Note: This is an RHCSA 7 exam objective.
Introduction
In RHEL 7, packages don't ship their own SELinux policy: the whole policy is stored in one and only one package, selinux-policy-targeted.
When a policy has been written for a given process (the process is confined) and SELinux is in Permissive or Enforcing mode, any action not allowed by the policy triggers a violation, logged as an AVC denial in the audit log (and actually blocked when in Enforcing mode).
The following procedure will give you some details about any SELinux policy violation.
Main Procedure
Install the setroubleshoot-server package:
# yum install -y setroubleshoot-server
Note: In fact, it's the policycoreutils-python package that really contains the semanage command (and audit2why). However, I have always found the setroubleshoot-server package name, which brings in the policycoreutils-python package as a dependency, easier to remember!
Display the SELinux policy violations:
# sealert -a /var/log/audit/audit.log
In addition, when an AVC (Access Vector Cache) event occurs, you can grab the associated line logged in the /var/log/audit/audit.log file and pipe it to the audit2why command to get a diagnostic.
For example, let's assume you've got this line in your /var/log/audit/audit.log file (wrapped here for readability; it is a single line in the file):
type=AVC msg=audit(1415714880.156:29): avc: denied { name_connect } for pid=1349 \
comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
Execute this command to get a diagnostic:
# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why
Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to act as a relay
Allow access by executing:
# setsebool -P httpd_can_network_relay 1
Description:
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow access by executing:
# setsebool -P httpd_can_network_connect 1
This will make your investigation much easier!
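The grep in the step above works because every audit record that belongs to one event (the AVC record and its SYSCALL record) shares the same msg=audit(timestamp:serial) key. The following bash script, an added example that is not part of the original post, shows that correlation and the triage a practitioner does before reaching for audit2why: it extracts the event id, reduces each AVC record to the permission, source type, target type and object class, and counts denials by that tuple so the noisiest one surfaces first. The audit records are constructed sample data modelled on the line in the post, written to a temporary file in place of /var/log/audit/audit.log so the script runs offline; the function names are my own.

```bash
#!/usr/bin/env bash
# Triage SELinux AVC denials from an audit log (added example; audit2why
# and sealert then explain the denial that this script surfaces).

# Constructed sample audit records standing in for /var/log/audit/audit.log.
# The first two records belong to the same event (same timestamp:serial).
AUDIT_SAMPLE='type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415714880.156:29): arch=c000003e syscall=42 success=no exit=-13 ppid=1348 pid=1349 comm="nginx" exe="/usr/sbin/nginx" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1415714881.001:30): avc:  denied  { read } for  pid=1349 comm="nginx" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1415714882.500:31): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

AUDIT_FILE=$(mktemp)
trap 'rm -f "$AUDIT_FILE"' EXIT
printf '%s\n' "$AUDIT_SAMPLE" > "$AUDIT_FILE"

# Extract the audit event id (timestamp:serial) from one record. All records
# of the same event carry this id, which is what the post's grep relies on.
avc_event_id() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9.]*:[0-9]*\)).*/\1/p'
}

# Print every record belonging to an event id, i.e. the exact input the post
# pipes into audit2why (usage: avc_event_records FILE ID).
avc_event_records() {
    grep -F "msg=audit($2):" "$1"
}

# Reduce an AVC record to "permission source_type target_type class".
# Only the type field (third colon-separated element) of each context is
# kept, since that is what the policy rules are written in terms of.
avc_fields() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ {
            perm = ""; src = ""; tgt = ""; cls = ""
            if (match($0, /[{] *[a-z_]+ *[}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                gsub(/[{} ]/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                else if (kv[1] == "tclass")   cls = kv[2]
            }
            print perm, src, tgt, cls
        }'
}

# Count denials per (permission, source type, target type, class), most
# frequent first. Denials that differ only in the SELinux user or role of
# the context (unconfined_u vs system_u) are grouped together.
avc_summary() {
    grep '^type=AVC' "$1" | while IFS= read -r line; do
        avc_fields "$line"
    done | sort | uniq -c | sort -rn
}

# Stand-alone run: show the summary, then the records of the top event.
avc_summary "$AUDIT_FILE"
first_avc=$(grep -m1 '^type=AVC' "$AUDIT_FILE")
avc_event_records "$AUDIT_FILE" "$(avc_event_id "$first_avc")"
```

On a real system, replace the temporary file with /var/log/audit/audit.log and pipe the output of avc_event_records into audit2why; the summary tells you which denial to explain first.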
Additional Resources
Jens Depuydt’s blog provides a good article called SELinux in a practical way about this topic.
Sander van Vugt offers an interesting video about Fixing SELinux Issues (48min/2015).
In addition, Red Hat provides a video about Monitoring SELinux Violations (10min/2016).
During DevConf.cz 2016, a presentation was given about the Big SELinux Troubleshooting Chart (95min/2016; the slides are also available as a PDF).
Beyond the exam objectives, you could be interested in this post from Dan Walsh about SELinux Users and Roles.
The mgrepl website also provides very interesting articles about SELinux security policy.

Man THANK YOU SO MUCH for putting this all together
Thanks.
On a CentOS 7.3 GUI install, I get sealert messages in /var/log/messages as well as the raw AVC lines in audit.log. However, on a RHEL 7.3 minimal install, which has auditd and rsyslog enabled by default, I only get AVC lines in audit.log – nothing about SELinux denials in /var/log/messages. Any idea why? Is there something that I just need to turn on?

I do like the sealert messages. I know you can get them (but all at once – not pretty!) with sealert -a audit.log. To get the logging to /var/log/messages with a human-friendlier form of time displayed with them, you just have to do: yum install -y setroubleshoot-server && reboot. For whatever reason, a reboot is mandatory. I suspect it's because the auditd service can't be restarted on a running system – a bit Windowsy. Restarting the rsyslog service doesn't seem to help. Then it's neat to do tail -f /var/log/messages | grep sealert to view simple, live alerts, as they come in.