The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
The decisions that SELinux has made about allowing or denying access are stored in the Access Vector Cache (AVC). If the auditing service (auditd) is not running, SELinux logs AVC denial messages to /var/log/messages. Otherwise, the messages are logged to /var/log/audit/audit.log. If the setroubleshootd daemon is running, easier-to-read versions of the denial messages are also written to /var/log/messages.
If you have installed the setroubleshoot and setroubleshoot-server packages, the auditd and setroubleshoot services are running, and you are using the X Window System, you can use the sealert -b command to run the SELinux Alert Browser, which displays information about SELinux AVC denials. To view the details of the alert, click Show. To view a recommended solution, click Troubleshoot.
If you do not use the SELinux Alert Browser, you can search in /var/log/audit/audit.log for messages containing the string denied, and in /var/log/messages for messages containing the string SELinux is preventing. For example:

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1364486257.632:26178): avc: denied { read } for
pid=5177 comm="httpd" name="index.html" dev=dm-0 ino=396075
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:acct_data_t:s0 tclass=file
The main causes of access-denial problems are:

The context labels for an application or file are incorrect. A solution might be to change the default file type of the directory hierarchy. For example, change the default file type of /var/webcontent to httpd_sys_content_t:

# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/webcontent(/.*)?"
# /sbin/restorecon -R -v /var/webcontent

A Boolean that configures a security policy for a service is set incorrectly. A solution might be to change the value of a Boolean. For example, allow users' home directories to be browsable by turning on httpd_enable_homedirs:

# setsebool -P httpd_enable_homedirs on

A service attempts to access a port to which a security policy does not allow access. If the service's use of the port is valid, a solution is to use semanage to add the port to the policy configuration. For example, allow the Apache HTTP server to listen on port 8000:

# semanage port -a -t http_port_t -p tcp 8000

An update to a package causes an application to behave in a way that breaks an existing security policy. You can use the audit2allow -w -a command to view the reason why an access denial occurred. If you then run the audit2allow -a -M module command, it creates a type enforcement (.te) file and a policy package (.pp) file. You can use the policy package file with the semodule -i module.pp command to stop the error from reoccurring. This procedure is usually intended to allow package updates to function until an amended policy is available. If used incorrectly, it can create potential security holes on your system.
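The grep search above returns raw AVC records, and the list of causes just given is what an administrator has to map each record to. The following shell script is an added example, not part of the Oracle documentation: it extracts the source type, target type, object class and denied permissions from an AVC record and classifies it as a labelling problem (tclass is a file-like object), a port problem (name_bind or name_connect on a socket), or something that needs a Boolean or audit2allow review. Both sample records are constructed; the first is modelled on the grep output on this page, and the unreserved_port_t target in the second is an assumption about what a port denial might look like, not output from a real system.

```shell
#!/bin/sh
# Added example (not Oracle's code): parse an AVC denial record and map it to
# the causes listed in the text. Sample records are constructed for illustration.

# Constructed record modelled on the grep output shown on this page.
SAMPLE_FILE_AVC='type=AVC msg=audit(1364486257.632:26178): avc: denied { read } for pid=5177 comm="httpd" name="index.html" dev=dm-0 ino=396075 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:acct_data_t:s0 tclass=file'

# Constructed record for a web server binding a TCP port (target type assumed).
SAMPLE_PORT_AVC='type=AVC msg=audit(1364486300.101:26201): avc: denied { name_bind } for pid=5177 comm="httpd" src=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: print the value of KEY=value in RECORD, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD: print the permission list between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for.*/\1/p'
}

# context_type CONTEXT: the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_category RECORD: prints label, port or policy.
avc_category() {
    perms=$(avc_perms "$1")
    case "$(avc_field "$1" tclass)" in
        tcp_socket|udp_socket)
            case " $perms " in
                *" name_bind "*|*" name_connect "*) echo port ;;
                *) echo policy ;;
            esac ;;
        file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
            echo label ;;
        *)
            echo policy ;;
    esac
}

# avc_hint RECORD: one line naming the remedy the page describes for that category.
avc_hint() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    tclass=$(avc_field "$1" tclass)
    case "$(avc_category "$1")" in
        label)
            echo "$src denied '$perms' on a $tclass labelled $tgt: verify the expected type, then fix with semanage fcontext -a -t <type> and restorecon -R -v" ;;
        port)
            echo "$src denied '$perms' on $tclass labelled $tgt: if the port use is valid, add it with semanage port -a -t <type> -p <proto> <port>" ;;
        policy)
            echo "$src denied '$perms' on $tclass labelled $tgt: check the service's Booleans (getsebool -a) or inspect with audit2allow -w -a" ;;
    esac
}

# Stand-alone run: triage each sample record.
for rec in "$SAMPLE_FILE_AVC" "$SAMPLE_PORT_AVC"; do
    printf '%s: %s\n' "$(avc_category "$rec")" "$(avc_hint "$rec")"
done
```

To use it against a live system, feed it lines from grep denied /var/log/audit/audit.log one at a time; the category names only narrow the search, and the target type printed in the hint is what you compare against the type semanage fcontext -l reports for the path before changing any labels.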