mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
Update modules/ROOT/pages/troubleshooting_selinux.adoc
Updated page ready for PR
This commit is contained in:
parent
6f7712295e
commit
a29b6119bd
1 changed files with 3 additions and 74 deletions
|
@ -1,82 +1,9 @@
|
||||||
ifdef::context[:parent-context: {context}]
|
|
||||||
:context: prod_troubleshooting_selinux
|
|
||||||
|
|
||||||
[id='prod_troubleshooting_selinux']
|
|
||||||
= Troubleshooting SELinux
|
|
||||||
|
|
||||||
This document covers the basics of troubleshooting SELinux.
|
|
||||||
|
|
||||||
SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. For example, an SELinux error generated by the Apache web server may appear as `comm="/usr/sbin/httpd"`.
|
|
||||||
|
|
||||||
Each error message includes information on the source context (`scontext`) of that part of your system performing an action, and the target context (`tcontext`), the target of the action. In many cases, the source is a binary and the target a file.
|
|
||||||
|
|
||||||
== Understanding Denials
|
|
||||||
When SELinux prevents any software from accessing a particular resource, for example, when *Firefox* is denied access to `/etc/shadow`, it generates a message and logs it in `/var/log/audit/audit.log` or `/var/log/messages` if *audit* service is disabled. If the log contains `avc: denied` that means it is an SELinux policy denial. Note that you would need administrator privileges (root access) on your system to be able to read this log file. An example denial would look like:
|
|
||||||
-----
|
|
||||||
type=AVC msg=audit(1214965667.121:635): avc: denied { unix_read unix_write } for pid=15524 comm="npviewer.bin"
|
|
||||||
key=59918130 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
|
|
||||||
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s
|
|
||||||
-----
|
|
||||||
== Using the setroubleshoot utility
|
|
||||||
|
|
||||||
*setroubleshoot* is a utility that parses the messages from SELinux and provides comprehensive help on what it means and possible actions to take. It has both a graphical utility for your desktop and a server side component that can send email alerts. It is installed by default on Fedora. To install it on your system, use the *Software* tool in GUI or enter the following command:
|
|
||||||
-----
|
|
||||||
$ sudo dnf install setroubleshoot
|
|
||||||
-----
|
|
||||||
|
|
||||||
To start the program, run the following command:
|
|
||||||
-----
|
|
||||||
$ sealert
|
|
||||||
-----
|
|
||||||
|
|
||||||
You can find recent alerts in the browser that appears.
|
|
||||||
|
|
||||||
To troubleshoot an error, click the *troubleshoot* button in the SELinux Alert browser. The browser will return available options for resolving the error and commands to run to fix the problem.
|
|
||||||
|
|
||||||
[NOTE]
|
|
||||||
====
|
|
||||||
Some troubleshooting events can be resolved by enabling a boolean switch policy. This will allow the activity to procede in the future, regardless of SELinux enforcing policy. It is not recommended to utilize booleans without fully understanding the issue. For more information on booleans, see the link:https://docs-old.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html[Booleans] chapter in the SELinux User's and Administrator's Guide.
|
|
||||||
====
|
|
||||||
|
|
||||||
|
|
||||||
////
|
|
||||||
include::modules/con-troubleshooting-selinux-overview.adoc[leveloffset=+1]
|
|
||||||
|
|
||||||
include::modules/con-troubleshooting-selinux-access-is-denied.adoc[leveloffset=+2]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_top_three_causes_of_problems.adoc[leveloffset=+1]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_fixing_problems.adoc[leveloffset=+1]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_searching_viewing_denials.adoc[leveloffset=+2]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_disabling_permissive_domains.adoc[leveloffset=+2]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_raw_audit_messages.adoc[leveloffset=+1]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_sealert_messages.adoc[leveloffset=+2]
|
|
||||||
|
|
||||||
include::modules/con_troubleshooting_selinux_allowing_access_audit.adoc[leveloffset=+1]
|
|
||||||
|
|
||||||
include::modules/proc_troubleshooting_selinux_allowing_access_audit.adoc[leveloffset=+2]
|
|
||||||
////
|
|
||||||
|
|
||||||
== Additional Resources
|
|
||||||
|
|
||||||
* link:https://docs-old.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Troubleshooting.html[Troubleshooting] in the SELinux User's and Administrator's Guide
|
|
||||||
|
|
||||||
* link:https://fedorapeople.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf[Four Key Causes of SELinux Errors]
|
|
||||||
|
|
||||||
|
|
||||||
ifdef::parent-context[:context: {parent-context}]
|
|
||||||
ifndef::parent-context[:!context:]
|
|
||||||
|
|
||||||
= Troubleshooting problems related to SELinux
|
= Troubleshooting problems related to SELinux
|
||||||
:toc:
|
:toc:
|
||||||
|
|
||||||
If you plan to enable SELinux on systems where it has been previously disabled or if you run a service in a non-standard configuration, you might need to troubleshoot situations potentially blocked by SELinux. Note that in most cases, SELinux denials are signs of misconfiguration.
|
If you plan to enable SELinux on systems where it has been previously disabled or if you run a service in a non-standard configuration, you might need to troubleshoot situations potentially blocked by SELinux. Note that in most cases, SELinux denials are signs of misconfiguration.
|
||||||
|
|
||||||
=== Identifying SELinux denials
|
== Identifying SELinux denials
|
||||||
|
|
||||||
Follow only the necessary steps from this procedure; in most cases, you need to perform just step 1.
|
Follow only the necessary steps from this procedure; in most cases, you need to perform just step 1.
|
||||||
|
|
||||||
|
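Review bot: removing the old page body also drops its `[id='prod_troubleshooting_selinux']` anchor and the `:context:` / `parent-context` attribute handling, so any `xref:` to `prod_troubleshooting_selinux` elsewhere in quick-docs breaks after this hunk; either keep an `[id=...]` line directly above `= Troubleshooting problems related to SELinux` or grep the repository for that id before merging. Also note that the only heading level change shown is `=== Identifying SELinux denials` to `== Identifying SELinux denials`, while the rest of the remaining page (everything between this hunk and the one at old line 375) is untouched; the other section headings there should be checked for the same level, otherwise the `:toc:` nesting comes out inconsistent. The commit message ("Updated page ready for PR") should also say that the duplicate legacy page was removed, since that is the substance of these 74 deletions.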
@ -375,3 +302,5 @@ SELinux denied the `__httpd__` process with PID 2465 to access the `__/var/www/h
|
||||||
|
|
||||||
* Basic SELinux Troubleshooting in CLI
|
* Basic SELinux Troubleshooting in CLI
|
||||||
* What is SELinux trying to tell me? The 4 key causes of SELinux errors
|
* What is SELinux trying to tell me? The 4 key causes of SELinux errors
|
||||||
|
* link:https://docs-old.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Troubleshooting.html[Troubleshooting] in the SELinux User's and Administrator's Guide
|
||||||
|
* link:https://fedorapeople.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf[Four Key Causes of SELinux Errors]
|
||||||
|
|
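Review bot: the two `link:` entries added at the end of this list partly duplicate the unlinked context bullets just above them: `* What is SELinux trying to tell me? The 4 key causes of SELinux errors` and the added `* link:https://fedorapeople.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf[Four Key Causes of SELinux Errors]` appear to be the same talk, and both added URLs point at docs-old.fedoraproject.org for Fedora 25. Suggest attaching the URLs to the two existing bullets instead (for example `* link:https://fedorapeople.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf[What is SELinux trying to tell me? The 4 key causes of SELinux errors]`) so every resource is listed once and every item is a link, and, for the Troubleshooting chapter, linking a current guide where one exists rather than the archived Fedora 25 version.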