How to monitor changes of the SELinux context of the files and directories

Created: 2017-03-13 11:39:35 UTC

Modified: 2017-08-08 13:44:00 UTC

Applicable to:

  • Plesk for Linux

Question

How can changes to the SELinux context of files or directories be monitored?

Answer

  • On CentOS/RHEL 7, the following command can be used to retrieve the log entries that show SELinux context changes:

    # grep resrc=fcontext /var/log/audit/audit.log | grep filename
    
  • On CentOS/RHEL 6, the inotifywait utility from the inotify-tools package should be used to monitor context changes:

    • Install inotify-tools package from the EPEL repository:

      # yum install epel-release && yum install inotify-tools
      
    • Prepare a bash script with the following content:

      #!/bin/bash
      inotifywait -d -o /file/for/logging --timefmt '%d/%m/%y %H:%M:%S' --format '%T %w %e' -e attrib [files or directories to monitor]

    • Add the created script to root's crontab so that it is executed at system startup after a reboot:

      # crontab -e
      @reboot /path/to/script/script.sh >> /root/script-output.log 2>&1
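
The attrib event used in the CentOS/RHEL 6 procedure above also fires for permission, ownership and timestamp changes. The following filter is an added example, not part of the original article: it reads the log written by that inotifywait command and reports only the paths whose SELinux context differs from a recorded baseline. The function names, the baseline file format and the use of stat -c %C are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original article.
# inotifywait's "attrib" event also fires for chmod, chown and touch, so this
# filter reads the log written with --format '%T %w %e' and reports only the
# paths whose SELinux context differs from the one recorded in a baseline.

# Assumption: hypothetical helper that prints a path's current context
# (GNU stat's %C format). Replace it if contexts are obtained another way.
get_context() { stat -c %C -- "$1" 2>/dev/null; }

# Usage: report_context_changes LOGFILE BASELINE
# BASELINE holds "path<TAB>context" lines and is updated in place.
# A path seen for the first time is recorded without being reported.
report_context_changes() (
    log=$1 baseline=$2
    [ -f "$baseline" ] || : > "$baseline"
    while read -r date time rest; do
        event=${rest##* }     # %e is the last space-separated field
        path=${rest% *}       # %w may itself contain spaces
        case ",$event," in
            *,ATTRIB,*) ;;    # also matches "ATTRIB,ISDIR"
            *) continue ;;
        esac
        new=$(get_context "$path") || continue   # path is gone or unreadable
        old=$(p=$path awk -F'\t' '$1 == ENVIRON["p"] { print $2 }' "$baseline")
        if [ "$old" = "$new" ]; then
            continue          # mode, owner or timestamp change only
        fi
        if [ -n "$old" ]; then
            printf '%s %s %s: %s -> %s\n' "$date" "$time" "$path" "$old" "$new"
        fi
        # Replace the baseline entry so the next run compares against $new.
        { p=$path awk -F'\t' '$1 != ENVIRON["p"]' "$baseline"
          printf '%s\t%s\n' "$path" "$new"; } > "$baseline.tmp"
        mv "$baseline.tmp" "$baseline"
    done < "$log"
)
```

The context is read when the filter runs, not when the event was logged, so the reported timestamp is that of the first attrib event recorded for the path since the baseline was last updated.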

Additionally, the setroubleshoot package can be installed to analyze and diagnose SELinux problems:

    # yum install setroubleshoot