Quick wins with SELinux
If you’re reading this in the hope that all your SELinux woes will be magically resolved, I have some bad news for you. If you want to understand how to manage SELinux properly then you’re going to have to learn how to write a policy, and sooner or later I really hope that you will. In the meantime this post will provide you with a list of commands that should get you by 80% of the time, even if you don’t yet understand them.
Confirming a problem is being caused by SELinux
ausearch -m avc -ts recent
You probably have a suspicion. It can take a few hours before the thought comes to you, but sooner or later you’ll wonder “could it be SELinux causing this issue?”. When it does, the above command will show you actions that SELinux blocked in the last ten minutes, which is what -ts recent means; use -ts today or -ts boot to look further back. If nothing shows up, remember that the policy deliberately silences some denials with dontaudit rules. Running semodule -DB turns those rules off (semodule -B turns them back on), after which the hidden AVCs appear in the log like any other.
Identifying the cause of the problem
ausearch -m avc -ts recent | audit2why
So what now? You know that SELinux is the issue, and you also know that simply running setenforce 0 isn’t the right way to address it. The audit2why utility takes an SELinux denial (an AVC record) and explains why the policy blocked it: whether a boolean would allow the access, whether the target file is mislabelled, or whether the policy simply has no rule for it. Its sibling audit2allow can turn the same denials into a custom policy module, but read what it generates before loading it, because it will happily allow exactly the access the policy was written to prevent.
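The denials that ausearch prints are verbose, and a busy server produces pages of them. The script below is an added example written for this post, not part of the original and not an auditd tool: it reduces each AVC record to "source type, target type, object class, permissions, mode" and counts the distinct combinations, which is the shape you need before reaching for a boolean, a relabel or a policy change. The sample records are constructed for the example (they follow the kernel’s AVC format but are not real audit output); the function names and the --demo switch are my own.

```shell
#!/bin/sh
# Added example (not from the original post): collapse raw AVC records into a
# short "who was denied what on which type" list. POSIX sh + sed/cut only.
# Feed it 'ausearch -m avc -ts recent' output, or use the constructed sample.

# Constructed sample records (not real audit output). Two are the classic
# "Apache can't reach the database" denial, one is a mislabelled file.
SAMPLE_AVC_LOG='type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="sda1" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> the value of "KEY=value" in RECORD (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (third field) of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD -> the permission set inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# avc_summary RECORD -> "src_type -> tgt_type : class { perms } (mode)"
# mode tells you whether the access was actually blocked (enforcing) or only
# logged because the domain or the whole system is permissive.
avc_summary() {
    rec=$1
    src=$(avc_type "$(avc_field "$rec" scontext)")
    tgt=$(avc_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    case $(avc_field "$rec" permissive) in
        1) mode=permissive ;;
        *) mode=enforcing ;;
    esac
    printf '%s -> %s : %s { %s } (%s)\n' "$src" "$tgt" "$cls" "$(avc_perms "$rec")" "$mode"
}

# avc_triage < records -> distinct summaries with counts, most frequent first.
# Non-AVC lines (ausearch separators, SYSCALL records) are skipped.
avc_triage() {
    while IFS= read -r rec; do
        case $rec in
            *avc:*denied*) avc_summary "$rec" ;;
        esac
    done | sort | uniq -c | sort -rn
}

# Stand-alone use: './avc-triage.sh --demo' summarises the sample; with no
# argument it summarises the real audit log when ausearch is installed.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AVC_LOG" | avc_triage
elif command -v ausearch >/dev/null 2>&1; then
    ausearch -m avc -ts recent 2>/dev/null | avc_triage
fi
```

Read the output alongside audit2why: a line such as httpd_t -> postgresql_port_t : tcp_socket { name_connect } is the signature of a boolean problem, while httpd_t -> default_t : file { read } points at a labelling problem, which is exactly the split the next two sections deal with.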
Checking SELinux booleans
setsebool -P {{name}} on
Services can be configured in quite different ways, so SELinux policies have been written to work differently too. The mechanism for this is booleans. You can think of an SELinux boolean as a switch that turns a set of rules within the policy on or off. A classic example is httpd_can_network_connect_db. This boolean is off by default, but if you have a web server running Apache that needs to connect to a database server over the network then you need to turn it on before your web server will be able to connect. The -P flag writes the change to the policy store so it survives a reboot; without it the boolean reverts at the next boot.
Check out the full list of booleans and their current values by running getsebool -a, or semanage boolean -l, which adds a one-line description of what each boolean does.
Check your file labels
ls -lZ /path/to/files
Another classic problem that admins run into is file labelling. Historically, if you decided that you’d prefer your website to live under /srv/mysite rather than the default of /var/www/html, you wouldn’t have had a problem. With SELinux, every file and directory on the file system has a label. If a process tries to perform an action (say, a read or a write) on a file and there is no rule within the policy allowing the process’s domain that access to the file’s label, the action is denied.
If you find that your process is being blocked and suspect the files have been mislabelled, first try running restorecon -Rv /path/to/files. This resets the labels to the defaults defined in the SELinux policy for that path (-v lists each file it changed). If the labels are still wrong, the policy simply has no rule for that location, so add one with something along the lines of semanage fcontext -a -t httpd_sys_content_t '/srv/mysite(/.*)?' and then run restorecon -R /srv/mysite again: semanage only records the rule in the policy store, it doesn’t relabel anything by itself. Use httpd_sys_content_t for content the web server only reads and httpd_sys_rw_content_t for the directories it has to write to (there is no httpd_sys_content_rw_t).
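The two steps above are easy to get in the wrong order, and the regex is easy to mis-quote, so here is the procedure wrapped in a small script. This is an added example written for this post, not part of the original and not a policycoreutils tool. The function names and the RELABEL_DRY_RUN switch are my own convention: with it set, the script prints the commands it would run (so the sequence can be checked on a machine without SELinux tooling); unset, it runs the real semanage and restorecon, which need root.

```shell
#!/bin/sh
# Added example (not from the original post): record a file-context rule for a
# relocated site, then apply it. semanage never relabels; restorecon does.

# run CMD...: execute CMD, or just print it when RELABEL_DRY_RUN is set.
run() {
    if [ -n "${RELABEL_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# relabel_path PATH TYPE: label PATH and everything below it as TYPE,
# e.g. relabel_path /srv/mysite httpd_sys_content_t
relabel_path() {
    path=${1%/}    # strip a trailing slash so the regex reads 'PATH(/.*)?'
    type=$2
    case $type in
        *_t) ;;
        *) printf 'relabel_path: %s does not look like an SELinux type\n' "$type" >&2
           return 1 ;;
    esac
    # Records the rule in the policy store. If a rule for this regex already
    # exists semanage refuses with "already defined"; use -m instead of -a
    # to change it, or -d to delete it.
    run semanage fcontext -a -t "$type" "$path(/.*)?" || return 1
    # Applies the rule to the files that are already there.
    run restorecon -Rv "$path"
}

# relabel_like NEWPATH ORIGPATH: an equivalence rule, e.g.
# relabel_like /srv/mysite /var/www. NEWPATH inherits every labelling rule
# that applies under ORIGPATH, so cgi-bin, html and friends keep their own
# distinct types instead of the whole tree getting one type.
relabel_like() {
    new=${1%/}
    orig=${2%/}
    run semanage fcontext -a -e "$orig" "$new" || return 1
    run restorecon -Rv "$new"
}

# Stand-alone use: RELABEL_DRY_RUN=1 ./relabel.sh /srv/mysite httpd_sys_content_t
if [ $# -eq 2 ]; then
    relabel_path "$1" "$2"
fi
```

After running it for real, ls -lZ /srv/mysite should show the new type on every file, and a fresh ausearch -m avc -ts recent should no longer show httpd_t denials against the old label. Prefer relabel_like when you have moved an entire document root, and relabel_path when you are adding one directory with a single purpose (an upload directory that needs httpd_sys_rw_content_t, for instance).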
Disabling an individual policy
semodule -r httpd
If resolving your particular SELinux problem just isn’t happening for you, you may be tempted to run setenforce 0 and update your /etc/selinux/config file to disable SELinux outright. I would recommend instead using the above command to remove just the policy module that is causing the problems, so everything else on the box stays confined. Be aware that other modules may depend on httpd, in which case semodule will refuse the removal until those go too. A gentler option that is usually enough is semanage permissive -a httpd_t, which puts only that one domain into permissive mode: its denials are still logged, so you can keep working on the proper fix, but they are no longer enforced. semanage permissive -d httpd_t puts it back.
Final Thoughts
I wouldn’t say SELinux is easy to learn, but I would certainly say that it is worthwhile learning. Once you’ve got a handle on the basics you’ll start to see that disabling SELinux because it’s stopping Apache from connecting to your database server is a bit like disabling iptables because it was preventing incoming connections on port 80. It’s irresponsible to turn it off just because you’re too lazy to learn how to use it.