Troubleshooting SELinux
Latest revision as of 13:30, 24 February 2025
I know enough about SELinux to be "labelled" a newbie (and make bad puns). I've had a bit more experience dealing with IPTables.
With the disclaimers out of the way, I just had to fix an SELinux problem on RHEL 6 yesterday, so I can share with you what I did. I had just set up a code review system called ReviewBoard; however, I could not configure ReviewBoard with any repositories, even though I could query those repositories from the command line. I suspected SELinux was blocking my application from communicating with the Interwebs.
Since mine was a "workstation" variety of RHEL 6, I installed the SETroubleShoot application so that I could avail myself of the <code>sealert</code> program. However, I was connected via an SSH session and was unable to get X forwarding to work. Without ready access to the graphical user interface of SETroubleshoot, I just examined the log files (<code>/var/log/audit/audit.log</code> for the most part, but I also took a look at <code>/var/log/messages</code>) for signs that SELinux was blocking my application.
Indeed it was.
I saw messages like this (blocking the system's use of memcached):
<syntaxhighlight lang="text">
type=AVC msg=audit(1396381963.998:5457): avc: denied { name_connect } for pid=11141 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
</syntaxhighlight>
I found out that I could use a tool called <code>audit2allow</code><ref>[http://fedoraproject.org/wiki/SELinux/audit2allow online man page]</ref> to turn those error messages into policies which could be loaded into SELinux.
<syntaxhighlight lang="bash">
yum install setroubleshoot
# monitor the log files for DENIED (AVC "denied" records) while reproducing the problem
tail -f /var/log/audit/audit.log /var/log/messages
# Ctrl + C to cancel monitoring those files
# use the audit2allow tool to turn messages into a policy module
# (note: every denial in the log becomes an allow rule, not only those for your
#  application; review the generated local.te before loading the module)
audit2allow -M local < /var/log/audit/audit.log
# install that policy module
semodule -i local.pp
</syntaxhighlight>
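As an added example (not part of the original page and not audit2allow's own code), the following Python script parses AVC records in the format quoted above and emits the same kind of <code>allow</code> rules that audit2allow generates, but only for the process under investigation, so unrelated denials in the same log do not end up in the module. The sample log lines are constructed; the second AVC record is a made-up, unrelated denial.

```python
import re
from collections import defaultdict

# Constructed sample log: the denial quoted on this page, a non-AVC record, and one
# unrelated denial that would also become an allow rule if audit.log were fed whole.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396381963.998:5457): avc: denied { name_connect } for pid=11141 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396381963.998:5457): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1396382001.123:5460): avc: denied { read write } for pid=2200 comm="ntpd" name="drift" dev=dm-0 ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Fields of an AVC record: permissions in braces, then comm=, scontext=, tcontext=, tclass=
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the parts of one AVC denial that matter for an allow rule, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "perms": d["perms"].split(),
        "comm": d["comm"],
        "stype": d["scontext"].split(":")[2],   # user:role:TYPE:level -> TYPE
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
    }

def allow_rules(log_text, comm=None):
    """Collapse denials into TE allow rules the way audit2allow does, but only
    for the process named by comm (all processes when comm is None)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or (comm is not None and avc["comm"] != comm):
            continue
        rules[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1 else f"allow {s} {t}:{c} {p};")
    return out
```

Calling <code>allow_rules(SAMPLE_AUDIT_LOG, comm="httpd")</code> yields only the httpd rule, whereas the unfiltered call also produces a rule for ntpd's denial.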
== Turn off SELinux ==
Alternatively, you can just turn off SELinux and reboot the machine.
<syntaxhighlight lang="bash">
# switch SELinux to permissive mode (denials are logged but no longer enforced);
# equivalent to `setenforce 0`. This lasts only until the next reboot: the mode
# at boot comes from the SELINUX= setting in /etc/selinux/config
echo 0 > /selinux/enforce
</syntaxhighlight>
{{References}}