Correcting SELinux denials including silent denials

July 15, 2024
SELinux is a mandatory access control layer for Linux that will encourage you to throw your server into a lake soon. This is by no means an exhaustive guide to SELinux, just a basic troubleshooting procedure that might work, or at least give you a starting point for finding the cause of your problem. First, make sure the audit daemon (auditd) is running, and start it if it is not; without it, denials never reach /var/log/audit/audit.log (they end up in the kernel log or the journal instead, where ausearch will not find them).
systemctl status auditd
Don't forget to temporarily disable the dontaudit rules so that we can see the utter ridiculousness known as "silent denials". A dontaudit rule tells the kernel to deny an access but not to log it; policy authors use them to hide denials they consider expected noise, which means the one breaking your application may never appear in audit.log at all. Disabling them rebuilds the policy with every denial logged (expect plenty of extra noise), so rebuild again with a plain semodule -B when you are done:
semodule -DB
Set up a tail on audit.log:
tail -f /var/log/audit/audit.log
In a new terminal window, replicate the scenario that is causing the problem. You may or may not wish to place SELinux in Permissive mode first. In Permissive mode, everything will be logged, but all actions will be allowed. It can be useful if SELinux causes your application to crash in Enforcing mode.
setenforce Permissive
Return to audit.log and inspect the latest data in the file. Try to determine what is relevant to the command you are running, and copy and paste those lines to a text file. Hint: every record carries a msg=audit(TIMESTAMP:SERIAL) field near the beginning of the line, and all records of one event share the same value, so the type=AVC line holding the denial and the type=SYSCALL line naming the executable (exe=) belong together; keep both. If it is not obvious which raw audit messages you need, here is another way to obtain them which may be easier:
journalctl -ft setroubleshoot
sealert -l whatever-string-it-gives-you-in-the-journal
ausearch --context context_name_you_found_in_sealert --raw
(sealert's own suggested fix usually filters on the process name instead, with ausearch -c, short for --comm; either works. What matters is --raw: audit2allow wants the raw audit records, not sealert's human-readable summary.)
Optional, but worth doing: find out what audit2why makes of the log entries you have chosen. If it reports that a boolean would allow the access, set that boolean with setsebool -P instead of writing a custom module.
audit2why < the_file_you_just_made
Use audit2allow to build a policy module from those entries. It writes a human-readable .te file next to the compiled .pp; read the .te before installing it, because audit2allow allows exactly what was denied without asking whether it should have been, and if the real problem is a mislabeled file or directory (an odd tcontext such as user_home_t on something a daemon should own) the right fix is relabeling it with restorecon, not granting the daemon access to the wrong type.
audit2allow -M descriptive_policy_rule_name < the_file_you_just_made
Now install your policy rule:
semodule -i descriptive_policy_rule_name.pp
If you placed SELinux into Permissive mode earlier, undo that:
setenforce Enforcing
Attempt to replicate the scenario that is causing the problem. It may work properly at this point, or there may be additional problems that indicate you do not get paid enough for this job. When you are finished, rebuild the policy with semodule -B so the dontaudit rules are back in force and audit.log stops filling with noise.
Other helpful commands:
List installed modules:
semodule -l
Remove a module at priority 400 (the default priority semodule -i installs at):
semodule -r modulename
Remove a module at some other priority:
semodule --priority=300 -r modulename
Find out what priority a module is at (modules live under /var/lib/selinux/<store>/active/modules/<priority>/):
find /var/lib/selinux -iname "*somethingtosearchfor*"
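The triage step above, picking out of audit.log the records that belong to the denials you actually care about, is the part people get wrong, so here is the whole procedure as a shell script. This is an added example and not code from the original post. The audit.log lines in it are constructed for illustration (the httpd, postgresql_port_t and sshd details are made up, not observations about any real policy), and the build_module function, which runs the post's own audit2why / audit2allow / semodule steps, only does anything on a host where those tools are installed.

```bash
#!/bin/bash
# Added example (not from the original post): pick the audit records that
# belong to the denials of one program, grouped by event, so the result can
# be fed to audit2why / audit2allow as a unit. Every record of one kernel
# event carries the same msg=audit(TIMESTAMP:SERIAL) key; the AVC record holds
# the denial and the SYSCALL record of the same event names the executable.

# Constructed sample audit.log contents (not captured from a real host):
# two httpd denials (events :1001 and :1003) and one unrelated sshd event.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1721044800.123:1001): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev="sda1" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1721044800.123:1001): arch=c000003e syscall=257 success=no exit=-13 pid=4242 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=USER_LOGIN msg=audit(1721044801.000:1002): pid=1 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=203.0.113.5 terminal=ssh res=success'
type=AVC msg=audit(1721044802.500:1003): avc:  denied  { name_connect } for  pid=4243 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1721044802.500:1003): arch=c000003e syscall=42 success=no exit=-13 pid=4243 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
)

# Print the unique TIMESTAMP:SERIAL keys of AVC denials whose comm= matches.
event_ids_for_comm() {        # $1 = log text, $2 = program name
  printf '%s\n' "$1" | grep -E '^type=AVC ' | grep -F "comm=\"$2\"" \
    | sed -E 's/.*msg=audit\(([0-9.]+:[0-9]+)\).*/\1/' | sort -u
}

# Print every record (AVC, SYSCALL, ...) that shares one event key.
records_for_event() {         # $1 = log text, $2 = TIMESTAMP:SERIAL
  printf '%s\n' "$1" | grep -F "msg=audit($2)"
}

# Print all records of all events in which program $2 was denied something.
denials_for_comm() {          # $1 = log text, $2 = program name
  local id
  for id in $(event_ids_for_comm "$1" "$2"); do
    records_for_event "$1" "$id"
  done
}

# Number of distinct denial events for a program.
count_denials() {             # $1 = log text, $2 = program name
  event_ids_for_comm "$1" "$2" | wc -l | tr -d ' '
}

# The remaining steps of the procedure, for a real host. Runs only where the
# SELinux userspace tools exist; every command it calls is from the post.
build_module() {              # $1 = program name, $2 = module name
  command -v audit2allow >/dev/null 2>&1 || { echo "audit2allow not installed" >&2; return 1; }
  denials_for_comm "$(cat /var/log/audit/audit.log)" "$1" > "$2.raw"
  audit2why < "$2.raw"                 # read this first: a boolean may suffice
  audit2allow -M "$2" < "$2.raw"       # writes $2.te (read it) and $2.pp
  echo "review $2.te, then: semodule -i $2.pp; afterwards semodule -B restores dontaudit"
}

# Stand-alone demonstration on the constructed sample.
echo "httpd denial events: $(count_denials "$SAMPLE_AUDIT_LOG" httpd)"
denials_for_comm "$SAMPLE_AUDIT_LOG" httpd
```

On a real host you would call something like build_module httpd my-httpd as root, after semodule -DB and with auditd running; the sshd login record in the sample is there to show that unrelated events, and events whose key differs, are left out of the file you hand to audit2allow.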