Selinux

From NovaOrdis Knowledge Base

Internal

Overview

How to Find Out Whether SELinux is Enabled

getenforce

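If SELinux is enabled and enforcing its policy, the command returns "Enforcing". The other possible values are "Permissive" (the policy is loaded and denials are logged, but not blocked) and "Disabled".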

Configuration

Install Management and Troubleshooting Tools

yum provides /usr/sbin/semanage
yum provides sealert
yum -y install policycoreutils-python
yum -y install setroubleshoot-server

Troubleshooting

Diagnose SELinux Problems

If you suspect that SELinux is at the root of a problem, run:

sealert -a /var/log/audit/audit.log

The output is similar to the following and helps diagnose the problem:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed write access on the manager.node.nodes.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

[...]
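
The suggested "grep httpd ... | audit2allow -M mypol" turns every matching denial in the log into an allow rule, so it is worth listing the distinct denials before generating a module. The following is an added example, not part of the original page: the function names avc_summary and sample_audit_log are hypothetical, and the sample records (including the target contexts) are constructed; only the httpd write denial on manager.node.nodes.lock mirrors the alert above.

```shell
#!/usr/bin/env bash
# Added example: group SELinux AVC denials so each distinct denial can be
# reviewed before a local policy module is generated from the log.

# Constructed sample records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1500000000.101:201): avc:  denied  { write } for  pid=2101 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1500000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1500000030.220:215): avc:  denied  { write } for  pid=2101 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1500000060.330:230): avc:  denied  { write } for  pid=2107 comm="httpd" name="manager.node.nodes.lock" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1500000090.400:260): avc:  denied  { read open } for  pid=2150 comm="httpd" name="index.html" dev="dm-0" ino=9100 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reads audit records from the files given as arguments, or from stdin
# (on a live host: avc_summary /var/log/audit/audit.log).
# Prints: count comm permissions tclass name source_type target_type
avc_summary() {
    awk '
    $1 == "type=AVC" && / denied / {
        perms = ""; comm = name = cls = st = tt = "?"; inbrace = 0
        for (i = 2; i <= NF; i++) {
            # Permissions are the words between "{" and "}".
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace)   { perms = perms (perms == "" ? "" : ",") $i; continue }
            # Everything else of interest is a key=value field.
            eq = index($i, "="); if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm")   comm = val
            if (key == "name")   name = val
            if (key == "tclass") cls  = val
            # The SELinux type is the third colon-separated part of a context.
            if (key == "scontext") { split(val, p, ":"); st = p[3] }
            if (key == "tcontext") { split(val, p, ":"); tt = p[3] }
        }
        seen[comm " " perms " " cls " " name " " st " " tt]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | sort -rn
}

sample_audit_log | avc_summary
```

A denial that appears in the summary but has nothing to do with the problem being fixed is a reason to narrow the grep pattern before piping the log to audit2allow.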

Permission Denied when Trying to Write in a Directory

TODO, rationalize the following content: Media_Wiki_Installation#Fails_to_upload_images_with_.27Fatal_exception_of_type_.22MWException.22.27.