Common SELinux troubleshooting techniques, commands and syntax.

Applicable to Centos Versions:

  • Centos 5.x
  • Centos 6.x

Requirements

Explanation of requirements.

  1. Root or appropriate sudo access to the system in question.
  2. Some spare time to read and experiment.

Doing the Work

Basic description of what will be done and what is expected.

  1. Common SELinux related commands in alphabetical order:
    2. ausearch - SELinux audit log search tool.
audit2allow -  Generate SELinux policy allow rules from logs of denied operations.
audit2why - Determine which component of your policy caused a denial.
chcon - Tool for changing the SELinux context of files and directories.
fixfiles - Fixfiles is a shell script that wraps setfiles and restorecon.
getenforce - Tool for getting the SELinux enforcement state.
getsebool - Tool for getting SELinux boolean values.
matchpathcon - This is a simple tool that takes files/directories and prints the default security context of the files.
restorecon - Tool for reverting files back to the default labels.
semanage - Tool for managing SELinux policy mappings.
semodule - Tool for manipulating SELinux modules.
sestatus - Tool for retrieving the current SELinux status.
setenforce - Tool for setting the SELinux enforcement state.
setsebool - Tool for setting/toggling SELinux booleans.
setroubleshoot - GUI troubleshooting tool / daemon.
system-config-securitylevel-tui - Rudimentary tool for enabling/disabling/configuring SELinux and IPtables.
  2. Common SELinux problems and solutions:
    3. Open special port:
semanage port -a -t http_port_t -p tcp 8081

Check that the port is added:
semanage port -l | grep 8081

Fix http proxy connect error: (for a list of other SELinux booleans see: getsebool)
setsebool -P httpd_can_network_connect true

Filesystem relabel: (requires reboot)
fixfiles -f -F relabel
or:
fixfiles onboot; reboot

List currently installed SELinux modules:
semodule -l

Relabel or change SELinux file contexts:
chcon -t httpd_sys_content_t -R /home/$foo
Note: Apache httpd files are served from /var/www/ on Centos for security reasons.

Search for recent SELinux AVC denials:
ausearch -m avc -ts recent
ausearch -m avc -ts today

Determine why SELinux has denied an event:
ausearch -m avc -ts today | audit2why

View SELinux file contexts on a given directory and the files within it:
ls -Z
(You can also use getfattr although, you need to specify -n security.selinux)
getfattr -n security.selinux /tmp/$foo

Reset SELinux to its initial state:
yum remove selinux-policy
rm -rf /etc/selinux
yum install selinux-policy-targeted
fixfiles -f -F relabel
reboot

Hand edit SELinux enforcement policy: (requires a reboot)
vi /etc/selinux/config
  3. Check the current state of SELinux on your system:
    4. sestatus

Troubleshooting / How To Test

Explanation troubleshooting basics and expectations.

  1. Check what SELinux related rpms you have installed:
    2. rpm -q checkpolicy libselinux libselinux-python libselinux-utils libsemanage libsepol mcstrans policycoreutils policycoreutils-gui selinux-policy selinux-policy-minimum selinux-policy-mls selinux-policy-strict selinux-policy-targeted setroubleshoot setroubleshoot-server setroubleshoot-plugins setools setools-gui
  2. Install and configure setroubleshoot to help you isolate and fix SELinux AVC denials:
    3. yum install setroubleshoot*
chkconfig --level 2345 setroubleshoot on

Common Problems & Fixes

Describe common problems here, include links to known common problems if on another site

Subscribe to CentOS Help RSS Feed

© 2012 CentosHelp.org