Troubleshooting SELinux explained with Booleans

SELinux is a Linux Security Module (LSM). When it is enabled, the kernel consults the loaded SELinux policy at every access check (opening a file, binding a port, sending a signal, and so on) and allows or denies the operation. SELinux runs in one of two modes: enforcing and permissive. In enforcing mode, it logs every denial and blocks the operation. In permissive mode, it only logs what the policy would have denied; nothing is blocked.

In both modes, SELinux logs the access requests that the policy denies. It does not log every access request: allowed accesses are not recorded unless the policy explicitly asks for it, and denials covered by dontaudit rules are suppressed, which is worth remembering when a failure leaves no trace. If the auditd daemon is running, the records go to the /var/log/audit/audit.log file. If auditd is not running, the kernel sends them to syslog, and they appear in /var/log/messages (or in the journal). Every kernel denial record carries type=AVC (Access Vector Cache); denials reported by userspace object managers such as dbus carry type=USER_AVC. Either way, the string AVC lets you filter SELinux records out of the rest of the audit log. For example, the following command displays all SELinux records in the /var/log/audit/audit.log file.

# grep AVC /var/log/audit/audit.log


You can also redirect the filtered records to a text file for offline analysis.

# grep AVC /var/log/audit/audit.log > selinux-log-file-name


Understanding SELinux logs

A SELinux AVC record consists of the following parts.

  • The first part, type=, is the record type. Kernel SELinux denials have type=AVC, which you can use to filter them.
  • The second part, msg=audit(...), identifies the event. It holds a Unix timestamp (seconds.milliseconds) and an event serial number. All records that belong to the same event, for example the AVC record and the SYSCALL record of the call that triggered it, share the same timestamp and serial, which is how you correlate them.
  • The third part states the decision and the permission it concerned. The keyword denied means the policy refused the request; the permission inside the braces (such as getattr, read, or write) is the exact operation that was checked. It also gives the pid of the process that made the request.
  • The fourth part, comm=, is the name of the executable that made the request (the process name truncated to 15 characters), not the full command line.
  • The fifth part identifies the target. For a file it is path= (or name=); for a network object it is dest= or laddr= and lport= instead.
  • The sixth part, dev=, is the block device that holds the target file, usually followed by ino=, the file's inode number.
  • The seventh part, scontext=, is the security context of the source, that is, the process that made the request.
  • The eighth part, tcontext=, is the security context of the target object.
  • The ninth part, tclass=, is the object class of the target (file, dir, tcp_socket, and so on). The same permission name means different things in different classes, so always read the permission together with the class.
  • The last part, permissive=, records whether the denial was enforced: permissive=0 means the request was blocked, permissive=1 means it was only logged.
Example

The following command displays the most recent SELinux record in the audit.log file.

# grep AVC /var/log/audit/audit.log | tail -n1


type=AVC

This is a kernel SELinux denial record.

msg=audit(1748965465.168:241)

The audit daemon recorded this event at Unix time 1748965465.168; 241 is the event's serial number. Together, the timestamp and serial identify the event, and the SYSCALL record that belongs to the same denial carries the same value.

avc:  denied  { getattr } for  pid=6439

The policy denied the getattr permission to process ID 6439. getattr is a request for the file's attributes (a stat() call); it is usually the first check a web server fails on a mislabeled file, before it even tries to read the content.

comm="httpd"

The name of the executable that made the request, here the Apache web server.

path="/webroot/test3.html"

The target file. The httpd process tried to access this file, and SELinux blocked the request. Note that /webroot is not a location the default policy knows about (the standard web root is /var/www), which is why the file carries a generic label, as the tcontext field below shows.

dev="dm-0"

The block device that holds the target file, here the LVM device-mapper volume dm-0.

scontext=system_u:system_r:httpd_t:s0

The security context (user:role:type:level) of the source, the httpd process. The targeted policy makes its decisions mainly on the type field, here httpd_t.

tcontext=unconfined_u:object_r:default_t:s0

The security context of the target file. Its type is default_t, the label SELinux assigns to files in locations that no file-context rule covers. The policy does not allow httpd_t to access default_t files, which is the cause of this denial. Relabeling /webroot with a type that httpd_t may read (httpd_sys_content_t is the type used for /var/www) resolves it; the denial is a labeling mistake, not a reason to loosen the policy.

tclass=file

The object class of the target. Together with the permission in braces, it states exactly what was requested: getattr on a file.

permissive=0

permissive=0 means SELinux was enforcing for this domain, so the request was actually blocked. permissive=1 would mean the denial was only logged.
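To make the field breakdown above concrete, here is a small parser for AVC records. It is an added example, not part of the original tutorial or of any SELinux tool: it splits each record into the header (type, timestamp, serial), the decision and permission set, and the key=value fields, then uses the scontext, tcontext and tclass types to suggest where to look next. The sample records are constructed for the example (the first mirrors the httpd denial discussed above; the second is an httpd connection to a database port, a denial that a Boolean controls), and the table mapping a denial to a Boolean is a deliberately short illustration, not a dump of the policy.

```python
"""Parse SELinux AVC denial records and point at the likely remedy.

Added example. The log lines below are constructed for this demonstration;
they are not from a real system.  Run: python3 avc_parse.py
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit.log excerpt. Record 241 mirrors the httpd denial
# discussed in the text; record 250 is a permissive-mode denial of a TCP
# connection that a Boolean controls. The SYSCALL line shares the serial of
# record 241 and is skipped by the parser because it is not an AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1748965465.168:241): avc:  denied  { getattr } for  pid=6439 comm="httpd" path="/webroot/test3.html" dev="dm-0" ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1748965465.168:241): arch=c000003e syscall=262 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1748965470.512:250): avc:  denied  { name_connect } for  pid=6439 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

# Header shared by every audit record: type=... msg=audit(SECONDS.MS:SERIAL): body
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# AVC body: avc:  denied  { perm perm } for  key=value key="quoted value" ...
AVC_BODY = re.compile(r"^avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Illustrative lookup only (an assumption of this example, not a policy dump):
# (source type, target type, class, permission) -> Boolean that permits it.
BOOLEAN_HINTS = {
    ("httpd_t", "mysqld_port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect_db",
}


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    permissions: List[str]
    fields: Dict[str, str]

    @property
    def enforced(self) -> bool:
        """permissive=0: the request was blocked; permissive=1: logged only."""
        return self.fields.get("permissive") == "0"

    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]   # user:role:TYPE:level

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def target(self) -> str:
        # Files report path= (or name=); network objects report dest=/laddr=.
        for key in ("path", "name", "dest", "laddr"):
            if key in self.fields:
                return self.fields[key]
        return "?"


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    head = HEADER.match(line.strip())
    if not head or head.group("type") != "AVC":
        return None
    body = AVC_BODY.match(head.group("body"))
    if not body:
        return None
    fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(body.group("fields"))}
    return AvcRecord(
        timestamp=float(head.group("ts")),
        serial=int(head.group("serial")),
        decision=body.group("decision"),
        permissions=body.group("perms").split(),
        fields=fields,
    )


def parse_log(text: str) -> List[AvcRecord]:
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def summarize(rec: AvcRecord) -> str:
    mode = "blocked" if rec.enforced else "logged only (permissive)"
    return (f'{rec.fields.get("comm", "?")} [{rec.source_type()}] {rec.decision} '
            f'{{ {" ".join(rec.permissions)} }} on {rec.fields["tclass"]} '
            f'{rec.target()} [{rec.target_type()}]: {mode}')


def hint(rec: AvcRecord) -> str:
    """Heuristic next step from the three type fields; not a replacement for sealert."""
    if rec.fields.get("tclass") in ("file", "dir") and rec.target_type() == "default_t":
        # default_t means no file-context rule covers this path: a labeling problem.
        return ("target is default_t: add a rule with semanage fcontext "
                "and relabel with restorecon")
    for perm in rec.permissions:
        key = (rec.source_type(), rec.target_type(), rec.fields.get("tclass"), perm)
        if key in BOOLEAN_HINTS:
            return f"check the Boolean {BOOLEAN_HINTS[key]} (getsebool / setsebool -P)"
    return "no shortcut matched: run sealert -a on the log for a full analysis"


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(f"serial {rec.serial}: {summarize(rec)}")
        print(f"  next step: {hint(rec)}")
```

On a live system, feed the parser real records instead of SAMPLE_LOG, for example the output of ausearch -m AVC -ts recent (ausearch ships with the audit package and understands the time stamps, which grep does not). The hint function deliberately distinguishes the two most common causes of a denial: a label that does not match the policy's expectation, where the fix is to relabel, and a policy rule gated behind a Boolean, where the fix is to turn the Boolean on. Extend BOOLEAN_HINTS for the domains you run; it is a convenience table, and the authoritative analysis remains sealert.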

The sealert command

SELinux records denials as raw audit text. If you find that format difficult to read, use the sealert command. It comes from the setroubleshoot project: the setroubleshootd daemon watches for AVC denials in the background, analyzes each one against a set of plugins, and stores an alert that states the likely cause and recommends a fix (a Boolean to enable, a label to correct, or a local policy module to generate). Treat its suggestions as a starting point rather than an instruction: the audit2allow option it sometimes offers simply permits whatever was denied, which is the wrong answer when the denial was caused by a mislabeled file or by a process doing something it should not. sealert is not part of a minimal installation, so install it first with the following command.

# dnf install setroubleshoot-server

After installation, the following command analyzes every denial in the audit log and prints each alert together with its possible solutions.

# sealert -a /var/log/audit/audit.log


This tutorial is part of the series "SELinux Explained with Examples". The other parts of the series are as follows:

Chapter 1  Basic concepts and fundamentals of SELinux
Chapter 2  SELinux and AppArmor Differences and Terminology
Chapter 3  SELinux Modes Explained with Examples
Chapter 4  SELinux Contexts for Users, Processes, and Files
Chapter 5  Copying, Moving, and Archiving Files with SELinux Contexts
Chapter 6  SELinux Explained with Examples in Easy Language
Chapter 7  SELinux Booleans Explained with Examples
Chapter 8  Troubleshooting SELinux explained with Booleans

Conclusion

SELinux protects files, directories and other system objects from access the policy does not allow. When it is enabled, every access check goes through the SELinux policy, and every denial is recorded in the audit log before the request is refused (in enforcing mode) or allowed through (in permissive mode). Reading these records is an essential skill for any Linux administrator. This tutorial explained where SELinux writes its denial records, what each field of an AVC record means, and how to use them and the sealert command to troubleshoot and debug the system.
