Viewing setroubleshoot messages

Whenever something happens that violates an SELinux rule, it gets logged in the /var/log/audit/audit.log file. Tools are available that can let you directly read that log, but to diagnose SELinux problems it's way better to use setroubleshoot. The beauty of setroubleshoot is that it takes cryptic, hard-to-interpret SELinux messages from the audit.log file and translates them into plain, natural language. The messages that it sends to the /var/log/messages file even contain suggestions about how to fix the problem. To show how this works, let's go back to our problem where a file in the /var/www/html directory has been assigned the wrong SELinux type. Of course, we knew right away what the problem was because there was only one file in that directory and a simple ls -Z showed what was wrong with it. However, let's ignore that for the moment and say that we didn't know what the problem was. By opening the /var/log/messages file in less and searching for sealert, we'll find this message:

Nov 26 21:30:21 localhost python: SELinux is preventing httpd from open access on the file /var/www/html/index.html.#012#012*****  Plugin restorecon (92.2 confidence) suggests   ************************#012#012If you want to fix the label. #012/var/www/html/index.html default label should be httpd_sys_content_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /var/www/html/index.html#012#012*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************#012#012If you want to allow httpd to read user content#012Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean.#012#012Do#012setsebool -P httpd_read_user_content 1#012#012*****  Plugin catchall (1.41 confidence) suggests   **************************#012#012If you believe that httpd should be allowed open access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012

The first line of this message tells us what the problem is. It's saying that SELinux is preventing httpd from opening the /var/www/html/index.html file because it's set with the wrong type. It then gives us several suggestions on how to fix the problem, with the first one being to run the restorecon command, as I've already shown you how to do.

A good rule-of-thumb to remember when reading these setroubleshoot messages is that the first suggestion in the message is normally the one that will fix the problem.
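The message above is one very long line in /var/log/messages because rsyslog escapes the embedded newlines as #012. The following added example (mine, not from the book) expands those escapes and picks out the highest-confidence plugin's command, which is the rule-of-thumb fix; it runs against a constructed sample log file rather than the real /var/log/messages.

```shell
#!/bin/sh
# Added example: surface the top setroubleshoot suggestion from a syslog file.
# rsyslog writes embedded newlines as the octal escape #012, so each
# setroubleshoot message lands in /var/log/messages as a single long line.

# Constructed sample log with one setroubleshoot message (not real log data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov 26 21:30:20 localhost systemd: Started Session 3 of user root.
Nov 26 21:30:21 localhost python: SELinux is preventing httpd from open access on the file /var/www/html/index.html.#012#012*****  Plugin restorecon (92.2 confidence) suggests   ************************#012#012If you want to fix the label. #012/var/www/html/index.html default label should be httpd_sys_content_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /var/www/html/index.html#012#012*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************#012#012If you want to allow httpd to read user content#012Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean.#012#012Do#012setsebool -P httpd_read_user_content 1#012
EOF

# Print the setroubleshoot messages in a syslog file with #012 expanded
# back into real newlines, so they read the way sealert shows them.
expand_sealert() {
    grep 'SELinux is preventing' "$1" | awk '{ gsub(/#012/, "\n"); print }'
}

# For each message print "<plugin> <confidence> <command>" for the plugin
# with the highest confidence, i.e. the first suggestion in the message.
top_suggestion() {
    expand_sealert "$1" | awk '
        /SELinux is preventing/ {
            # Start of a new message: report the previous one, reset state.
            if (seen) print best_name, best, cmd
            seen = 1; best = -1; best_name = ""; cmd = ""; want = 0
            next
        }
        /^\*\*\*\*\*  Plugin / {
            # e.g. "*****  Plugin restorecon (92.2 confidence) suggests   ***"
            name = $3; conf = $4; sub(/^\(/, "", conf)
            if (conf + 0 > best) { best = conf + 0; best_name = name; want = 1 }
            else want = 0
            next
        }
        # The recommended command is the line after "Do"; drop the "# " prompt.
        want && $0 == "Do" { getline; sub(/^# /, ""); cmd = $0; want = 0 }
        END { if (seen) print best_name, best, cmd }
    '
}

top_suggestion "$SAMPLE_LOG"
# prints: restorecon 92.2 /sbin/restorecon -v /var/www/html/index.html
```

Point it at /var/log/messages on a real system to get the same one-line summary for every logged denial.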