Troubleshooting selinux: Difference between revisions

I know enough about SELinux to be "labelled" a newbie (and make bad puns). I've had a bit more experience dealing with IPTables.

With the disclaimers out of the way, I just had to fix an SELinux problem on RHEL 6 yesterday so I can share with you what I did. I had just setup a code review system called ReviewBoard, however I could not configure ReviewBoard with any repositories - even though I could query those repositories from the command line. I suspected SELinux was blocking my application from communicating with the Interwebs.

Since mine was a "workstation" variety of RHEL6, I installed the SETroubleShoot application, so that I could avail myself of the sealert program. However, I was connected via SSH session and was unable to get X-forwarding to work. Without ready access to the graphical user interface of SETroubleshoot, I just examined the log files (/var/log/audit/audit.log for the most part, but I also took a look at /var/log/messages) for the signs that SELinux was blocking my application.

Indeed it was.

I saw messages like this (blocking the system's use of memcached):

type=AVC msg=audit(1396381963.998:5457): avc:  denied  { name_connect } for  pid=11141 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

I found out that I could use a tool called audit2allow^[1] to turn those error messages into policies which could be loaded into SELinux.

yum install setroubleshoot
# monitor the log files for DENIED
tail -f /var/log/audit/audit.log /var/log/messages
# Ctrl + C to cancel monitoring those files

# use the audit2allow tool to turn messages into a policy module
cat /var/log/audit/audit.log | audit2allow -M local
# install that policy module
semodule -i local.pp

Turn off SELinux

Alternatively, you can just turn off SELinux and reboot the machine.

echo 0 > /selinux/enforce

References