Open Source Software and Linux

Nov 5 2008   2:56PM GMT

Maintaining your sanity with SELinux

John Little Profile: Xjlittle

Yes, I know: everyone wants to turn off SELinux. The Notes Domino people even tell you to turn it off before installing Domino. While that may be the right call for their particular server, it is not such a good idea under normal circumstances. SELinux is another excellent layer of protection for your system, alongside iptables and hosts.allow and hosts.deny. Keeping a few things in mind will help you maintain your sanity while using SELinux.

First up are /var/log/audit/audit.log, /var/log/secure and /var/log/messages. If SELinux is set to enforcing and you have just installed a new application or created a file or directory that is not being allowed the access it needs, these three files are the place to go. Before you do this, make sure the setroubleshoot packages are installed.

After installing them, start the setroubleshoot daemon and set it to start at boot:

/etc/init.d/setroubleshoot start
Starting setroubleshootd: [ OK ]
chkconfig setroubleshoot on

Watch the logs in real time as you attempt to access the application, file or directory, like this:

cd /var/log
tail -f secure audit/audit.log messages

After doing this, hit Enter three times to give yourself some white space between the old messages and the new ones that get generated. If SELinux is what is blocking you, you will see something like the following in the messages log:

Nov 5 08:18:44 centos5-dev setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37

To find out not only what is going on but how to fix it, run the sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37 command named in the message.

[root@centos5-dev ~]# sealert -l d102b5a4-ac6f-470f-aa34-55ac37dafa37


SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context system_u:system_r:hplip_t
Target Context system_u:object_r:file_t
Target Objects [ lnk_file ]
Source Path /bin/env
Source RPM Packages coreutils-5.97-14.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name file
Host Name
Platform Linux
2.6.18-92.1.10.el5xen #1 SMP Tue Aug 5 08:46:32
EDT 2008 i686 athlon
Alert Count 3
First Seen Wed Nov 5 08:18:39 2008
Last Seen Wed Nov 5 08:18:39 2008
Local ID d102b5a4-ac6f-470f-aa34-55ac37dafa37
Line Numbers

Raw Audit Messages type=AVC msg=audit(1225891119.851:12): avc: denied { read } for pid=2634 comm="" name="" dev=dm-0 ino=1547246 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1225891119.851:12): arch=40000003 syscall=5 success=no exit=-13 a0=b7fb2b4b a1=0 a2=bfd8a2b4 a3=8 items=0 ppid=2633 pid=2634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="" exe="/bin/env" subj=system_u:system_r:hplip_t:s0 key=(null)
[root@centos5-dev ~]#

The part we are interested in is under the heading Allowing Access: "You can execute the following command as root to relabel your computer system:"
"touch /.autorelabel; reboot"

Running that command relabels the entire filesystem on the next boot, which fixes our problem here because file_t means the files simply never received a label. A full relabel can take a while on a big system, so if the unlabeled files are confined to one new disk or directory, the restorecon -R command the sealert output mentions is the quicker route. Note that these problems can range from accessing HTML pages to allowing a public web directory in your home directory.
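To see what the raw AVC lines in audit.log are telling you without waiting for setroubleshoot to summarise them, here is a small added example (not from the original post) that pulls the source type, target type, object class and denied permissions out of each denial and flags a file_t target as a labeling problem rather than a policy problem. The three log lines it parses are constructed to match the format shown in the Raw Audit Messages above; the second one is a SYSCALL record and is meant to be ignored.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Summarise SELinux AVC denials from audit.log-style lines.

# Constructed sample lines in the format auditd writes to /var/log/audit/audit.log.
# Line 1: hplip_t hits an unlabeled (file_t) symlink. Line 2: the matching SYSCALL
# record, which carries no AVC fields. Line 3: httpd reading a vhost tree under
# /srv that was never given the web-content label.
SAMPLE_AUDIT='type=AVC msg=audit(1225891119.851:12): avc:  denied  { read } for  pid=2634 comm="env" name="python" dev=dm-0 ino=1547246 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1225891119.851:12): arch=40000003 syscall=5 success=no exit=-13 comm="env" exe="/bin/env" subj=system_u:system_r:hplip_t:s0 key=(null)
type=AVC msg=audit(1225891200.101:40): avc:  denied  { getattr } for  pid=3120 comm="httpd" path="/srv/www/vhosts/example/index.html" dev=dm-0 ino=2093451 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file'

# Reads audit lines on stdin, prints one line per denial:
#   <source type> <target type> <object class> <denied perms> <hint>
# Only records containing "avc: denied" are considered, so SYSCALL, CWD and PATH
# records are skipped. The type is the third field of user:role:type[:level].
summarize_avc() {
    awk '
    /avc: +denied/ {
        # The denied permissions sit between the braces: { read write }
        b = index($0, "{"); e = index($0, "}")
        perms = substr($0, b + 1, e - b - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src) }
            if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        split(src, s, ":"); split(tgt, t, ":")
        stype = s[3]; ttype = t[3]
        # file_t is the label of a file that has no label at all: relabel it.
        # Anything else needs a look at the policy (sealert -l <id>).
        hint = (ttype == "file_t") ? "unlabeled-file:relabel" : "see-sealert"
        printf "%s %s %s %s %s\n", stype, ttype, cls, perms, hint
    }'
}

# Stand-alone run: summarise the constructed sample.
# On a real box: tail -f /var/log/audit/audit.log | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

The hint column is deliberately coarse: a file_t target always means the file was never labeled (new disk, tar -p of an old backup, a filesystem mounted before the policy loaded), and no amount of chcon tuning on the source domain will help until you relabel. Any other target type is a question for sealert.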

Next up we have the command:

chcon --reference

Let's say you are using your localhost as your web server. You decide that you want to add some virtual hosts, so you add the virtual host directories outside of the normal /var/www/html directory. You build your virtual hosts but now you can't access them. Watching your messages you see that this is definitely an SELinux problem. Using the above command we can fix it like this:

chcon -R --reference /var/www/html /srv/www/vhosts # Copies the context of /var/www/html onto the vhost root and everything under it

This takes the context of the reference directory and applies it to the new directory; -R recurses so that files whose context differs from the directory get fixed too. Files you create afterwards under /srv/www/vhosts inherit the directory's type, so they will usually come out right. What chcon does not do is tell the policy about the new path: the next restorecon or full relabel consults the policy's file contexts, not the labels you set by hand, and will put the tree back to whatever the policy says. To make the label permanent, register the path with semanage fcontext and then run restorecon on it.

The last way that we are going to discuss is restorecon. Taking the above scenario, under either of the directories you find that some files or directories did not pick up the correct context, or maybe none at all. Easy enough to fix:

restorecon -R -v /var/www/html

The reason this works is that restorecon looks up each path in the policy's file context database (the same rules a full relabel uses) and resets the file to the context recorded there, regardless of what the neighbouring files are labeled. -R recurses and -v prints every file it changed; -n shows what would change without touching anything. That is also why restorecon will undo a chcon on a path the policy does not know about unless you have registered that path with semanage fcontext first.
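The vhost scenario from the last two sections carried through end to end, as an added example that is not from the original post: the quick chcon fix, the persistent semanage fcontext rule, and a restorecon check. It assumes the post's /srv/www/vhosts directory, the httpd_sys_content_t type that /var/www/html carries on CentOS 5, and the chcon, semanage and restorecon commands from coreutils and policycoreutils. By default it only prints the commands it would run; DRY_RUN=0 executes them and must be run as root on an SELinux machine.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Label a virtual-host tree outside /var/www so httpd can serve it, and make
# the label survive restorecon and a full relabel.
set -eu

VHOST_ROOT="${VHOST_ROOT:-/srv/www/vhosts}"   # directory assumed from the post
REF_DIR="${REF_DIR:-/var/www/html}"           # reference: labeled httpd_sys_content_t by policy
WEB_TYPE="${WEB_TYPE:-httpd_sys_content_t}"   # read-only web content type on CentOS 5
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = run them (as root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 0 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Quick fix: copy the label of /var/www/html onto the whole vhost tree.
# Not persistent: the policy still thinks /srv/www/vhosts is whatever its
# file_contexts say, so the next restorecon or /.autorelabel undoes this.
chcon_from_reference() {
    run chcon -R --reference "$REF_DIR" "$VHOST_ROOT"
}

# Persistent fix: record a file-context rule for the tree, then apply it.
# The regex "(/.*)?" covers the directory itself and everything below it.
# semanage fcontext -a fails if a rule for that regex already exists;
# use -m instead of -a to modify an existing one.
persist_context() {
    run semanage fcontext -a -t "$WEB_TYPE" "${VHOST_ROOT}(/.*)?"
    run restorecon -R -v "$VHOST_ROOT"
}

# Check: restorecon -n lists files whose label differs from the policy without
# changing them. Empty output means the tree is labeled the way policy expects.
check_labels() {
    run restorecon -R -n -v "$VHOST_ROOT"
}

# Stand-alone run: show (or, with DRY_RUN=0, perform) the full sequence.
chcon_from_reference
persist_context
check_labels
```

Run it once with the default dry run to read the commands, then as root with DRY_RUN=0. If the second step reports the rule already exists, someone (possibly you, earlier) has already registered the path; swap -a for -m or just run restorecon. After this, new files dropped under /srv/www/vhosts and any future full relabel both end up with httpd_sys_content_t, which is the property chcon alone cannot give you.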

There you have it. Keep your sanity and still use SELinux.

