
As I try to get more fluent with SELinux, it looks like

sealert -l <local-id>

would be a particularly useful way to get help with logged denials.

From what I understand, the local IDs used to be logged to /var/log/messages. But in Fedora 23, that's become the output of journalctl.

Both in the output of journalctl and in /var/log/audit/audit.log, I see messages like

type=AVC msg=audit(1450844231.007:161): avc:  denied  { getattr } for  pid=840 comm="nginx" path="/home/web/fallback/index.html" dev="vda1" ino=1448751 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0

that do not include the local ID. The local ID must be derivable from this information, because

sealert -a /var/log/audit/audit.log

analyzes the full log file and generates the local IDs. But that is slow and cumbersome, when I'd like information on just a single event.

Is there any easy way to find the local ID of a logged denial under Fedora 23, or an equally easy way to get the sealert message for a particular log item in audit.log without having to analyze the whole file and trawl through long output?

Many thanks.

Steve Waldman
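The AVC record quoted in the question, as an added example that is not code from the question or from the setroubleshoot project: a small Python parser that splits audit records into their fields and picks out the ones for a single audit serial, so one denial can be inspected on its own (or written to its own file) instead of analyzing the whole log. The log lines are constructed from the record above; the serial number used, and the idea of handing such a one-event file to sealert -a, are assumptions.

```python
import re

# Constructed sample records, modelled on the AVC line quoted in the question
# (the SYSCALL line and the second AVC are made up for illustration).
SAMPLE_LOG = """\
type=AVC msg=audit(1450844231.007:161): avc:  denied  { getattr } for  pid=840 comm="nginx" path="/home/web/fallback/index.html" dev="vda1" ino=1448751 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1450844231.007:161): arch=c000003e syscall=4 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1450844300.120:162): avc:  denied  { read } for  pid=840 comm="nginx" name="index.html" dev="vda1" ino=1448751 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0
"""

# Every audit record starts with type=... msg=audit(<epoch seconds>:<serial>):
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# AVC bodies carry the decision and permission set before the key=value fields.
AVC_RE = re.compile(r'^avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["decision"] = a["decision"]
        rec["perms"] = a["perms"].split()
        body = a["fields"]
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec

def avc_records(text, serial=None):
    """Return the parsed AVC records, optionally only those with a given serial."""
    recs = [parse_record(l) for l in text.splitlines()]
    return [r for r in recs if r and r["type"] == "AVC" and serial in (None, r["serial"])]

def lines_for_serial(text, serial):
    """Return the raw lines (AVC, SYSCALL, ...) that belong to one audit event."""
    return [l for l in text.splitlines() if (r := parse_record(l)) and r["serial"] == serial]

def summarize(rec):
    """One-line summary of a denial: what was denied, to whom, on what, in which mode."""
    f = rec["fields"]
    target = f.get("path") or f.get("name") or "?"
    mode = "permissive" if f.get("permissive") == "1" else "enforcing"
    return (f"{rec['decision']} {{ {' '.join(rec['perms'])} }} {f.get('comm')} (pid {f.get('pid')}) "
            f"{f.get('scontext')} -> {f.get('tcontext')} {f.get('tclass')} {target} [{mode}]")
```

Writing the lines returned by lines_for_serial to a temporary file and passing that file to sealert -a is the assumed way to get the report for just that event; that sealert accepts such a file has not been verified here.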