Correcting SELinux denials including silent denials
July 15, 2024
SELinux is a security enhancement for Linux that will encourage you to throw your server into a lake soon.
This is not by any means an exhaustive guide to SELinux, just a basic troubleshooting procedure that might work, or at least give you a starting point for investigating the cause of your problem.
First, be sure the Security Auditing Service is running, and correct that if it is not:

systemctl status auditd

Don't forget to temporarily disable dontaudit rules so that we can see the utter ridiculousness that is known as "silent denials":

semodule -DB

Set up a tail on audit.log:

tail -f /var/log/audit/audit.log

In a new terminal window, replicate the scenario that is causing the problem. You may or may not wish to place SELinux in Permissive mode first. In Permissive mode, everything will be logged, but all actions will be allowed. It can be useful if SELinux causes your application to crash in Enforcing mode.

setenforce Permissive

Return to audit.log and inspect the latest data in the file. Try to determine what is relevant to the command you are running, and copy and paste those lines to a text file. Hint: records that belong to the same event share the same msg=audit(timestamp:serial) value near the beginning of the line, so compare that value to determine whether log entries are related. If it is not obvious which raw audit messages you need, here is another way to obtain them which may be easier:

journalctl -ft setroubleshoot
sealert -l whatever-string-it-gives-you-in-the-journal
ausearch --context context_name_you_found_in_sealert --raw

Optional: find out some more information about the log entries you have chosen.

audit2why < the_file_you_just_made

Use audit2allow to build a policy rule:

audit2allow -M descriptive_policy_rule_name < the_file_you_just_made

Now install your policy rule:

semodule -i descriptive_policy_rule_name.pp

If you placed SELinux into Permissive mode earlier, undo that:

sudo setenforce Enforcing

Attempt to replicate the scenario that is causing the problem. It may work properly at this point, or there may be additional problems that indicate you do not get paid enough for this job.

Other helpful commands:

List modules: semodule -l
Remove a module at priority 400: semodule -r modulename
Remove a module at some other priority: semodule --priority=300 -r modulename
Find out what priority a module is at: find /var/lib/selinux -iname "*somethingtosearchfor*"
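As an added example (not from the original post), here is a small shell helper for the audit.log triage step above: it pulls every record that shares one msg=audit(timestamp:serial) id, and summarises each AVC denial as source type, target type, class and denied permission so you can see what audit2allow is about to grant. The log records are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers for triaging raw
# /var/log/audit/audit.log records before feeding them to audit2why/audit2allow.

# Constructed sample records (same layout as real AVC and SYSCALL records).
# permissive=1 on the last record means it was logged while SELinux was Permissive.
SAMPLE_LOG='type=AVC msg=audit(1721049600.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1721049600.123:4567): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1721049601.456:4568): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# One line per AVC denial on stdin: serial, source type -> target type, class,
# the denied permissions, and whether the access was actually blocked.
avc_summary() {
    awk '/^type=AVC / && /denied/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/)  { split($i, a, ":"); serial = a[2]; sub(/\).*/, "", serial) }
            if ($i ~ /^scontext=/)    { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/)    { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)      { cls = substr($i, 8) }
            if ($i ~ /^permissive=/)  { perm = substr($i, 12) }
        }
        match($0, /\{[^}]*\}/)
        op = substr($0, RSTART + 1, RLENGTH - 2); gsub(/^ +| +$/, "", op)
        printf "%s %s -> %s %s { %s } permissive=%s\n", serial, src, tgt, cls, op, perm
    }'
}

# Every record (AVC, SYSCALL, PATH, ...) that belongs to the audit event with
# the given serial number: these are the lines to paste into the file for audit2allow.
audit_event() {
    grep "msg=audit([0-9.]*:$1):"
}

# Number of records in one event, to check that nothing was missed when copying.
audit_event_count() {
    audit_event "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | avc_summary
printf '%s\n' "$SAMPLE_LOG" | audit_event 4567
```

Pipe the real file in place of the sample (tail -n 200 /var/log/audit/audit.log | avc_summary) and use the serial column with audit_event to collect one event at a time.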