SELINUX: Diagnose and address routine SELinux policy violations.


Note: This is an RHCSA 7 exam objective.

Main Procedure

Install the setroubleshoot-server package:

# yum install -y setroubleshoot-server

Note: Strictly speaking, the semanage command is provided by the policycoreutils-python package. However, I have always found the setroubleshoot-server package name easier to remember, and installing it pulls in policycoreutils-python as a dependency!

Display the SELinux policy violations:

# sealert -a /var/log/audit/audit.log

In addition, when an AVC (Access Vector Cache) denial is logged, you can take the corresponding line from the /var/log/audit/audit.log file and pipe it into the audit2why command to get a diagnosis.

For example, let’s assume you’ve got this line in your /var/log/audit/audit.log file:

type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 \
  comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
  tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Execute this command to get a diagnostic:

# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow httpd to act as a relay

        Allow access by executing:
        # setsebool -P httpd_can_network_relay 1
        Description:
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1

This will make your investigation much easier!
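As an added example (not part of the original article), here is a small shell script that pulls the triage fields out of raw AVC records like the one above before you hand the event to audit2why. The sample record is constructed to match the article's, and scan_avc_denials keeps only AVC denials, skipping SYSCALL records and any "avc: granted" records produced by auditallow rules.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article): extract the fields that
# matter for triage from raw AVC records, then feed the event to audit2why.

# Constructed sample record, same shape as the one in the article.
SAMPLE_AVC='type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: value of a space-delimited key=value pair, quotes stripped
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_event_id RECORD: the "timestamp:serial" inside msg=audit(...); this is
# the key the article greps for to collect every record of the event
avc_event_id() {
  printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p'
}

# avc_permissions RECORD: the permission set between the braces, e.g. name_connect
avc_permissions() {
  printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_type CONTEXT: the type (third field) of a user:role:type:level context
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line with what you need to judge the denial:
# which process (source type) was denied which permission on which target
avc_summary() {
  printf 'event=%s perm=%s comm=%s pid=%s source=%s target=%s class=%s\n' \
    "$(avc_event_id "$1")" "$(avc_permissions "$1")" \
    "$(avc_field "$1" comm)" "$(avc_field "$1" pid)" \
    "$(avc_type "$(avc_field "$1" scontext)")" \
    "$(avc_type "$(avc_field "$1" tcontext)")" \
    "$(avc_field "$1" tclass)"
}

# scan_avc_denials: read audit records on stdin, summarise only AVC denials
scan_avc_denials() {
  while IFS= read -r line; do
    case $line in
      type=AVC*avc:*denied*) avc_summary "$line" ;;
    esac
  done
}

# Stand-alone run: summarise the sample, then print the article's audit2why pipeline
printf '%s\n' "$SAMPLE_AVC" | scan_avc_denials
printf 'grep %s /var/log/audit/audit.log | audit2why\n' "$(avc_event_id "$SAMPLE_AVC")"
```

Running it against a real log is `scan_avc_denials < /var/log/audit/audit.log`; a denial whose source type, target type and class look legitimate is a candidate for the boolean or port change audit2why proposes, while an unexpected source type deserves a closer look before anything is allowed.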

Additional Resources

Jens Depuydt’s blog provides a good article called SELinux in a practical way about this topic.
Sander van Vugt offers an interesting video about Fixing SELinux Issues (48min/2015).
In addition, Red Hat provides a video about Monitoring SELinux Violations (10min/2016).


2 Comments on "SELINUX: Diagnose and address routine SELinux policy violations."

leme

Man THANK YOU SO MUCH for putting this all together
