Portal:SELinux/Troubleshooting
Troubleshooting
Moving Files
SELinux types are applied to a file when it is created. When a file is moved, its type remains the same. A common example: if you copy a file with scp into your home directory on a server, it will be labeled `user_home_t`. If you then move that file to `/var/www/html` to be served by a webserver, the file would *not* change its type to `httpd_file_t`.
This is a feature, to prevent accidentally disclosing information that shouldn't be disclosed!
You can see these types with `ls -lZ`.
To avoid this, use `mv -Z src dst` to have the file's type updated during the move. Alternatively, after the move you can run `restorecon -v dst` to reset the type to the default for the new location.
Relabeling your system
If the labels on your filesystem have become inconsistent, this can lead to a lot of SELinux denials. In that case you should relabel your filesystem.
You can trigger a full relabel with `systemctl start selinux-autorelabel`. This WILL reboot your system.
Investigating Denials
If you can't fix it yourself, please open a bug.
List SELinux related audit events since boot
# ausearch -ts boot -m avc
Instead of `boot`, other useful values are `today` or `recent`.
Analyze service failure
# ausearch -ts recent -m avc -c sshd
----
time->Tue May 18 14:47:47 2021
type=AVC msg=audit(1621342067.432:82): avc: denied { read } for pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
----
time->Tue May 18 14:47:47 2021
type=AVC msg=audit(1621342067.432:83): avc: denied { open } for pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
[...]
The output can be piped through audit2why (from the policycoreutils-python-utils package), which may explain why the access was denied. In this case the tool recommends turning on a boolean:
Was caused by:
The boolean nis_enabled was set incorrectly.
Description:
Allow nis to enabled

Allow access by executing:
# setsebool -P nis_enabled 1
Following the instruction to run setsebool would resolve the issue in this case. To see the description of a boolean, run semanage (from the policycoreutils-python-utils package); to see which rules a boolean enables, run sesearch (from setools-console):
semanage boolean -l | grep nis_enabled
sesearch -A -b nis_enabled
Another example:
type=AVC msg=audit(1621342040.556:15): avc: denied { watch } for pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=22stem_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1
For that denial, audit2why instead recommends using audit2allow (from the policycoreutils-python-utils package) to produce a new rule.
Using audit2allow
The audit2allow tool turns audit messages into policy rules, which can be loaded into SELinux once they have been compiled into a policy module.
#============= init_t ==============
allow init_t cupsd_rw_etc_t:dir watch;
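To show how a rule like the one above is derived from AVC records, here is an added example (written for this page, not audit2allow's own code) that parses the denials shown above and aggregates them into audit2allow-style allow rules per source type. The sample records are constructed from the page's output; the cups record has its truncated scontext field restored so that it parses.

```python
import re
from collections import defaultdict

# Constructed sample: the two sshd records are copied from the ausearch output
# above; the cups record is the truncated one above with the missing
# "scontext=system_u:sy" prefix restored.
AVC_RECORDS = """\
type=AVC msg=audit(1621342067.432:82): avc:  denied  { read } for  pid=839 comm="sshd" name="example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621342067.432:83): avc:  denied  { open } for  pid=839 comm="sshd" path="/var/yp/binding/example.com.3" dev="vda2" ino=199155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621342040.556:15): avc:  denied  { watch } for  pid=1 comm="systemd" path="/var/cache/cups" dev="vda2" ino=22 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir permissive=1
"""
# The fields a rule needs: permissions, source/target context, object class.
# permissive=1 means the access was logged but not blocked (permissive mode).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the parsed fields of one AVC line, or None for non-AVC input."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def build_rules(text):
    """Aggregate denials into audit2allow-style allow rules grouped by source type."""
    perms = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules, last = [], None
    for (s, t, c), p in sorted(perms.items()):
        if s != last:
            rules.append(f"#============= {s} ==============")
            last = s
        plist = " ".join(sorted(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {plist};")
    return rules

if __name__ == "__main__":
    print("\n".join(build_rules(AVC_RECORDS)))
```

Note that the generated `allow sshd_t var_yp_t:file { open read };` rule is exactly the kind audit2why warns you not to add blindly: for that denial the existing `nis_enabled` boolean is the correct fix, so always run audit2why before loading anything audit2allow produces.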