Portal:SELinux/Troubleshooting


Troubleshooting

Moving Files

SELinux types are applied to a file when it is created, normally inherited from the directory the file is created in. When a file is moved (as opposed to copied), its type stays the same. A common example: if you copy a file to a server with scp, it lands in your home directory and is labeled `user_home_t`. If you then move that file to `/var/www/html` to be served by a web server, the file does *not* change its type to `httpd_sys_content_t`, and the web server (running as `httpd_t`) is normally not allowed to read it.

This is a feature: a file that was private in a home directory does not become readable by the web server just because it was moved into the web root. The label has to be changed deliberately.

You can see the current types with `ls -lZ`, and the type the policy expects for a given path with `matchpathcon <path>`.

To avoid the problem, use `mv -Z src dst`, which sets the destination's type to the default for its new location. Alternatively, after the move, run `restorecon -v dst` (add `-R` for a directory) to reset the types to the policy defaults. `restorecon -Rnv dst` lists what would be relabeled without changing anything, which is a quick way to check a directory for mislabeled files.


Relabeling your system

If the labels on the filesystem no longer match what the policy expects (for example after a policy update, after files were created while SELinux was disabled, or after a restore from a backup that did not preserve labels), you can get a flood of denials. Relabel the filesystem in these cases. If you know which subtree is affected, `restorecon -Rv /path` is much quicker than a full relabel.

You can trigger a full relabel with `systemctl start selinux-autorelabel`. This WILL reboot your system, and a full relabel can take a long time on a large filesystem. The traditional way to request the same relabel is `touch /.autorelabel` followed by a reboot.

Investigating Denials

If you can't fix it yourself, please open a bug and include the denial records collected with the commands below.

List SELinux related audit events since boot

   # ausearch -ts boot -m avc

Instead of `boot`, other useful values for `-ts` are `today` or `recent` (the last 10 minutes). Adding `-i` interprets numeric fields such as timestamps and uids. Note that `ausearch` reads the log written by auditd; if auditd is not running, the kernel logs AVC denials to the kernel ring buffer instead, where `dmesg | grep avc` or `journalctl -k | grep avc` will find them. Denials raised by userspace object managers such as systemd or dbus are recorded as `USER_AVC` rather than `AVC`, so `-m avc,user_avc` catches both.

Analyze service failure

   # ausearch -ts recent -m avc -c sshd
   ----
   time->Tue May 18 14:47:47 2021
   type=AVC msg=audit(1621342067.432:82): avc:  denied  { read } for  pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
   ----
   time->Tue May 18 14:47:47 2021
   type=AVC msg=audit(1621342067.432:83): avc:  denied  { open } for  pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
   [...]

The output can be piped through audit2why (from the policycoreutils-python-utils package), for example `ausearch -ts recent -m avc -c sshd | audit2why`, which tries to explain each denial. Note the `permissive=1` in these records: the kernel logged the denial but still allowed the access, because the system (or the sshd_t domain) was in permissive mode, which is why the whole chain of denied permissions is visible. In enforcing mode you would typically see only the first refused permission, fix it, and then run into the next one. In this case the tool recommends turning on a boolean:

   Was caused by:
   The boolean nis_enabled was set incorrectly. 
   Description:
   Allow nis to enabled
   
   Allow access by executing:
   # setsebool -P nis_enabled 1

Following that instruction would resolve the issue in this case; `-P` makes the change persistent across reboots, without it the boolean reverts at the next boot. Before enabling a boolean, make sure the access is actually wanted: `nis_enabled` permits NIS access for many domains, which is only appropriate if the host really uses NIS. To get the description of a boolean, run semanage (from the policycoreutils-python-utils package), and to see exactly which rules a boolean enables, run sesearch (from setools-console):

   # semanage boolean -l | grep nis_enabled
   # sesearch -A -b nis_enabled

Another example:

   type=AVC msg=audit(1621342040.556:15): avc:  denied  { watch } for  pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=22... scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1

For that one, audit2why finds no boolean and recommends using audit2allow (from the policycoreutils-python-utils package) to produce a new rule. Before writing new policy, check that the target is labeled as the policy expects (`matchpathcon /var/cache/cups` shows the expected type); a wrong label is fixed with `restorecon`, not with a new rule.

Using audit2allow

audit2allow reads AVC records and turns them into allow rules. The usual workflow is `ausearch -ts recent -m avc -c systemd | audit2allow -M local_cups` (the module name is arbitrary), which writes `local_cups.te`, the readable policy source, and `local_cups.pp`, the compiled module; `semodule -i local_cups.pp` loads it. Read the .te file before loading it: audit2allow allows whatever was denied, so in permissive mode a single run can collect a wide set of rules, and a boolean, a correct label or a fix in the program is preferable when one exists. For the systemd record above it produces:

   #============= init_t ==============
   allow init_t cupsd_rw_etc_t:dir watch;
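
Worked example of what the tools above do with a denial, added for this page and not code from audit2allow or any other policycoreutils tool: it parses AVC records, groups the denied permissions by source type, target type and object class, prints rules in the format audit2allow uses, and builds the `.te` module source so it can be reviewed before compiling. The sample log is constructed for the example: the two sshd records from above, a completed version of the systemd record (the inode number is invented), and one SYSCALL record to show that non-AVC lines are skipped. The module name `local_fix` is an arbitrary choice.

```python
"""Parse SELinux AVC denials and derive audit2allow-style rules.

Added example for this page; not code from audit2allow or policycoreutils.
SAMPLE_AUDIT is constructed for the example: the sshd records from the page,
the systemd record completed with an invented inode, and one SYSCALL record.
"""
import re
from collections import defaultdict

# key=value tokens; values are either quoted (comm="sshd") or bare (pid=839)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set:  avc:  denied  { open read }
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')

SAMPLE_AUDIT = """\
type=AVC msg=audit(1621342067.432:82): avc:  denied  { read } for  pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621342067.432:83): avc:  denied  { open } for  pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1621342067.432:83): arch=c000003e syscall=257 success=yes exit=4 pid=839 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1621342040.556:15): avc:  denied  { watch } for  pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=22 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = _PERMS.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in _KV.findall(line):
        rec[key] = val.strip('"')
    if 'scontext' not in rec or 'tcontext' not in rec or 'tclass' not in rec:
        return None
    # a context is user:role:type[:range]; the rules only need the type
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=1: the kernel logged the denial but let the access through
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def parse_log(text):
    """All AVC records in an ausearch / audit.log dump, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def aggregate(records):
    """Denied permissions keyed by (source type, target type, object class)."""
    perms = defaultdict(set)
    for r in records:
        if r['result'] == 'denied':
            perms[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return perms


def _permset(perms):
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'


def allow_rules(records):
    """Rules in the form audit2allow prints, one per (source, target, class)."""
    return [f'allow {s} {t}:{c} {_permset(p)};'
            for (s, t, c), p in sorted(aggregate(records).items())]


def te_module(name, records):
    """Source of a loadable policy module (what audit2allow -M writes as .te).
    Review it before compiling: every denied access becomes an allow rule."""
    agg = aggregate(records)
    types = sorted({s for s, _, _ in agg} | {t for _, t, _ in agg})
    classes = defaultdict(set)
    for (_, _, c), p in agg.items():
        classes[c].update(p)
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {_permset(p)};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    by_source = defaultdict(list)
    for (s, t, c), p in sorted(agg.items()):
        by_source[s].append(f'allow {s} {t}:{c} {_permset(p)};')
    for s in sorted(by_source):
        lines.append(f'#============= {s} ==============')
        lines += by_source[s]
        lines.append('')
    return '\n'.join(lines)


def blocked(records):
    """Denials that actually failed (permissive=0).  With permissive=1 the
    whole chain shows up at once; in enforcing mode you see the first refused
    permission, fix it, and then hit the next one."""
    return [r for r in records if not r['permissive']]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    print()
    print(te_module('local_fix', recs))
```

Running it prints `allow init_t cupsd_rw_etc_t:dir watch;` and `allow sshd_t var_yp_t:file { open read };` followed by the module source. The point of `blocked()` is the one that trips people up in practice: all four sample records carry `permissive=1`, so nothing on that system was actually refused; the same denials on an enforcing system would have shown up one at a time.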