avc_audit - Linux


avc_audit is a Linux command used to query and manipulate SELinux security policy audit settings. It provides detailed information about the current audit configuration, allowing administrators to fine-tune audit logging and monitoring.


avc_audit [options] <command> [arguments]


  • -a, –audit: View current audit settings.
  • -p, –policy: Specify the SELinux policy to query.
  • -c, –config: Load a new SELinux policy configuration.
  • -t, –type: Filter audit messages by message type.
  • -e, –event: Filter audit messages by event type.
  • -V, –version: Display the version information.
  • -h, –help: Print usage help.


View current audit settings:

avc_audit -a

Filter audit messages by type:

avc_audit -t login

Apply new SELinux policy configuration:

avc_audit -c /path/to/new_policy.conf

Common Issues

  • Access denied: Make sure you have sufficient privileges to run avc_audit.
  • Invalid policy: Verify that the specified policy file is a valid SELinux policy configuration.
  • No matching audits: Ensure that the filters specified match the audit messages you want to retrieve.


avc_audit can be combined with other SELinux commands to manage security configurations. For example:

audit2allow -m avc_audit

This command generates SELinux policy modifications based on audit messages from avc_audit.

Related Commands

  • ausearch: Search audit messages.
  • ausearch-parse: Parse audit messages.
  • seaudit: Control SELinux audits.