Troubleshooting SELinux

From EnGardeWiki



Description

Because SELinux is a complex system, a program you need to integrate with your EnGarde Secure Linux system may require access that the shipped SELinux Policy does not already allow. When that happens you will see SELinux deny messages in /var/log/messages that look like the following (shown here with a line break added); the sections below explain how to collect these messages and where to get help with them:

Code:
Dec 10 13:56:28 server kernel: audit(1160762188.535:1884): avc:  denied  { name_connect } for  pid=4437 comm="test.pl" dest=80 \
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket

Obtaining SELinux Messages

In order to get help with SELinux error messages, you need to get a copy of the messages themselves. There are 2 primary ways to accomplish this: the WebTool and the console.

Console

If you are logged into the console, either via a terminal connection or SSH, first ensure that you are root. Then switch to the sysadm_r role, which is required to read the relevant log files.

Code:
# newrole -r sysadm_r
Password:

Since all the messages are either in /var/log/messages or accessible via dmesg, you can collect the SELinux messages by filtering that output through grep for the 'avc:' marker.

Code:
# grep 'avc:' /var/log/messages > selinux_messages

It is likely that the selinux_messages file contains a lot of messages, so you will want to pare it down to only those relevant to your issue. The easiest way to do that is by time: if you executed the application that is causing the problem within the last 30 seconds, remove from the selinux_messages file all messages older than 35 seconds.

WebTool

The WebTool has a built-in SELinux console that allows you to manipulate SELinux booleans and to clear and read the kernel ring buffer. To take advantage of this feature, perform the following steps. First, log in to the WebTool. Navigate through the System menu to the SELinux Control Console. Click the Launch Audit Monitor button, then click the Clear Kernel Ring Buffer button.

Now perform the action that is causing the SELinux error messages, and copy and paste any new AVC deny messages that appear in the audit monitor.

Using audit2allow

Another helpful way to present the information (especially if you do not know SELinux policy and its tools very well) is to include the output of audit2allow. The command reads a file containing SELinux deny messages like those shown above, interprets them, and outputs the changes that would need to be made to the SELinux Policy to permit the denied access. Be careful: these messages may only show the surface problem and not the entire problem, so if you are new to hacking on SELinux Policy, make changes with caution.

Code:
# audit2allow < selinux_messages
allow httpd_t http_port_t:tcp_socket name_connect;
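The two steps above, filtering the collected messages down to a recent time window and turning the surviving denials into allow rules the way audit2allow does, can be combined in a short script. The following is an added example written for this page, not part of the EnGarde WebTool or of audit2allow itself; the log lines in SAMPLE_LOG are constructed samples modelled on the message at the top of the page, and the epoch timestamp inside audit(...) is what the time filter uses.

```python
"""Parse AVC denials from syslog-style text, keep those within a time
window, and merge them into allow rules in audit2allow's output format.
Added example for the EnGarde SELinux troubleshooting page; the log
content below is constructed, not captured from a real system."""
import re
from collections import defaultdict

# Constructed sample of /var/log/messages content.  One denial is old,
# three are recent, and one line is not an AVC message at all.
SAMPLE_LOG = """\
Dec 10 13:55:01 server kernel: audit(1160762101.120:1880): avc:  denied  { read } for  pid=4410 comm="httpd" name="index.html" dev=sda3 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Dec 10 13:56:28 server kernel: audit(1160762188.535:1884): avc:  denied  { name_connect } for  pid=4437 comm="test.pl" dest=80 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
Dec 10 13:56:29 server kernel: audit(1160762189.002:1885): avc:  denied  { name_connect } for  pid=4437 comm="test.pl" dest=80 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
Dec 10 13:56:30 server kernel: audit(1160762190.417:1886): avc:  denied  { write } for  pid=4437 comm="test.pl" name="out.txt" dev=sda3 ino=67890 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Dec 10 13:56:30 server kernel: audit(1160762190.418:1887): avc:  denied  { append } for  pid=4437 comm="test.pl" name="out.txt" dev=sda3 ino=67890 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Dec 10 13:56:31 server sshd[4500]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
"""

# Matches the fields this script needs from an AVC denial: the epoch
# timestamp, the denied permissions, and the source/target contexts.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Return one dict per AVC denial line; lines without 'avc: denied' are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "ts": int(m.group("ts")),
            "perms": set(m.group("perms").split()),
            # A context is user:role:type[:level]; the policy rule uses the type.
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def recent(denials, now, window=35):
    """Keep denials no older than `window` seconds before `now` (epoch seconds)."""
    return [d for d in denials if now - d["ts"] <= window]


def allow_rules(denials):
    """Merge denials into allow rules, one per (source type, target type, class),
    joining the permissions in braces when there is more than one."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ %s }" % joined
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == "__main__":
    # Pretend the failing program was just run; 1160762200 is ~10 s after
    # the last sample denial, so the 13:55:01 denial falls outside the window.
    for rule in allow_rules(recent(parse_avc(SAMPLE_LOG), now=1160762200)):
        print(rule)
```

The first rule printed is exactly the one the page shows audit2allow producing for the name_connect denial. Note that the script, like audit2allow, only mirrors what was denied back as a rule; as the page warns, that may describe the surface symptom rather than the real problem, so treat the output as information to include in a help request, not as a patch to apply blindly.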

Getting Help

There are numerous ways to get help when you come across an SELinux issue. You can use the EnGarde Secure Linux Forums or the EnGarde Secure Linux Mailing List, or contact us via IRC (Internet Relay Chat). Whichever method you use, include as much pertinent information as possible so that those who wish to help are able to.
