Troubleshooting SELinux

In this recipe, you will learn how to troubleshoot SELinux policies, which is most often needed when access to some SELinux object has been denied and you need to find out why. We will show you how to work with the sealert tool, which produces human-readable error messages you can act on.

Getting ready

To complete this recipe, you will require a working installation of the CentOS 7 operating system with root privileges. It is assumed that you are working through this chapter recipe by recipe, so by now you should have installed the SELinux tools and applied the Working with policies recipe in this chapter, as we will produce some SELinux denial events in order to show you how to use the log file tools.

How to do it...

  1. To begin, log in as root and provoke an SELinux denial event:
    touch /var/www/html/test2.html
    semanage fcontext -a -t user_tmp_t /var/www/html/test2.html
    restorecon -v /var/www/html/test2.html
    curl http://localhost/test2.html
    
  2. Now, let's generate an up-to-date human readable log file:
    sealert -a /var/log/audit/audit.log
    
  3. In the program's output, you will get a detailed description of any SELinux problem and, at the end of each so-called alert, you will even find a suggested solution to fix the problem; in our example, the alert of interest should read (the output is truncated) as shown next:
    SELinux is preventing /usr/sbin/httpd from open access on the file /var/www/html/test2.html.
    /var/www/html/test2.html default label should be httpd_sys_content_t
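
As an added example that is not part of the original recipe, the following POSIX shell helper pulls out of raw AVC records the same facts sealert reports in step 3: the process, the source domain, the target type, the object class and the requested permissions. The log lines embedded in it are constructed samples that mirror the denial provoked in step 1, not output captured from a real system.

```shell
# Constructed sample records in the format of /var/log/audit/audit.log; the
# values are illustrative and mirror the denial provoked in step 1 of this
# recipe (httpd_t trying to open a file labelled user_tmp_t).
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { open } for  pid=1234 comm="httpd" path="/var/www/html/test2.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read write } for  pid=1234 comm="httpd" path="/var/www/html/test2.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# Reduce each AVC denial read from stdin to one line:
#   <comm> <source type> <target type> <object class> <permission(s)>
# Only the type field of each context is kept; the user and role fields are
# rarely what a mislabelling problem is about. Non-AVC records are skipped,
# and a denial listing several permissions (e.g. "{ read write }") keeps them all.
summarize_avc() {
    grep 'avc: *denied' | sed -n \
        's/.*avc: *denied *{ *\([^}]*[^ }]\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \5 \1/p'
}

# Count denials per (source type, target type, class) triple, most frequent
# first; a mislabelled object shows up as one triple repeated on every access.
count_pairs() {
    summarize_avc | awk '{ c[$2 " " $3 " " $4]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | count_pairs
```

On a live CentOS 7 host the same functions can be fed real records with `ausearch -m avc -ts recent | summarize_avc`, which is the raw data that sealert summarises in step 2.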
    

How it works...

In this recipe, we showed you how easily one can troubleshoot SELinux problems using the sealert program. We started by provoking an SELinux access-denial problem: we created a new file in the web root directory and assigned it the wrong context type, user_tmp_t, for which the httpd policy defines no access rule. Then, we used the curl command to try to fetch the page and so produce the Access Vector Cache (AVC) denial message in the SELinux logs. Denial messages are logged whenever SELinux denies access.

The primary source of all SELinux logging information is the audit log file, /var/log/audit/audit.log, and easier-to-read denial messages are also written to /var/log/messages. Instead of manually grepping for error messages and combining both log files, we use the sealert tool, a convenience program that parses the audit and messages log files and presents the relevant AVC content in a human-readable format. At the end of each alert message, you will also find a suggested solution to the problem. Please note that these are auto-generated messages and should always be questioned before you apply them.
