SELINUX: Diagnose and address routine SELinux policy violations.


Note: This is an RHCSA 7 exam objective.

Introduction

In RHEL 7, packages don't ship their own SELinux policy: the whole policy comes from one and only one package, selinux-policy-targeted.

When a policy has been written for a given process (the process runs confined) and SELinux is in Permissive or Enforcing mode, any action not allowed by the SELinux policy triggers a violation, logged as an AVC denial in /var/log/audit/audit.log; in Enforcing mode the action is also blocked, in Permissive mode it is only logged.

The following procedure will give you some details about any SELinux policy violation.

Main Procedure

Install the setroubleshoot-server package:

# yum install -y setroubleshoot-server

Note: In fact, it's the policycoreutils-python package that really contains the semanage command. However, I have always found the setroubleshoot-server package name, which pulls in the policycoreutils-python package as a dependency, easier to remember!

Display the SELinux policy violations:

# sealert -a /var/log/audit/audit.log

In addition, when an AVC (Access Vector Cache) denial occurs, you can take the corresponding line from the /var/log/audit/audit.log file and pipe it to the audit2why command to get a diagnostic.

For example, let’s assume you’ve got this line in your /var/log/audit/audit.log file:

type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 \
  comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
  tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Execute this command to get a diagnostic:

# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow httpd to act as a relay

        Allow access by executing:
        # setsebool -P httpd_can_network_relay 1
        Description:
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1

This will make your investigation much easier!
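As an added example (not code from the original post), here is a small Python parser for the AVC records in audit.log. It extracts the audit id (the timestamp:serial pair you grep for before piping to audit2why), the source and target types, the object class and the denied permissions, and counts the denials per (source type, target type, class, permission) tuple so that repeated denials stand out. The sample log is constructed for this example: the first record is the nginx denial shown above (joined onto one line, as it is in the real file), the other records are made up.

```python
import re
from collections import Counter

# Constructed sample excerpt of /var/log/audit/audit.log (not a real capture).
# Record 29 is the nginx denial from the article; 30 and 31 are invented here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415714880.156:29): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1415714881.001:30): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1415714882.500:31): avc:  denied  { read } for  pid=1402 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Fixed prefix of an AVC record: type, audit(timestamp:serial), result, { permissions }
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="nginx") or bare (pid=1349)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line; return a dict for an AVC record, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "audit_id": f"{m.group('ts')}:{m.group('serial')}",
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context label is user:role:type:level; the type is what policy rules are written on.
    for side in ("scontext", "tcontext"):
        if side in rec:
            parts = rec[side].split(":")
            rec[side + "_type"] = parts[2] if len(parts) > 2 else rec[side]
    return rec


def parse_audit_log(text):
    """Return all AVC records found in the given audit.log text, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def audit_ids(records):
    """The timestamp:serial keys, i.e. what to grep for before piping to audit2why."""
    return [r["audit_id"] for r in records]


def summarize_denials(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["scontext_type"], r["tcontext_type"], r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize_denials(recs).most_common():
        src, tgt, tclass, perm = key
        print(f"{n:3d}  {src} -> {tgt} ({tclass}) {perm}")
    print("audit ids:", ", ".join(audit_ids(recs)))
```

To use it on a real system, read /var/log/audit/audit.log (root only) instead of the sample string; the summary tells you which denial is worth investigating first, and the audit id gives you the grep argument for audit2why exactly as in the procedure above.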

Additional Resources

Jens Depuydt’s blog provides a good article called SELinux in a practical way about this topic.
Sander van Vugt offers an interesting video about Fixing SELinux Issues (48min/2015).
In addition, Red Hat provides a video about Monitoring SELinux Violations (10min/2016).
During the 2016 DevConf.cz a presentation was given about the Big SElinux Troubleshooting Chart (95min/2016) (pdf here).

Beyond the exam objectives, you could be interested in this post from Dan Walsh about SELinux Users and Roles.



5 Comments on "SELINUX: Diagnose and address routine SELinux policy violations."

leme (Guest):

Man THANK YOU SO MUCH for putting this all together

hallo (Member):

On a CentOS 7.3 GUI install, I get sealert messages in /var/log/messages as well as the raw AVC lines in audit.log.

However, on a RHEL 7.3 minimal install, which has auditd and rsyslog enabled by default, I only get AVC lines in audit.log – nothing about SELinux denials in /var/log/messages

Any idea why? Is there something that I just need to turn on?
I do like the sealert messages. I know you can get them (but all at once – not pretty!) with sealert -a audit.log

hallo (Member):

To get the logging to /var/log/messages, with a human-friendlier form of time displayed with them, you just have to do:
yum install -y setroubleshoot-server && reboot
For whatever reason, a reboot is mandatory. I suspect it’s because the auditd service can’t be restarted on a running system – a bit Windowsy. Restarting the rsyslog service doesn’t seem to help.
Then it’s neat to do tail -f /var/log/messages | grep sealert to view simple, live alerts, as they come in.
