Troubleshooting SELinux

SELinux is one of the most powerful security features on your Fedora system. It’s like a valet key for your computer services, only allowing them to access approved data. SELinux has moved past its early reputation for being difficult. It now has configurable policies for the most popular applications, and provides additional security and confidence. However, sometimes errors do happen, and this article will help you deal with them.

Prerequisites

This article assumes two things:

  1. You know the basics of SELinux. If you don’t know the basics of SELinux, now is a great time to learn them.
  2. You are using SELinux in enforcing mode. Enforcing is the normal and expected way to run Fedora. If you have disabled SELinux, you need to enable it. Edit the /etc/sysconfig/selinux file to set SELINUX=permissive. Using permissive mode ensures that any radical problems can still be fixed automatically by the following commands. Then follow these steps:
    sudo fixfiles -F onboot
    reboot

    The boot process can take longer than usual because SELinux relabels all files created while it was disabled. This can take a while on very large filesystems, so be patient.

Don’t be surprised if you start seeing errors after relabelling files if you’ve been in disabled mode for a while. Working in disabled mode is like putting wallpaper over a leak. When you remove the wallpaper, you will likely find water damage. Likewise, if you have been running without SELinux enabled, you have probably created additional problems that now need to be addressed.

After the machine restarts, you can switch to enforcing mode:

sudo setenforce 1

Is it really SELinux?

A good way to tell if SELinux is at fault is to switch to permissive mode. In this mode SELinux logs an error, but still allows the activity. To do this, run the following command:

sudo setenforce 0

Then try the process again, in a different terminal if necessary. If SELinux policy is violated, an error is logged. To find errors within the last 10 minutes, use the ausearch command:

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

If the process still fails in permissive mode, then the problem is most likely not SELinux policy. In this case, make sure to run sudo setenforce 1 to return to enforcing mode. Remember that this setting is global.
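
The permissive-mode check above as a single script (an added example, not from the original article; probe_permissive is a hypothetical helper name, and it assumes sudo rights for setenforce and ausearch). It returns the system to enforcing mode even when the command fails or the run is interrupted:

```shell
#!/bin/sh
# Added example: run one command with SELinux temporarily permissive.
# Usage (as a script): sh probe.sh curl -sf http://localhost/index.html
probe_permissive() {
  prior=$(getenforce)                  # Enforcing, Permissive or Disabled
  [ "$prior" = "Enforcing" ] || { echo "skip: mode is $prior"; return 2; }
  sudo setenforce 0
  # The switch is system-wide: go back to enforcing if interrupted.
  trap 'sudo setenforce 1; exit 130' INT TERM
  if "$@" >/dev/null 2>&1; then ran=ok; else ran=failed; fi
  sudo setenforce 1
  trap - INT TERM
  # "recent" covers the last 10 minutes, so earlier denials are counted too.
  denials=$(sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent 2>/dev/null \
            | grep -c 'denied' || true)
  if [ "$ran" = failed ]; then
    echo "not-selinux: command still fails in permissive mode"
  elif [ "$denials" -gt 0 ]; then
    echo "selinux: command works in permissive mode, $denials denial(s) logged"
  else
    echo "inconclusive: command works and no denials were logged"
  fi
}

if [ "$#" -gt 0 ]; then probe_permissive "$@"; fi
```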

Defining the problem

You can usually spot SELinux errors through the AVC message. One of the parameters of the AVC message is the command that generated the message. For example, you can see comm="/usr/sbin/httpd" in the SELinux error message that is generated by the Apache web server.

The message will also tell you the source context (scontext) of the acting part of your system, and the target context (tcontext) of the thing it tried to act on. Often, but not always, the source is a binary and the target is a file. To understand errors better, you can use SELinux Troubleshooter. You can install this with the Software tool in Fedora Workstation, or use sudo with dnf in a terminal:

sudo dnf install setroubleshoot

To launch the program, use the Overview in Fedora Workstation to find the SELinux Troubleshooter, or run from a terminal:

sealert

You can find the latest alerts in the browser that appears:

On this screen, for example, you can get a list of all the warnings present in the system in order to eliminate them systematically.

Solution to the problem

When you select problems, you will see several options for your error.

In this case, the user created an index.html file in his home directory and used the mv command to move it to the /var/www/html/ directory that is served by the Apache web server. When the user pointed a web browser at http://localhost/index.html, this error occurred.

Notice how each selection gives you a specific set of commands that you can run to solve the problem. In this case, there is a boolean that permits the action in the future even while SELinux enforces the policy.

However, just because there is a boolean does not mean that you have to turn it on without understanding it. In this case, if you enable the boolean, the Apache web server will be able to read any user content whose permissions allow access to the files. So in this case, we might instead ask, “Why does this file have this context?” Here, it is because the user moved the file. This means that the file was moved with its old labels to a new location, instead of receiving a new default context that allows the web server to read the contents in /var/www/html.

In this case, a better idea is to simply restore the correct file context:

sudo restorecon -rv /var/www/html/index.html
Relabeled /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
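
The scontext/tcontext fields described under "Defining the problem" and the moved-file case above can be checked together. The following is an added example, not from the original article: triage_avc and sample_avc are hypothetical names, the audit records are constructed, and the rule generalises the one index.html case to any file outside /home that still carries the user_home_t label.

```shell
#!/bin/sh
# Added example: triage AVC denials by comparing the target label with the path.
# The records in sample_avc are constructed for illustration, not captured logs.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.202:412): avc:  denied  { read } for  pid=2101 comm="httpd" path="/home/alice/public_html/a.html" dev="dm-0" ino=393999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.202:412): arch=c000003e syscall=257 success=yes exit=3 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# One line per denial: comm|permissions|source type|target type|path|verdict
triage_avc() {
  awk '
    function field(key,   i, v) {            # value of key=... in this record
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
        }
      return "-"
    }
    function setype(ctx,   p) {              # context is user:role:type:level
      split(ctx, p, ":"); return p[3]
    }
    /^type=AVC / && / denied / {
      perm = $0; sub(/^.*[{] */, "", perm); sub(/ *[}].*$/, "", perm)
      path = field("path"); ttype = setype(field("tcontext"))
      verdict = "review-policy"
      # Heuristic: a home-directory label on a file outside /home means the
      # file was moved with its old label, so relabel it rather than enable
      # a boolean that widens what the domain may read.
      if (ttype == "user_home_t" && path != "-" && path !~ /^\/home\//)
        verdict = "relabel-with-restorecon"
      # permissive=1: the denial was logged but the access went ahead.
      if (field("permissive") == "1") verdict = verdict ",not-blocked"
      print field("comm") "|" perm "|" setype(field("scontext")) "|" ttype "|" path "|" verdict
    }'
}

sample_avc | triage_avc
```

On a live system, pipe the output of sudo ausearch -m AVC -ts recent into triage_avc. Running restorecon -nv on a flagged path shows the label change without applying it.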

A note on SELinux booleans

There are many booleans available. Each one lets you set a broad class of access that you might expect your application to need in order to function. To see the entire list and their current settings, run the following command:

semanage boolean -l

If you install the selinux-policy-devel package first, you can also see a short description for each boolean when you run the command above:

SELinux boolean State Default Description

abrt_anon_write (off, off) Allow ABRT to modify public files used for public file transfer services.
abrt_handle_event (off, off) Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.
abrt_upload_watch_anon_write (on, on) Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.
antivirus_can_scan_system (off, off) Allow antivirus programs to read non security files on a system
...

To set a boolean temporarily, run this command, where boolname is the name of the boolean and value is either on or 1, or off or 0:

setsebool boolname=value

To set it permanently, add the -P switch:

setsebool -P boolname=value

Conclusion

There are other things you can do to solve problems in SELinux, such as creating a specific policy module for your system. You can find them in the SELinux manual (https://docs-old.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/index.html), which is helpful for understanding these functions.