Description

Common SELinux troubleshooting techniques, commands and syntax.

Requirements

  1. Root or appropriate sudo access to the system in question.
  2. Some spare time to read and experiment.

Doing the Work

  1. Common SELinux related commands in alphabetical order:
    ausearch – SELinux audit log search tool.
    audit2allow – Generate SELinux policy allow rules from logs of denied operations.
    audit2why – Determine which component of your policy caused a denial.
    chcon – Tool for changing the SELinux context of files and directories.
    fixfiles – Fixfiles is a shell script that wraps setfiles and restorecon.
    getenforce – Tool for getting the SELinux enforcement state.
    getsebool – Tool for getting SELinux boolean values.
    matchpathcon – A simple tool that takes files/directories and prints their default security context.
    restorecon – Tool for reverting files back to the default labels.
    semanage – Tool for managing SELinux policy mappings.
    semodule – Tool for manipulating SELinux modules.
    sestatus – Tool for retrieving the current SELinux status.
    setenforce – Tool for setting the SELinux enforcement state.
    setsebool – Tool for setting/toggling SELinux booleans.
    setroubleshoot – GUI troubleshooting tool / daemon.
    system-config-securitylevel-tui – Rudimentary tool for enabling/disabling/configuring SELinux and iptables.

  2. Common SELinux problems and solutions:

    Allow httpd to listen on an additional port:
    semanage port -a -t http_port_t -p tcp 8081

    Check that the port is added:
    semanage port -l | grep 8081

    Fix httpd proxy connection errors (for a list of other SELinux booleans run getsebool -a):
    setsebool -P httpd_can_network_connect true

    Filesystem relabel (requires a reboot):
    fixfiles -f -F relabel
    or:
    fixfiles onboot; reboot

    List currently installed SELinux modules:
    semodule -l

    Relabel or change SELinux file contexts:
    chcon -t httpd_sys_content_t -R /home/$foo
    Note: Apache httpd files are served from /var/www/ on CentOS for security reasons.

    Search for recent SELinux AVC denials:
    ausearch -m avc -ts recent
    ausearch -m avc -ts today

    Determine why SELinux has denied an event:
    ausearch -m avc -ts today | audit2why

    View SELinux file contexts on a given directory and the files within it:
    ls -Z
    (You can also use getfattr, but you need to specify -n security.selinux.)
    getfattr -n security.selinux /tmp/$foo

    Reset SELinux to its initial state:
    yum remove selinux-policy
    rm -rf /etc/selinux
    yum install selinux-policy-targeted
    fixfiles -f -F relabel
    reboot

    Hand edit the SELinux mode and policy type (takes effect after a reboot):
    vi /etc/selinux/config

  3. Check the current state of SELinux on your system:
    sestatus
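As an added example (not part of this CentOS help page), the following POSIX shell helpers work on the output of two of the commands above: summarize_avc condenses `ausearch -m avc` records into one line per denial (process, denied permission, source type, target type, object class), and port_owner / semanage_port_cmd read `semanage port -l` output to decide whether a port needs `semanage port -a` (port not yet defined) or `semanage port -m` (port already labelled with another type, where `-a` fails with "already defined"). The audit records and port list embedded below are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original CentOS help page.
#   summarize_avc      - one line per AVC denial from `ausearch -m avc` output
#   port_owner         - which SELinux port type already covers a proto/port
#   semanage_port_cmd  - choose `semanage port -a` vs `semanage port -m`

# Constructed sample of two AVC records in audit.log format (values made up).
SAMPLE_AVC='type=AVC msg=audit(1449700000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1449700001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Constructed sample in the layout of `semanage port -l` (a small subset only).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# summarize_avc: read AVC records on stdin and print, per denial:
#   <comm> <permission> <source type> <target type> <class>
summarize_avc() {
  awk '
    /avc: +denied/ {
      comm = ""; perm = ""; st = ""; tt = ""; cls = ""
      # the denied permission set sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
        if (kv[1] == "tclass")   { cls = kv[2] }
      }
      printf "%s %s %s %s %s\n", comm, perm, st, tt, cls
    }'
}

# port_owner PROTO PORT: read `semanage port -l` output on stdin and print the
# type whose list contains PORT (as a single number or inside a lo-hi range);
# print nothing if the port is not defined for that protocol.
port_owner() {
  awk -v proto="$1" -v port="$2" '
    BEGIN { port += 0 }
    NR > 1 && $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; gsub(/,/, "", p)
        n = split(p, r, "-")
        lo = r[1] + 0
        hi = (n == 2) ? r[2] + 0 : lo
        if (port >= lo && port <= hi) { print $1; exit }
      }
    }'
}

# semanage_port_cmd TYPE PROTO PORT: print the semanage command that labels
# PROTO/PORT as TYPE. `semanage port -a` refuses a port that is already
# defined, so an already labelled port needs `-m` instead.
semanage_port_cmd() {
  owner=$(port_owner "$2" "$3")
  if [ -z "$owner" ]; then
    echo "semanage port -a -t $1 -p $2 $3"
  elif [ "$owner" = "$1" ]; then
    echo "# $2/$3 is already labelled $1; nothing to do"
  else
    echo "semanage port -m -t $1 -p $2 $3"
  fi
}

# Usage against the constructed samples. On a live system pipe in the real
# tool output instead, e.g.  ausearch -m avc -ts today | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_PORTS" | semanage_port_cmd http_port_t tcp 8081
printf '%s\n' "$SAMPLE_PORTS" | semanage_port_cmd http_port_t tcp 8080
```

The summary lines are what you would then hand to audit2why or compare against the contexts shown by ls -Z: in the constructed sample the second denial shows httpd_t reading a user_home_t file, which is exactly the case the chcon command above resolves.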

Troubleshooting / How To Test

  1. Check which SELinux related rpms you have installed:
    rpm -q checkpolicy libselinux libselinux-python libselinux-utils libsemanage libsepol mcstrans policycoreutils policycoreutils-gui selinux-policy selinux-policy-minimum selinux-policy-mls selinux-policy-strict selinux-policy-targeted setroubleshoot setroubleshoot-server setroubleshoot-plugins setools setools-gui

  2. Install and configure setroubleshoot to help you isolate and fix SELinux AVC denials:
    yum install setroubleshoot*
    chkconfig --level 2345 setroubleshoot on

Common Problems & Fixes

More Information

Disclaimer

We test this stuff on our own machines, really we do. But you may run into problems; if you do, come to #centoshelp on irc.freenode.net.

Added Reading

Last Modified: 9 Dec, 2015 at 22:59:49