SELINUX: Diagnose and address routine SELinux policy violations.


Note: This is an RHCSA 7 exam objective.


In RHEL 7, packages don’t ship their own SELinux policy. The SELinux policy is stored in one and only one package, selinux-policy-targeted.

When a policy has been written for a given process and SELinux is in Permissive or Enforcing mode, any action not allowed by the SELinux policy triggers a violation, which is logged as an AVC denial (in Permissive mode the action is logged but still allowed; in Enforcing mode it is also blocked).

The following procedure will give you some details about any SELinux policy violation.

Main Procedure

Install the setroubleshoot-server package:

# yum install -y setroubleshoot-server

Note: In fact, it’s the policycoreutils-python package that really contains the semanage command. However, I have always found the setroubleshoot-server package name easier to remember, and it brings in the policycoreutils-python package itself!

Display the SELinux policy violations:

# sealert -a /var/log/audit/audit.log

In addition, when an AVC (Access Vector Cache) event occurs, you can copy the associated line from the /var/log/audit/audit.log file and pipe it to the audit2why command to get a diagnosis.

For example, let’s assume you’ve got this line in your /var/log/audit/audit.log file:

type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 \
  comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
  tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Execute this command to get a diagnostic:

# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why

        Was caused by:
        One of the following booleans was set incorrectly.
        Allow httpd to act as a relay

        Allow access by executing:
        # setsebool -P httpd_can_network_relay 1
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1

This will make your investigation much easier!
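As an added example (not part of the original post), here is a small shell script that pulls the diagnostic fields out of AVC lines like the one above: the event id you grep for, and the permission, source type, target type and object class that sealert and audit2why reason about. The sample line is constructed from the nginx denial quoted earlier; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: extract the fields that matter
# when triaging AVC denials, and collapse a noisy audit.log into distinct ones.

# Constructed sample line, modelled on the nginx denial quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# Audit event id (timestamp:serial); grepping for it returns every record of
# that event, which is what the post feeds to audit2why.
avc_event_id() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9.]*:[0-9]*\)).*/\1/p'
}

# Print "<permissions> <source type> <target type> <class>" for one AVC line.
# The SELinux type is the third colon-separated field of a context
# (user:role:type:level); several denied permissions are joined with commas.
avc_fields() (
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p' | tr ' ' ',')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$stype" ] && [ -n "$ttype" ] || return 1
    printf '%s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass"
)

# Summarise a whole audit log: count identical (perms, source, target, class)
# tuples, most frequent first, so you know which denials to run sealert on.
avc_summary() {
    grep '^type=AVC' "$1" | while IFS= read -r line; do
        avc_fields "$line"
    done | sort | uniq -c | sort -rn
}

# Demonstration on the constructed sample.
echo "event id : $(avc_event_id "$SAMPLE_AVC")"
echo "fields   : $(avc_fields "$SAMPLE_AVC")"
echo "next step on a real system:"
echo "  grep $(avc_event_id "$SAMPLE_AVC") /var/log/audit/audit.log | audit2why"
```

Run avc_summary /var/log/audit/audit.log on a real host to see how many distinct denials are hiding behind a long log before looking at each one with sealert or audit2why.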

Additional Resources

Jens Depuydt’s blog provides a good article called SELinux in a practical way about this topic.
Sander van Vugt offers an interesting video about Fixing SELinux Issues (48min/2015).
In addition, Red Hat provides a video about Monitoring SELinux Violations (10min/2016).

Beyond the exam objectives, you could be interested in this post from Dan Walsh about SELinux Users and Roles.



2 Comments on "SELINUX: Diagnose and address routine SELinux policy violations."


Man THANK YOU SO MUCH for putting this all together
