Introduction

SELinux or Security Enhanced Linux is a set of access controls developed by the NSA (National Security Administration) of the United States. It’s aim is to provide more fine-grained control over what applications and users are allowed to access on the system and how they are allowed to access it.

Description

Common SELinux troubleshooting techniques, commands and syntax.

Requirements

Explanation of requirements.

  1. Root or appropriate sudo access to the system in question, preferably a sandbox system.
  2. Some spare time to read and experiment.

Command Overview

Common SELinux related commands in alphabetical order:

ausearch – SELinux audit log search tool.
audit2allow – Generate SELinux policy allow rules from logs of denied operations.
audit2why – Determine which component of your policy caused a denial.
chcon – Tool for changing the SELinux context of files and directories.
fixfiles – Fixfiles is a shell script that wraps setfiles and restorecon.
getenforce – Tool for getting the SELinux enforcement state.
getsebool – Tool for getting SELinux boolean values.
matchpathcon – This is a simple tool that takes files/directories and prints the default security context of the files.
restorecon – Tool for reverting files back to the default labels.
semanage – Tool for managing SELinux policy mappings.
semodule – Tool for manipulating SELinux modules.
sestatus – Tool for retrieving the current SELinux status.
setenforce – Tool for setting the SELinux enforcement state.
setsebool – Tool for setting/toggling SELinux booleans.
setroubleshoot – GUI troubleshooting tool / daemon.
system-config-securitylevel-tui – Rudimentary tool for enabling/disabling/configuring SELinux and IPtables.

Common SELinux problems and solutions

  • Check the current status/state of SELinux on your system:
  • sestatus

  • Open special port:
  • semanage port -a -t http_port_t -p tcp 8081

  • Check that the port is added:
  • semanage port -l | grep 8081

  • Fix http proxy connect error: (for a list of other SELinux booleans see: getsebool)
  • setsebool -P httpd_can_network_connect true «- a value of ‘1’ / ‘0’ or ‘true’ / ‘false’ will work here

  • Fix database connect error: ‘Could not connect to the MySQL server: Can’t connect to MySQL server on ‘myserver.amazonaws.com’ (13)’
  • setsebool -P httpd_can_network_connect_db 1 «- a value of ‘1’ / ‘0’ or ‘true’ / ‘false’ will work here

  • Filesystem relabel: (requires reboot)
  • fixfiles -f -F relabel or: fixfiles onboot; reboot

  • List currently installed SELinux modules:
  • semodule -l

  • Relabel or change SELinux file contexts:
  • chcon -t httpd_sys_content_t -R /var/www
    chcon -t httpd_sys_content_t -R /home/john
    Note: Apache httpd files are served from /var/www/ on Centos for security reasons.

  • Search for recent SELinux AVC denials:
  • ausearch -m avc -ts recent
    ausearch -m avc -ts today

  • Determine why SELinux has denied an event:
  • ausearch -m avc -ts today | audit2why

  • View SELinux file contexts on a given directory and the files within it:
  • (You can also use getfattr although, you need to specify -n security.selinux)
    ls -Z
    getfattr -n security.selinux /var/www

  • Reset SELinux to its initial state:
    1. yum remove selinux-policy
    2. rm -rf /etc/selinux
    3. yum install selinux-policy-targeted
    4. fixfiles -f -F relabel
    5. reboot
  • Hand edit SELinux enforcement policy: (requires a reboot)
  • vi /etc/selinux/config

    Troubleshooting / How To Test

    Explanation troubleshooting basics and expectations.

    1. Check what SELinux related rpms you have installed:

    2. Output:

    3. Install and configure setroubleshoot to help you isolate and fix SELinux AVC denials:
    4. yum install setroubleshoot*
      chkconfig --level 2345 setroubleshoot on

    5. Use ausearch to locate denials and make policies.
    6. ausearch -m avc -ts recent
      ausearch -m avc -ts today

    Common Problems & Fixes

    Added Reading
Last Modified: 29 Jan, 2016 at 15:21:32