Selinux

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Overview

How to Find Out Whether SELinux is Enabled

getenforce

If SELinux is enabled, the command will return "Enforcing".

Configuration

Install Management and Troubleshooting Tools

yum provides /usr/sbin/semanage
yum provides sealert

yum -y install policycoreutils-python
yum -y install setroubleshoot-server

Troubleshooting

Diagnosing and Fixing SELinux Problems

If you have a suspicion that SELinux may be at the root of your problems, run: 

sealert -a /var/log/audit/audit.log

You may get an output similar to the following one, which helps diagnose the problem: 

[...]
SELinux is preventing /usr/sbin/httpd from write access on the file manager.node.nodes.lock.
[...]

Then use audit2allow to parse the audit logs and generate the SELinux policy to allow a denied operation. 

grep httpd /var/log/audit/audit.log | audit2allow

The result is similar to: 

#============= httpd_t ==============
allow httpd_t httpd_log_t:file write;

Permission Denied when Trying to Write in a Directory

TODO, rationalize the following content: Media_Wiki_Installation#Fails_to_upload_images_with_.27Fatal_exception_of_type_.22MWException.22.27.

Retrieved from "https://kb.novaordis.com/index.php?title=Selinux&oldid=1243"