How to Troubleshoot SELinux issue

Today, lets check about SElinux and see how to troubleshoot SELinux issue.

SELinux

Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).  

SELinux was released to the open source community in 2000, and was integrated into the upstream Linux kernel in 2003.

How does SELinux work?

SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy. 

When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.

If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied. 

If permission is denied, an “avc: denied” message will be available in /var/log.messages.

How to handle SELinux errors

When you get an error in SELinux there is something that needs to be addressed. It is likely 1 of these 4 common problems:

1. The labels are wrong. If your labeling is incorrect you can use the tools to fix the labels.
2. A policy needs to be fixed. This could mean that you need to inform SELinux about a change you’ve made, or you might need to adjust a policy. You can fix it using booleans or policy modules.
3. There is a bug in the policy. It could be that a bug exists in the policy that needs to be addressed.
4. The system has been broken in to. Although SELinux can protect your systems in many scenarios, the possibility for a system to be compromised still exists. If you suspect that this is the case, take action immediately.

Issue:

Unable to start the service – My case HTTPD, it can be any service, you can change as per your scenario.

Solution:

You can try to start the service and check what is happening, when you try to start the service, you may able to get what is happening and where it is failing. Systemd capture the data and displays detailed error.

Check the real time troubleshooting on,

Check the status of the service,

# systemctl status httpd

Try to start httpd:

# systemctl start httpd

Run the status again:

# systemctl status httpd.service

Check if the issue is with SELinux by disabling it:

# setenforce 0

now Restart httpd service and check the status.

# systemctl start httpd

Check the status of httpd:

# systemctl status httpd.service

If the service started fine, then we have confirmed issue is with selinux, but disabling the selinux is not our goal, so let’s stop the service and enable the selinux.
To Stop httpd service, run,

# systemctl stop httpd

To enable SELinux, run

# setenforce 1

As we aware the issue with selinux, but we are not sure it is service or port, (mostly it is due to port, as you can see the service is trying to start in systemctl, but port has permission denied).

You can Review SELinux-related logs by running below command to check what was the actual issue.

# ausearch -m avc -ts recent

Also, you can review the audit logs and scroll up to the httpd section once it is loaded:

# sealert -a /var/log/audit/audit.log

As this related to post, you can run following command to confirm what are the ports are allowed in selinux. To verify http ports:

# semanage port -l | grep http

With this we know, the port is missing, you can running following command to add the port to selinux.

# semanage port -a -t http_port_t -p tcp 9091

Once you have added, you Verify the port 9091 is listed:

# semanage port -l | grep http

Once you can see the port, now you can start httpd service and see the status, the service should be up and running.

# systemctl start httpd

Check the status:

# systemctl status httpd

You can follow us on social media, to get some regular updates

• Facebook: https://www.facebook.com/foxutech/
• Instagram: https://www.instagram.com/foxutech/
• YouTube: Foxutech
• Twitter: https://twitter.com/foxutech
• Medium: FoxuTech – Medium