Selinux
Internal
Overview
How to Find Out Whether SELinux is Enabled
getenforce
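If SELinux is enabled and enforcing its policy, the command returns "Enforcing". The other possible values are "Permissive" (denials are logged but not blocked) and "Disabled".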
Configuration
Install Management and Troubleshooting Tools
yum provides /usr/sbin/semanage
yum provides sealert
yum -y install policycoreutils-python
yum -y install setroubleshoot-server
Troubleshooting
Get the SELinux Security Context
ls -lZ <dir>
Diagnosing and Fixing SELinux Problems
If you have a suspicion that SELinux may be at the root of your problems, run:
sealert -a /var/log/audit/audit.log
You may get output similar to the following, which helps diagnose the problem:
[...] SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock. [...]
Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation.
grep httpd /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;
After reviewing the generated rule, write the policy to a module file:
grep httpd /var/log/audit/audit.log | audit2allow -M mysepolicy
This will generate two files: a binary .pp file and a text .te file.
Apply the policy with:
semodule -i mysepolicy.pp
The result is similar to:
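Then change the directory's SELinux security context. A label set with chcon does not survive a filesystem relabel or restorecon; to make it persistent, record it with semanage fcontext and apply it with restorecon.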
chcon -t httpd_sys_script_rw_t /var/log/httpd
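Because grep httpd | audit2allow turns every matching denial into an allow rule, it helps to list the distinct denials for one domain before building and loading the module. The following is an added example, not part of the original page: the function names and the embedded audit records are constructed for illustration, and on a real host you would feed it /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Constructed sample records in audit.log format (not from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=2101 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.202:502): avc:  denied  { write } for  pid=2101 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.303:503): avc:  denied  { read open } for  pid=2250 comm="httpd" path="/etc/shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000009.303:503): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# summarize_avc DOMAIN: read audit records on stdin and print one line per
# distinct denial whose source type is DOMAIN, as "<count> <allow rule>".
summarize_avc() {
    awk -v domain="$1" '
    / avc: +denied / {
        perms = src = tgt = cls = ""
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) perms = substr($0, s, e - s + 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == domain && tgt != "" && cls != "")
            seen["allow " src " " tgt ":" cls " " perms ";"]++
    }
    END { for (r in seen) print seen[r], r }' | sort
}

sample_audit_log | summarize_avc httpd_t
```

In the constructed sample, the second rule would let httpd_t read shadow_t files; a denial like that should be investigated rather than allowed, so narrow the grep (or edit the .te file) before running semodule -i.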
Permission Denied when Trying to Write in a Directory
TODO, rationalize the following content: Media_Wiki_Installation#Fails_to_upload_images_with_.27Fatal_exception_of_type_.22MWException.22.27.