scontext=...httpd_t... the process's label, and tcontext=...default_t... the file's label. Seeing httpd_t denied against a file labelled default_t immediately says "this file has the wrong type — relabel it to httpd_sys_content_t."

Search recent AVC denials:

ausearch -m AVC -ts recent

Search all AVC messages:

ausearch -m AVC

Example output:

type=AVC msg=audit(1653601583.801:39077): avc: denied { getattr } for
pid=82479 comm="httpd" path="/custom/index.html" dev="dm-0" ino=571543
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0

Key fields in AVC message:

Field Meaning
denied { getattr } Denied action
comm="httpd" Process name
path= Target file
scontext= Source (process) context
tcontext= Target (file) context

Log location: /var/log/audit/audit.log

Go deeper:

From Quiz: LIOS / SELinux Security | Updated: Jul 14, 2026