Sunday 10 April 2016

Troubleshooting SELinux on CentOS / RHEL / Fedora

First, we should verify whether SELinux is turned on:

sestatus

By default, SELinux writes to the /var/log/audit/audit.log file when it blocks a process.

As this log can get pretty noisy, we should probably clear it beforehand to make things a little easier for ourselves:

> /var/log/audit/audit.log

We should now launch the program / process we suspect is being blocked and monitor this file:

tail -f /var/log/audit/audit.log

We can also produce more human-readable output with the ausearch tool (this looks at events from the last hour):

ausearch -m avc --start recent

or the last 24 hours with:

ausearch -m avc --start today | audit2why

Most of the time we can use audit2why to help us tweak the SELinux configuration to get things working again - for example, I often find that web servers (particularly reverse proxies) will often use odd ports for downstream servers.

We can take a few approaches:

1. Change the backend server ports (this is not always possible obviously!)

2. Add the ports in the SELinux module ruleset - we can see existing ports with:

semanage port -l | grep -w "http_port_t"

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

and then add an additional port in with:

semanage port -a -t http_port_t -p tcp 8888

However, this is not always possible if the port number is defined elsewhere, i.e. in another policy.

3. As a last resort you can tweak the module to disable specific functions - such as allowing the web server to connect to any remote port:

setsebool -P httpd_can_network_connect 1

4. We can also create our own custom policies by installing some utilities to help us analyze the logs:

dnf install setroubleshoot setools

This will generate a report explaining which process and action triggered the alert and how you can remediate it. If we want to add a system-wide exception for a function, we can use setsebool - for example:

setsebool -P selinuxuser_execheap 1

or better yet we can generate a custom rule for SELinux with the '-M' switch on audit2allow:

audit2allow -a -M myselinuxcustomrules

and then import it with semodule:

semodule -i myselinuxcustomrules.pp
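
For the reverse proxy case in option 2, the script below groups httpd_t name_connect denials by destination port and separates ports that can simply be added to http_port_t from ports already labelled by another type (the caveat under option 2). It is an added example, not part of the original post; the sample records, the function names and the list of generic port types are constructed assumptions.

```shell
#!/bin/sh
# Added example: group httpd_t name_connect denials by destination port.

# Constructed sample records in audit.log AVC format (not from a real host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1460280001.101:501): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1460280002.214:502): avc:  denied  { getattr } for  pid=2101 comm="nginx" path="/srv/app/index.html" dev="dm-0" ino=7731 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1460280003.377:503): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1460280004.590:504): avc:  denied  { name_connect } for  pid=2240 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
EOF
}

# Reads AVC records on stdin; prints "count comm port target_type" per group,
# ordered by port. Only outbound connects by the web server domain are kept.
summarise_denials() {
  awk '
    /avc: +denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
      comm = port = type = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/) { comm = $i; gsub(/^comm=|"/, "", comm) }
        if ($i ~ /^dest=[0-9]+$/) port = substr($i, 6)
        if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
      }
      if (port != "") count[comm " " port " " type]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k3,3n
}

# Ports still carrying a generic range type (assumed list) get the semanage
# command from option 2; ports owned by another type are only flagged.
suggest_fixes() {
  summarise_denials | awk '
    seen[$3]++ { next }
    $4 ~ /^(unreserved|ephemeral|reserved|hi_reserved)_port_t$/ {
      print "semanage port -a -t http_port_t -p tcp " $3; next }
    { print "# tcp/" $3 " is already labelled " $4 ", review before relabelling" }'
}

# Live use (assumption: run as root): ausearch -m avc --start today | suggest_fixes
sample_avc | suggest_fixes
```

The output is a list of candidate commands to review, one per port, rather than a blanket httpd_can_network_connect change.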
