6 Troubleshooting Access-Denial Messages
This chapter provides information about how to troubleshoot access-denial messages.
The decisions that SELinux makes about allowing and denying access are stored in the Access Vector Cache (AVC). If the auditing service (auditd) is running, AVC denial messages are logged to the /var/log/audit/audit.log file; if it isn't running, SELinux logs them to /var/log/messages instead. If the setroubleshootd daemon is running, easier-to-read versions of the denial messages are also written to /var/log/messages.
If you have installed the setroubleshoot and setroubleshoot-server packages, the auditd and setroubleshoot services are normally running. If you're using the X Window System, you can also use the sealert -b command to run the SELinux Alert Browser, which displays information about SELinux AVC denials. To view the details of an alert, click Show. To view a recommended solution, click Troubleshoot. Without a graphical session, sealert -a /var/log/audit/audit.log prints the same analysis, including the suggested fix for each denial, to the terminal.
The following example shows how you would search the /var/log/audit/audit.log file for messages containing the string denied:
grep denied /var/log/audit/audit.log
type=AVC msg=audit(1364486257.632:26178): avc: denied { read } for
pid=5177 comm="httpd" name="index.html" dev=dm-0 ino=396075
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:acct_data_t:s0 tclass=file
The main causes of access-denial problems include the following:

- Context labels for an application or file are incorrect.
  A solution might be to change the default file type of the directory hierarchy. For example, to set the default file type of /var/webcontent to httpd_sys_content_t and then apply that label to the files that already exist there:
  sudo /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/webcontent(/.*)?"
  sudo /sbin/restorecon -R -v /var/webcontent
  Note that semanage fcontext only records the rule; nothing is relabeled until restorecon runs. You can compare the current label of a file (ls -Z) with the label the policy expects (matchpathcon) to confirm that a mislabel is the cause.
- A Boolean that configures a security policy for a service is set incorrectly.
  A solution might be to change the value of a Boolean. For example, you can allow the Apache HTTP server to serve content from users' home directories by turning on httpd_enable_homedirs:
  sudo setsebool -P httpd_enable_homedirs on
  The change takes effect immediately; the -P option also writes it to the policy store so that it persists across reboots. Use getsebool -a to list the current values.
- A service is accessing a port to which a security policy prohibits access.
  If the service's use of the port is valid, a solution is to use semanage to add the port to the policy configuration. For example, to allow the Apache HTTP server to listen on port 8000:
  sudo semanage port -a -t http_port_t -p tcp 8000
  If the port is already assigned to another type, semanage port -a fails with an error that the port is already defined; in that case use semanage port -m to modify the existing assignment. semanage port -l lists the current port types.
- An update to a package causes an application to behave in a way that breaks an existing security policy.
  You can use the audit2allow -w -a command to view the reason why an access denial occurred. If you then run the audit2allow -a -M module command, it creates a type enforcement (.te) file and a policy package (.pp) file. You can use the policy package file with the semodule -i module.pp command to stop the error from recurring. This procedure is typically intended to make package updates function until an updated policy is available. Review the generated .te file before installing it: audit2allow permits exactly the accesses that were denied, so a module built from denials caused by a mislabeled file, a misconfiguration, or a compromised process creates a permanent security hole rather than fixing the underlying problem.