Sunday, 10 April 2016

Troubleshooting SELinux on CentOS / RHEL / Fedora

We should firstly verify whether SELinux is turned on with:

sestatus

By default SELinux logs an AVC denial to /var/log/audit/audit.log when it blocks a process.

As this log can get pretty noisy we should probably clear it beforehand to make it a little easier for ourselves:

> /var/log/audit/audit.log

We should now launch the program or process we suspect is being blocked and monitor this file:

tail -f /var/log/audit/audit.log

We can also produce more human-readable output with the ausearch tool, which with --start recent looks at events from the last hour:

ausearch -m avc --start recent

or the last 24 hours with:

ausearch -m avc --start today

If we see something of interest, we can install some utilities to help us analyze the logs:

dnf install setroubleshoot setools

setroubleshoot will then generate a report explaining which process and action triggered the alert and how you can remediate it. If we want to add a system-wide exception for a function we can use setsebool, for example:

setsebool -P selinuxuser_execheap 1

or, better yet, we can generate a custom policy module for SELinux with the '-M' switch on audit2allow:

audit2allow -a -M myselinuxcustomrules

and then import it with semodule:

semodule -i myselinuxcustomrules.pp
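Before feeding the whole audit log to audit2allow it helps to see what is actually in it, because a module built from every denial in the log allows all of them. The script below is an added example, not something from the original post: it summarizes AVC denials by process, permission, class and source/target type so you can decide, per denial, whether an existing boolean covers it or a custom module is warranted. The audit log lines embedded in it are constructed samples in the format of /var/log/audit/audit.log; pass a real log path as the first argument to summarize that instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the AVC denials in an
# audit log before choosing between a boolean (setsebool) and a custom module
# (audit2allow/semodule). The log lines below are constructed samples in the
# format of /var/log/audit/audit.log; a real run reads the actual file.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1460300000.100:455): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1460300000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1460300001.456:457): avc:  denied  { execheap } for  pid=1234 comm="myprog" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1460300002.789:458): avc:  denied  { read } for  pid=2346 comm="httpd" name="logo.png" dev="sda1" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# count_avc_denials: number of "avc:  denied" records read from stdin.
# grep -c exits 1 when the count is 0, so force success for set -e callers.
count_avc_denials() {
    grep -c 'avc:  denied' || true
}

# summarize_avc_denials: one line per distinct denial read from stdin:
#   <count> <comm> <permission> <tclass> <source type> <target type>
# The source/target type is the third field of the SELinux context, which is
# what a policy rule (and the output of audit2allow) is written in terms of.
summarize_avc_denials() {
    awk '
    /avc:  denied/ {
        perm = ""; comm = ""; stype = ""; ttype = ""; cls = ""
        # permissions sit between "{ " and " }", e.g. "{ read }" or "{ read write }"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print comm, perm, cls, stype, ttype
    }' | sort | uniq -c | sort -rn
}

# Usage: ./avc_summary.sh [audit.log]; with no readable file given, the
# constructed sample above is summarized instead.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    summarize_avc_denials < "$1"
else
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc_denials
fi
```

On the sample this prints two summary lines: httpd denied read on user_home_t files (twice) and myprog denied execheap. The httpd case is the kind usually covered by an existing boolean (check getsebool -a | grep httpd before writing policy), whereas execheap is exactly what the selinuxuser_execheap boolean above toggles and is worth questioning rather than allowing. Whichever route you take, read the .te file that audit2allow -M writes next to the .pp before running semodule -i on it: it is the complete list of what the module will permit.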
