Introduction¶
Learn how to use audit logs and ausearch to investigate SELinux access denials. This topic is common in day-to-day Linux administration and is useful for RHCSA preparation because you must be able to perform the task from a terminal and then prove that it worked.
What You Will Learn¶
By the end of this guide, you should be able to:
- Identify when this task is required
- Run the main commands safely
- Verify the result from the command line
- Avoid common mistakes that cause exam and production problems
Required Knowledge¶
You should know how to open a shell, use sudo, edit text files with vi or another terminal editor, and read command output carefully. On RHEL, Rocky Linux, and AlmaLinux, most package examples use dnf. Ubuntu systems may use different package names or apt, but the core administration idea is usually similar.
Practical Command Examples¶
Run commands deliberately and verify each step before moving on.
sudo systemctl status auditd
sudo ausearch -m AVC -ts today
sudo ausearch -m AVC -ts recent -i
sudo tail -f /var/log/audit/audit.log
Command Explanation¶
The first command usually inspects the current state so you do not change the wrong object. The middle commands make the requested change. The final commands show the state after the change. For RHCSA tasks, this order matters: inspect, change, verify.
Use sudo when the operation changes system configuration, users, services, storage, firewall rules, or security settings. If a command fails, read the error before trying a different command.
Verification Commands¶
Use separate commands to confirm the result. Do not rely only on the command returning successfully.
sudo ausearch -m AVC -ts recent
sudo auditctl -s
Example output may look like this:
command completed successfully
expected setting is visible in the verification output
Common Mistakes¶
- auditd may not be running on minimal systems.
- Reading raw audit records without -i can make user and permission fields harder to understand.
RHCSA-Style Practice Task¶
Find SELinux AVC records from today and explain which process was denied access to which target.
After completing the task, write down the verification command you used and the exact output field that proves success.
Quick Checklist¶
- Confirm the target user, file, service, disk, or mount before changing it.
- Run the command with the correct option and full path when needed.
- Verify the result with an independent command.
- Make persistent changes only after the runtime test works.
- Keep a backup before editing critical configuration files.
Summary¶
This RHCSA topic is about doing a small administrative change correctly and proving the final state. Use a careful workflow: inspect the current configuration, apply the minimum required change, test it immediately, and make it persistent only when the task requires persistence.