selinux January 2010 archive

Help with an SELinux AVC event...

From: Hasan Rezaul-CHR010 <CHR010_at_nospam>
Date: Thu Jan 07 2010 - 20:37:32 GMT
To: "Stephen Smalley" <>, "Tomas, Gregg A (IS)" <>

Hi All,

I have a C application task called "sswd" on my Linux system, that opens up the /var/log/audit/audit.log file every 5 seconds, and checks to see if there are any new AVC denies.

I have had this same task doing the same thing for the last few years on a Linux system running selinux. And I have never seen these events in audit.log before complaining about the sswd task... I used to use older selinux packages, and ran the Fedora Core 7 'strict' policy together with some custom policies.

Recently we upgraded our SELinux packages to the very latest (similar to Fedora 12), and we are using Refpolicy as a base policy.

In the /var/log/audit/audit.log file, I see the following event pop up every 5 seconds, and I am guessing it's because "sswd" tries to open up the audit.log file every 5 seconds for reading.

  1. Can you help me understand what this event is really saying?
  2. I have already taken the audit.log file, and used audit2allow to generate any allow rules necessary, but it didn't help to get rid of this particular event.
  3. Can I add any specific policy allow lines or transition rules in my custom policy files to get rid of this repeated event?

Thanks in advance.

The event that pops up every 5 seconds in audit.log is:

type=SYSCALL msg=audit(1262874266.422:260): arch=14 syscall=5 success=yes exit=24 a0=1002b9e4 a1=0 a2=1b6 a3=1b6 items=1 ppid=2463 pid=2794 auid=4294967295 uid=0 gid=601 euid=0 suid=0 fsuid=0 egid=601 sgid=601 fsgid=601 tty=(none) ses=4294967295 comm="sswd" exe="/usr/app/bin/sswd" subj=system_u:system_r:init_t:s0-s15:c0.c255 key="LOG_audit"
type=CWD msg=audit(1262874266.422:260): cwd="/data"
type=PATH msg=audit(1262874266.422:260): item=0 name="/var/log/audit/audit.log" inode=2061 dev=fd:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s15:c0.c255

root@hapWibbSc2:/var/log/audit# ps -eZ | grep sswd
system_u:system_r:init_t:s0-s15:c0.c255 2781 ? 00:00:00 sswd

root@hapWibbSc2:/var/log/audit# cd /usr/app/bin
root@hapWibbSc2:/usr/app/bin# ls -l sswd
-rwxrwxr-x 1 root root 217204 Jan 1 07:49 sswd
root@hapWibbSc2:/usr/app/bin# cd /var/log/audit/
root@hapWibbSc2:/var/log/audit#
root@hapWibbSc2:/var/log/audit# ls -lZ
-rw------- root root system_u:object_r:auditd_log_t:s15:c0.c255 audit.log
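
An added example, not part of the original message: a small Python parser that groups audit.log records into events by serial number and separates AVC records from SYSCALL records that carry a key= field set by an audit rule. The first three sample records are copied from the message; the fourth is a constructed AVC denial for contrast, and all function names are illustrative.

```python
import re
from collections import defaultdict

# Records 1-3 are the event quoted in the message; record 4 is a constructed
# AVC denial added only for contrast.
SAMPLE = """\
type=SYSCALL msg=audit(1262874266.422:260): arch=14 syscall=5 success=yes exit=24 a0=1002b9e4 a1=0 a2=1b6 a3=1b6 items=1 ppid=2463 pid=2794 auid=4294967295 uid=0 gid=601 euid=0 suid=0 fsuid=0 egid=601 sgid=601 fsgid=601 tty=(none) ses=4294967295 comm="sswd" exe="/usr/app/bin/sswd" subj=system_u:system_r:init_t:s0-s15:c0.c255 key="LOG_audit"
type=CWD msg=audit(1262874266.422:260): cwd="/data"
type=PATH msg=audit(1262874266.422:260): item=0 name="/var/log/audit/audit.log" inode=2061 dev=fd:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s15:c0.c255
type=AVC msg=audit(1262874300.100:261): avc:  denied  { read } for  pid=2794 comm="sswd" name="example.log" dev=fd:07 ino=2062 scontext=system_u:system_r:init_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by the serial number in msg=audit(timestamp:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[int(serial)].append((rtype, body, fields))
    return dict(events)

def classify(records):
    """AVC events first; otherwise a SYSCALL with a real key is an audit-rule hit."""
    for rtype, body, _ in records:
        if rtype == 'AVC':
            return 'avc-denied' if ' denied ' in body else 'avc-granted'
    for rtype, _, fields in records:
        if rtype == 'SYSCALL' and fields.get('key', '(null)') != '(null)':
            return 'audit-rule:' + fields['key']
    return 'other'

def summarize(text):
    """One summary dict per event: kind, process name, syscall result, path."""
    out = {}
    for serial, records in parse_events(text).items():
        merged = {}
        for _, _, fields in records:
            merged.update(fields)
        out[serial] = {'kind': classify(records), 'comm': merged.get('comm'),
                       'success': merged.get('success'), 'path': merged.get('name')}
    return out

if __name__ == '__main__':
    for serial, info in summarize(SAMPLE).items():
        print(serial, info)
```

The posted event classifies as an audit-rule hit (key LOG_audit, success=yes) with no AVC record in it; audit2allow only turns AVC denials into allow rules.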

