Chapter 7. Troubleshooting

Chapter 7. Troubleshooting

7.1. What Happens when Access is Denied
7.2. Top Three Causes of Problems
7.2.1. Labeling Problems
7.2.2. How are Confined Services Running?
7.2.3. Evolving Rules and Broken Applications
7.3. Fixing Problems
7.3.1. Linux Permissions
7.3.2. Searching For and Viewing Denials
7.3.3. Raw Audit Messages
7.3.4. sealert Messages
7.3.5. Manual Pages for Services
7.3.6. audit2allow

The following sections...

7.1. What Happens when Access is Denied

SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also know as "AVC denials", and are logged to a different location, depending on which daemons are running:

DaemonLog Location
auditd on/var/log/audit/audit.log
auditd off; rsyslogd on/var/log/messages
setroubleshootd, rsyslogd, and auditd on/var/log/audit/audit.log. Easier-to-read denial messages also sent to /var/log/messages

If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd daemon running, a yellow star and a warning are displayed when access is denied by SELinux:

Clicking on the star presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browing your website may receive an error similar to the following:

Forbidden

You don't have permission to access file name on this server

For these situations, if DAC rules (standard Linux permissions) allow access, check /var/log/messages and /var/log/audit/audit.log for SELinux is preventing and avc: denied errors respectively. This can be done by running the following commands as the Linux root user:

grep "SELinux is preventing" /var/log/messages

grep "avc: denied" /var/log/audit/audit.log