This article explains the steps to set up the SELinux security context for a new auditd log destination on Oracle Linux, RHEL and CentOS. With SELinux in Enforcing mode, auditd (which runs in the confined auditd_t domain) can only write its log into a directory labeled auditd_log_t, so moving the log without relabeling the new directory leaves auditd unable to open it.
- Check the status of SELinux
# getenforce
Enforcing
- Check the security context of the default audit destination:
# ll -lZd /var/log/audit/
drwx------. root root system_u:object_r:auditd_log_t:s0 /var/log/audit/
# ll -lZ /var/log/audit/
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
- Create the new destination directory (here /audit) and check its context. A directory created directly under / picks up the catch-all type default_t, which auditd_t is not allowed to write to:
# ll -Zd /audit/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /audit/
- Check the current auditd log destination:
# grep '/audit' /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
- Point auditd at the new destination by editing /etc/audit/auditd.conf (the change takes effect only when auditd is restarted; do not restart before the directory has been relabeled in the next step, or auditd will be denied access to /audit in Enforcing mode):
log_file = /audit/audit.log
- Set the auditd_log_t context on the new destination. Register a file-context rule with semanage first so the label is persistent and survives a relabel, then apply it with restorecon. The rule should cover the directory and everything under it; a rule for the bare path /audit labels only the directory itself, and a later full relabel would reset /audit/audit.log to default_t:
# semanage fcontext -a -t auditd_log_t "/audit(/.*)?"
# restorecon -Rv /audit/
- Check the updated SELinux context. restorecon changes only the type field, so the directory keeps its unconfined_u user, which does not affect access. After auditd is restarted (use service auditd restart; on RHEL 7 systemctl refuses a manual restart of auditd), the audit.log it creates inherits auditd_log_t from the directory. Note that /audit is still mode 0755; tightening it to 0700 to match /var/log/audit keeps the log directory unreadable to other users:
# ll -Zd /audit
drwxr-xr-x. root root unconfined_u:object_r:auditd_log_t:s0 /audit/
# ll -Z /audit/
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
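The whole procedure above as one script, as an added example that is not part of the original article. It also includes an offline check that parses ls -Z output and reports any entry not labeled auditd_log_t, run here over constructed sample listings. It assumes a RHEL/CentOS/Oracle Linux host with semanage and restorecon (policycoreutils) installed; NEW_DIR=/audit is the article's path, and the script name relabel-audit.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): the relabeling procedure as a
# script, plus an offline check of "ls -Z" output. Assumes RHEL/CentOS/Oracle
# Linux with policycoreutils' semanage/restorecon installed. NEW_DIR=/audit is
# the article's path; any other value is an assumption.
set -u

NEW_DIR=${NEW_DIR:-/audit}
AUDIT_TYPE=auditd_log_t
AUDITD_CONF=/etc/audit/auditd.conf

# fcontext regex covering the directory and everything created under it.
# A bare "/audit" rule labels only the directory; a later relabel would reset
# /audit/audit.log to the catch-all default_t.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Print the SELinux type (third field of user:role:type:level) from one line
# of "ls -Z" output; print nothing for lines without a context ("total 4").
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+_u:[A-Za-z0-9_]+_r:[A-Za-z0-9_]+_t:/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Read "ls -Z" output on stdin, report every entry whose type is not $1 on
# stderr, and return 1 if any mislabeled entry was seen.
verify_listing() {
    expected=$1
    bad=0
    while IFS= read -r line; do
        t=$(context_type "$line")
        [ -z "$t" ] && continue
        if [ "$t" != "$expected" ]; then
            printf 'MISLABELED (%s): %s\n' "$t" "$line" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample listings: the new directory before and after relabeling.
SAMPLE_BEFORE='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /audit/
-rw-------. root root unconfined_u:object_r:default_t:s0 audit.log'
SAMPLE_AFTER='drwx------. root root unconfined_u:object_r:auditd_log_t:s0 /audit/
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log'

# The real change. Label first, switch the config second, restart last: in
# Enforcing mode auditd cannot open a log under default_t.
apply_relabel() {
    mkdir -p "$NEW_DIR"
    chmod 0700 "$NEW_DIR"                         # same mode as /var/log/audit
    pattern=$(fcontext_pattern "$NEW_DIR")
    semanage fcontext -a -t "$AUDIT_TYPE" "$pattern" \
        || semanage fcontext -m -t "$AUDIT_TYPE" "$pattern"   # rule already present
    restorecon -Rv "$NEW_DIR"
    sed -i "s|^log_file *=.*|log_file = $NEW_DIR/audit.log|" "$AUDITD_CONF"
    service auditd restart        # systemctl refuses a manual restart of auditd on RHEL 7
    { ls -Zd "$NEW_DIR"; ls -Z "$NEW_DIR"; } | verify_listing "$AUDIT_TYPE"
}

# Run the procedure only when explicitly asked: sh relabel-audit.sh apply
if [ "${1:-}" = "apply" ]; then
    [ "$(getenforce)" = "Enforcing" ] || echo "note: SELinux is not Enforcing" >&2
    apply_relabel
fi
```

Sourcing the script without the apply argument only defines the functions, so the parsing check can be exercised against the sample listings (or against real ls -Z output piped into verify_listing) without touching the system; running it with apply performs the relabel, config edit and restart in the safe order and ends with the verification of the live directory.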
Conclusion:
The auditd log file can be moved to a new destination while SELinux stays in Enforcing mode, provided the new directory is labeled auditd_log_t (with a persistent semanage rule and restorecon) before auditd is restarted with the new log_file setting.