Note: This is an RHCSA 7 exam objective.
Introduction
In RHEL 7, individual packages don't carry their own SELinux policy: the policy is stored in one and only one package, selinux-policy-targeted.
When a policy exists for a given process and SELinux is in Permissive or Enforcing mode, every action the policy doesn't allow is recorded as an AVC denial (in Enforcing mode the action is also blocked; in Permissive mode it is only logged).
The following procedure shows how to get details about any SELinux policy violation.
Main Procedure
Install the setroubleshoot-server package:
# yum install -y setroubleshoot-server
Note: In fact, it's the policycoreutils-python package that really contains the semanage command (as well as audit2why and audit2allow). However, I have always found the setroubleshoot-server package name, which pulls in policycoreutils-python as a dependency, easier to remember!
Display the SELinux policy violations:
# sealert -a /var/log/audit/audit.log
In addition, when an AVC (Access Vector Cache) denial occurs, you can copy the associated line from the /var/log/audit/audit.log file and pipe it to the audit2why command to get a diagnostic.
For example, let’s assume you’ve got this line in your /var/log/audit/audit.log file:
type=AVC msg=audit(1415714880.156:29): avc: denied { name_connect } for pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
Execute this command to get a diagnostic:
# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why
Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to act as a relay
Allow access by executing:
# setsebool -P httpd_can_network_relay 1
Description:
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow access by executing:
# setsebool -P httpd_can_network_connect 1
This will make your investigation much easier! When audit2why offers several booleans, pick the narrowest one that fixes the denial: here httpd_can_network_relay, which only opens the relay-related ports such as http_cache_port_t, rather than httpd_can_network_connect, which lets httpd connect to any TCP port.
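The steps above are manual: find the AVC line, copy its event ID, feed it to audit2why. The following script is an added example (not part of the original post) that automates the first part: it parses raw AVC records from a constructed audit.log excerpt (the first record mirrors the one above, the second is invented for illustration), prints the source type, target type, class and permissions of each denial, builds the grep | audit2why command for its event ID, and shows the audit2allow-style rule the denial implies. The function names (summarize_avc, avc_rule, audit2why_cmd) are my own; it needs only POSIX sh, grep, sed and cut, so it runs on a box without the SELinux tools installed.

```shell
#!/bin/sh
# Added example: parse AVC denials from an audit.log excerpt and print, per
# denial, the event ID for `grep ... | audit2why` and the allow rule it implies.

# Constructed sample records (not real logs); the first mirrors the post's example.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1415714880.156:29): avc:  denied  { name_connect } for  pid=1349 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415714880.156:29): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1415714900.001:35): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Extract the value of a key=value field from one record (quotes stripped).
avc_field() {  # $1 = record, $2 = key
    printf '%s\n' "$1" | grep -o "[[:space:]]$2=[^ ]*" | head -n1 | cut -d= -f2 | tr -d '"'
}

# Read audit records on stdin and print one line per AVC record:
#   event_id comm source_type target_type class perms
summarize_avc() {
    while IFS= read -r rec; do
        case "$rec" in
            type=AVC*) ;;
            *) continue ;;   # SYSCALL, CWD, PATH... records are skipped
        esac
        id=$(printf '%s\n' "$rec" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p')
        perms=$(printf '%s\n' "$rec" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
        comm=$(avc_field "$rec" comm)
        stype=$(avc_field "$rec" scontext | cut -d: -f3)   # third field = type
        ttype=$(avc_field "$rec" tcontext | cut -d: -f3)
        tclass=$(avc_field "$rec" tclass)
        printf '%s %s %s %s %s %s\n' "$id" "$comm" "$stype" "$ttype" "$tclass" "$perms"
    done
}

# The rule audit2allow would generate for a denial, e.g.
#   allow httpd_t http_cache_port_t:tcp_socket { name_connect };
avc_rule() {  # $1 = source type, $2 = target type, $3 = class, $4 = perms
    printf 'allow %s %s:%s { %s };\n' "$1" "$2" "$3" "$4"
}

# The diagnostic command from the post, built from an event ID.
audit2why_cmd() {  # $1 = event id such as 1415714880.156:29
    printf 'grep %s /var/log/audit/audit.log | audit2why\n' "$1"
}

# Usage: walk the denials and print the implied rule and the diagnostic command.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc |
while read -r id comm stype ttype tclass perms; do
    echo "event $id ($comm): $(avc_rule "$stype" "$ttype" "$tclass" "$perms")"
    echo "  diagnose with: $(audit2why_cmd "$id")"
done
```

Seeing the implied rule next to the boolean suggestion is the point: if audit2why offers a boolean, prefer it over loading a custom module with audit2allow, because a boolean is a reviewed, reversible switch and a generated allow rule is exactly as broad as the denial you copied.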
Additional Resources
Jens Depuydt’s blog provides a good article called SELinux in a practical way about this topic.
Sander van Vugt offers an interesting video about Fixing SELinux Issues (48min/2015).
In addition, Red Hat provides a video about Monitoring SELinux Violations (10min/2016).
During the 2016 DevConf.cz a presentation was given about the Big SElinux Troubleshooting Chart (95min/2016) (pdf here).
Beyond the exam objectives, you could be interested in this post from Dan Walsh about SELinux Users and Roles.
The mgrepl website also provides very interesting articles about SELinux security policy.
Man THANK YOU SO MUCH for putting this all together
Thanks.
On a CentOS 7.3 GUI install, I get sealert messages in /var/log/messages as well as the raw AVC lines in audit.log.
However, on a RHEL 7.3 minimal install, which has auditd and rsyslog enabled by default, I only get AVC lines in audit.log – nothing about SELinux denials in /var/log/messages.
Any idea why? Is there something that I just need to turn on?
I do like the sealert messages. I know you can get them (but all at once – not pretty!) with sealert -a audit.log
To get the logging to /var/log/messages with a human friendlier form of time displayed with them, you just have to do: yum install -y setroubleshoot-server && reboot
For whatever reason, a reboot is mandatory. I suspect it's because the auditd service can't be restarted on a running system – a bit Windowsy. Restarting the rsyslog service doesn't seem to help.
Then it's neat to do tail -f /var/log/messages | grep sealert to view simple, live alerts, as they come in.