Provided by: policycoreutils_1.28-3_i386 bug


       audit2why - Translates SELinux audit messages into a description of why
       the access was denied


       audit2why [options]


       --help Print a short usage message

       -p <policyfile>
              Specify an alternate policy file.


       This utility processes SELinux audit messages from standard  input  and
       and reports which component of the policy caused each permission denial
       based on the specified policy file if the -p option  was  used  or  the
       active policy otherwise.  There are three possible causes: 1) a missing
       or disabled TE allow rule, 2) a constraint violation, or 3)  a  missing
       role  allow  rule.    In the first case, the TE allow rule may exist in
       the  policy  but  may  be  disabled  due  to  boolean  settings.    See
       booleans(8).   If  the  allow  rule  is  not  present at all, it can be
       generated via audit2allow(1).  In the  second  case,  a  constraint  is
       being  violated;  see  policy/constraints or policy/mls to identify the
       particular constraint.  Typically, this can be  resolved  by  adding  a
       type attribute to the domain.  In the third case, a role transition was
       attempted but no allow rule existed for the role  pair.   This  can  be
       resolved by adding an allow rule for the role pair to the policy.


       $ /usr/sbin/audit2why < /var/log/audit/audit.log

       type=KERNEL msg=audit(1115316408.926:336418): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
               Was caused by:
                       Missing or disabled TE allow rule.
                       Allow rules may exist but be disabled by boolean settings; check boolean settings.
                       You can see the necessary allow rules by running audit2allow with this audit message as input.

       type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
               Was caused by:
                       Constraint violation.
                       Check policy/constraints.
                       Typically, you just need to add a type attribute to the domain to satisfy the constraint.


       This   manual  page  was  written  by  Dan  Walsh  <>,
       audit2why utility was written by Stephen Smalley <>.