In this recipe, you will learn how to troubleshoot SELinux policies, which is most often needed when access to some SELinux object has been denied and you need to find out the reason for it. We will show you how to work with the sealert tool, which creates human-readable and understandable error messages to work with.
To complete this recipe, you will require a working installation of the CentOS 7 operating system with root privileges. It is assumed that you are working through this chapter recipe by recipe, so by now you should have installed the SELinux tools and applied the Working with policies recipe in this chapter, as we will produce some SELinux denial events in order to show you how to use the log file tools.
# Create a file in the web root and deliberately give it a label the httpd policy cannot read
touch /var/www/html/test2.html
semanage fcontext -a -t user_tmp_t /var/www/html/test2.html
restorecon -v /var/www/html/test2.html
# Provoke the denial by fetching the file through Apache
curl http://localhost/test2.html
sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/sbin/httpd from open access on the file /var/www/html/test2.html. /var/www/html/test2.html default label should be httpd_sys_content_t
Here in this recipe, we showed you how easily one can troubleshoot SELinux problems using the sealert program. We started by provoking an SELinux access-denial problem by creating a new file in the web root directory and assigning it a wrong context type value, user_tmp_t, for which no access rule is defined in the httpd policy. Then, we used the curl command to try to fetch the website and actually produce the Access Vector Cache (AVC) denial message in the SELinux logs. Denial messages are logged whenever SELinux denies access. The primary source where all SELinux logging information is stored is the audit log file, which can be found at /var/log/audit/audit.log, and easier-to-read denial messages will also be written to /var/log/messages. Here, instead of manually grepping for error messages and combining both log files, we use the sealert tool, which is a convenience program that parses the audit and messages log files and presents the valuable AVC content in a human-readable format. At the end of each alert message, you will also find a suggested solution to the problem. Please note that those are auto-generated messages and should always be questioned before being applied.
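To make visible what sealert does with the raw audit records, here is an added example (our own code, not part of the recipe or of the setroubleshoot project) that parses AVC lines from a constructed audit.log excerpt and produces the same kind of summary; the expected web-root label is the one the recipe's sealert output names.

```python
import re
from typing import Dict, List, Optional

# Constructed audit.log excerpt mirroring the recipe (not a real capture).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1500000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1500000000.123:456): avc:  denied  { open } for  pid=1234 comm="httpd" path="/var/www/html/test2.html" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.124:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/test2.html" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
"""
# Expected label for the web root, as stated in the recipe's sealert output.
EXPECTED_LABELS = {"/var/www/html/": "httpd_sys_content_t"}

AVC_RE = re.compile(r"type=AVC msg=audit\([^)]*\): avc:\s+(?P<result>denied|granted)\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the AVC record's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").strip()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec

def suggest(rec: Dict[str, str]) -> Optional[str]:
    """Flag a target under a known path whose label differs from the expected one."""
    for prefix, label in EXPECTED_LABELS.items():
        if rec.get("path", "").startswith(prefix) and rec["ttype"] != label:
            return f"{rec['path']} default label should be {label}"
    return None

def summarize(log_text: str) -> List[str]:
    """One sealert-style sentence per denial, plus a labelling hint where applicable."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        target = rec.get("path") or rec.get("name", "?")
        msg = (f"SELinux is preventing {rec.get('comm', '?')} ({rec['stype']}) from {rec['perms']} "
               f"access on the {rec.get('tclass', '?')} {target} (labelled {rec['ttype']})")
        hint = suggest(rec)
        out.append(f"{msg}. {hint}" if hint else msg)
    return out
```

On a real system, `summarize(open("/var/log/audit/audit.log").read())` gives the denial summaries for the whole log; sealert additionally consults the installed policy, so treat the label hint here as the same kind of auto-generated suggestion the recipe warns you to question.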