In this process, you will learn how to troubleshoot SELinux policies, which is most often needed when access to some SELinux objects has been denied and you need to find out the reasons for it. In this process, we will show you how to work with the sealert tool, which will create human-readable and understandable error messages to work with.
To Start With: What Do You Need?
To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges. It is assumed that you are working through the processes in order, so by now you should have installed the SELinux tools and applied the Working with policies process, as we will produce some SELinux denial events in order to show you how to use the log file tools.
The Process
- To begin, log in as root and provoke an SELinux denial event:
touch /var/www/html/test2.html
semanage fcontext -a -t user_tmp_t /var/www/html/test2.html
restorecon -v /var/www/html/test2.html
curl http://localhost/test2.html
- Now, let's generate an up-to-date, human-readable log file:
sealert -a /var/log/audit/audit.log
- In the program's output, you will get a detailed description of every SELinux problem and, at the end of each so-called alert, you will even find a suggested solution to fix the problem; in our example, the alert of interest should read as shown next (the output is truncated):
SELinux is preventing /usr/sbin/httpd from open access on the file
/var/www/html/test2.html.
/var/www/html/test2.html default label should be httpd_sys_content_t
How Does It Work?
In this process, we showed you how easily one can troubleshoot SELinux problems using the sealert program. We started by provoking an SELinux access-denial problem by creating a new file in the web root directory and assigning it the wrong context type, user_tmp_t, for which the httpd policy defines no access rule. Then, we used the curl command to try to fetch the page and actually produce the Access Vector Cache (AVC) denial message in the SELinux logs. Denial messages are logged whenever SELinux denies access. The primary source of all SELinux logging information is the audit log file, which can be found at /var/log/audit/audit.log; easier-to-read denial messages are also written to /var/log/messages. Here, instead of manually grepping for error messages and combining both log files, we use the sealert tool, a convenience program that parses the audit and messages log files and presents the valuable AVC content in a human-readable format. At the end of each alert message, you will also find a suggested solution to the problem; in our example, the alert already points at the remedy by naming the file's default label, httpd_sys_content_t. Please note that these suggestions are auto-generated and should always be questioned before being applied.
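To make the AVC records that sealert digests for you concrete, here is an added example (not part of this process or of the setroubleshoot project) that parses constructed audit.log lines for the test2.html scenario into sealert-style summaries and flags the mislabelled file. The sample log lines, the EXPECTED_TYPE lookup and the function names are assumptions made for this illustration; on a real host the default label would come from matchpathcon, not from a hard-coded table.

```python
import re

# Constructed sample of /var/log/audit/audit.log content (not captured from a real host):
# two AVC denials for the mislabelled test2.html plus a SYSCALL record that is not an AVC.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1449671583.421:1234): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1449671583.421:1234): avc:  denied  { open } for  pid=2071 comm="httpd" path="/var/www/html/test2.html" dev="dm-0" ino=17321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1449671584.100:1235): avc:  denied  { getattr } for  pid=2071 comm="httpd" path="/var/www/html/test2.html" dev="dm-0" ino=17321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
"""

# Fields of an AVC record: result, requested permissions, subject process (comm),
# optional target path, then source/target security contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'.*?comm="(?P<comm>[^"]*)"(?:.*?path="(?P<path>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Expected default type per path prefix (constructed lookup; a real host would ask matchpathcon).
EXPECTED_TYPE = {"/var/www/html/": "httpd_sys_content_t"}

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; the type (third field) is what policy rules use.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def explain(rec):
    """Return (sealert-style summary, remediation hint or None) for a parsed record."""
    msg = "SELinux is preventing %s (%s) from %s access on the %s %s." % (
        rec["comm"], rec["stype"], " ".join(rec["perms"]), rec["tclass"], rec["path"] or "<no path>")
    hint = None
    for prefix, expected in EXPECTED_TYPE.items():
        if rec["path"] and rec["path"].startswith(prefix) and rec["ttype"] != expected:
            hint = ("%s is labelled %s but its default label is %s: review the semanage fcontext rules "
                    "for it and run restorecon -v %s rather than relaxing policy."
                    % (rec["path"], rec["ttype"], expected, rec["path"]))
    return msg, hint

def summarize(log_text):
    """Parse a whole log and return [(summary, hint), ...] for every denial it contains."""
    return [explain(rec) for rec in map(parse_avc, log_text.splitlines())
            if rec and rec["result"] == "denied"]
```

Running summarize(SAMPLE_AUDIT_LOG) yields one summary per denial, each with a hint because user_tmp_t does not match the expected label under /var/www/html/.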