SELINUX: Diagnose and address routine SELinux policy violations.


Note: This is an RHCSA 7 exam objective.

Introduction

In RHEL 7, packages don’t ship their own SELinux policy. The whole SELinux policy is stored in one and only one package, called selinux-policy-targeted.

When a policy has been written for a given process and SELinux is in Permissive or Enforcing mode, any action not allowed by the SELinux policy will trigger a violation.

The following procedure shows how to get details about any SELinux policy violation.

Main Procedure

Install the setroubleshoot-server package:

# yum install -y setroubleshoot-server

Note: In fact, it’s the policycoreutils-python package that really contains the semanage command. However, I have always found the setroubleshoot-server package name, which pulls in the policycoreutils-python package as a dependency, easier to remember!

Display the SELinux policy violations:

# sealert -a /var/log/audit/audit.log

In addition, when an AVC (Access Vector Cache) denial occurs, you can grab the corresponding line from the /var/log/audit/audit.log file and pipe it into the audit2why command to get a diagnosis.

For example, let’s assume you’ve got this line in your /var/log/audit/audit.log file (shown here wrapped with backslashes; in the file it is a single line):

type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 \
  comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
  tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Execute this command to get a diagnostic:

# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow httpd to act as a relay

        Allow access by executing:
        # setsebool -P httpd_can_network_relay 1
        Description:
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1

This will make your investigation much easier!
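When you need to triage many AVC records at once rather than one line at a time, it helps to parse them into their fields (source type, target type, object class, denied permissions) and group identical denials together. The following Python script is an added example, not part of the original article; it parses AVC records from audit.log text, summarises the denials, and prints the grep | audit2why command from the procedure above for each event. The sample log is constructed: the first AVC line is the nginx example from the article, the other records are made up for illustration.

```python
"""Parse AVC denial records from a Linux audit log and summarise them for triage."""
import re
from collections import Counter

# Constructed sample audit.log content. The SYSCALL record and the last two AVC
# records are made up; the first AVC record is the nginx example from the article.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1415714880.156:29): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1415714900.412:31): avc:  denied  { read } for  pid=1350 comm="nginx" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1415714901.000:32): avc:  granted  { setenforce } for  pid=1400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AUDIT_LOG_PATH = "/var/log/audit/audit.log"

# Header of an AVC record: timestamp, serial number, result and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs that follow "for"; values may be quoted (comm="nginx").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    if not context:
        return None
    return context.split(":")[2]


def parse_avc_records(text):
    """Return one dict per AVC record; other record types (SYSCALL, PATH, ...) are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        rec = {
            "ts": m.group("ts"),
            "serial": m.group("serial"),
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "pid": fields.get("pid"),
            "comm": fields.get("comm"),
            "scontext": fields.get("scontext"),
            "tcontext": fields.get("tcontext"),
            "tclass": fields.get("tclass"),
        }
        rec["stype"] = context_type(rec["scontext"])
        rec["ttype"] = context_type(rec["tcontext"])
        records.append(rec)
    return records


def grep_key(rec):
    """The audit event id (timestamp:serial) used to grep all records of one event."""
    return f"{rec['ts']}:{rec['serial']}"


def audit2why_command(rec):
    """The diagnostic command from the procedure, for this record's event."""
    return f"grep {grep_key(rec)} {AUDIT_LOG_PATH} | audit2why"


def summarise_denials(records):
    """Count denials by (source type, target type, class, permissions)."""
    return Counter(
        (r["stype"], r["ttype"], r["tclass"], " ".join(r["perms"]))
        for r in records
        if r["result"] == "denied"
    )


def report_lines(records):
    """Human-readable triage summary, one line per distinct denial plus the commands to run."""
    lines = []
    for (stype, ttype, tclass, perms), n in summarise_denials(records).most_common():
        lines.append(f"{n} x {stype} -> {ttype} ({tclass}) {perms}")
    for r in records:
        if r["result"] == "denied":
            lines.append(f"  {r['comm']} pid={r['pid']}: {audit2why_command(r)}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_LOG with open(AUDIT_LOG_PATH).read() on a real system.
    for line in report_lines(parse_avc_records(SAMPLE_AUDIT_LOG)):
        print(line)
```

Running it on the sample prints one summary line per distinct denial (the httpd_t to http_cache_port_t name_connect from the article, and the constructed file read) followed by the exact grep | audit2why command for each event; the granted record is parsed but not counted as a violation.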

Additional Resources

Jens Depuydt’s blog provides a good article called SELinux in a practical way about this topic.
Sander van Vugt offers an interesting video about Fixing SELinux Issues (48min/2015).
In addition, Red Hat provides a video about Monitoring SELinux Violations (10min/2016).
During the 2016 DevConf.cz a presentation was given about the Big SElinux Troubleshooting Chart (95min/2016) (pdf here).

Beyond the exam objectives, you could be interested in this post from Dan Walsh about SELinux Users and Roles.
The mgrepl website also provides very interesting articles about SELinux security policy.



5 Comments on "SELINUX: Diagnose and address routine SELinux policy violations."

leme (Guest):

Man THANK YOU SO MUCH for putting this all together

hallo (Member):

On a CentOS 7.3 GUI install, I get sealert messages in /var/log/messages as well as the raw AVC lines in audit.log

However, on a RHEL 7.3 minimal install, which has auditd and rsyslog enabled by default, I only get AVC lines in audit.log – nothing about SELinux denials in /var/log/messages

Any idea why? Is there something that I just need to turn on?
I do like the sealert messages. I know you can get them (but all at once – not pretty!) with sealert -a audit.log

hallo (Member):

To get the logging to /var/log/messages with a human friendlier form of time displayed with them, you just have to do:
yum install -y setroubleshoot-server && reboot
For whatever reason, a reboot is mandatory. I suspect it’s because the auditd service can’t be restarted on a running system – a bit Windowsy. Restarting the rsyslog service doesn’t seem to help.
Then it’s neat to do tail -f /var/log/messages | grep sealert to view simple, live alerts, as they come in.
