SELinux auditing reports

Here are a few simple commands for checking whether SELinux is blocking something on your server. To display a list of all AVC events, followed by a summary of events per executable, run these commands:

$ sudo aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
186. 12/26/2018 21:59:36 httpd system_u:system_r:httpd_t:s0 42 tcp_socket name_connect system_u:object_r:mysqld_port_t:s0 denied 6495

$ sudo aureport -x --summary

Executable Summary Report
=================================
total  file
=================================
4080  /usr/sbin/crond
1723  /usr/bin/sudo
1690  /usr/sbin/sshd
368  /usr/sbin/xtables-multi
299  /usr/lib/systemd/systemd
210  /usr/sbin/httpd
172  /usr/bin/python2.7
42  /usr/sbin/ebtables-restore
42  /usr/bin/su
40  /usr/bin/kmod
20  /usr/sbin/groupadd
13  /usr/sbin/tcpdump
11  /usr/sbin/useradd
7  /usr/lib/systemd/systemd-update-utmp
6  /usr/sbin/load_policy

If you'd like additional information on a specific daemon entry, you can run the command below, passing the event number as a parameter. The event number is the last field on each line of the aureport -a output above (6495 in that example).

$ sudo ausearch -a XXXX

This will verbosely display every aspect of the daemon event. I won't post an example here right now because I'm too lazy to sanitize it. :)
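
On a busy server the aureport -a listing gets long, so it helps to collapse repeated denials before picking an event number to look up. The following is an added example, not part of the original post: the function name summarize_denials and the sample rows other than row 186 are assumptions, and it assumes the column layout shown in the AVC Report header above.

```shell
#!/bin/sh
# Added example (not from the original post): group the denials in
# `aureport -a` output by command, source type, class, permission, target type.
# Output columns (tab separated):
#   count  comm  source_type  class  permission  target_type  last_event_id
summarize_denials() {
    awk '
    # Return the type field of an SELinux context (user:role:type:level).
    function setype(ctx,    p) { return (split(ctx, p, ":") >= 3) ? p[3] : ctx }

    # Data rows start with an index such as "186."; headers and rulers do not.
    $1 ~ /^[0-9]+\.$/ && NF >= 11 {
        if ($(NF-1) != "denied") next
        # Count fields from the right so a comm with spaces cannot shift them.
        comm = $4
        for (i = 5; i <= NF - 7; i++) comm = comm " " $i
        key = comm "\t" setype($(NF-6)) "\t" $(NF-4) "\t" $(NF-3) "\t" setype($(NF-2))
        count[key]++
        last[key] = $NF   # later rows overwrite, keeping the last event id seen
    }
    END { for (k in count) printf "%d\t%s\t%s\n", count[k], k, last[k] }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample in the layout shown above. Row 186 is the line from the
# post; the other rows and their event numbers are made up for illustration.
sample_report() {
    cat <<'EOF'
AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
186. 12/26/2018 21:59:36 httpd system_u:system_r:httpd_t:s0 42 tcp_socket name_connect system_u:object_r:mysqld_port_t:s0 denied 6495
187. 12/26/2018 22:01:02 httpd system_u:system_r:httpd_t:s0 42 tcp_socket name_connect system_u:object_r:mysqld_port_t:s0 denied 6502
188. 12/26/2018 22:03:10 httpd system_u:system_r:httpd_t:s0 2 file read unconfined_u:object_r:user_home_t:s0 denied 6510
189. 12/26/2018 22:04:00 load_policy system_u:system_r:load_policy_t:s0 1 security load_policy system_u:object_r:security_t:s0 granted 6511
EOF
}

# On a real host: sudo aureport -a | summarize_denials
sample_report | summarize_denials
```

The last column of each output line is an event number you can pass to ausearch -a for the full record.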