SELinux: When permissions go rogue

Here is a scenario to demonstrate troubleshooting SELinux permission issue :

We have configured a webserver from the directory : /lab-content/lab.html  but cant access it : 


403 Forbidden error indicates that the server understands the request but can't provide the access.

1. We want to know what is causing the issue - first rescue is seeing the logs : /var/log/messages

use either tail -f /var/log/messages or better use  less /var/log/messages

tail -f means to read the log file as it gets updated in real time whereas less is used to read large log file one page at a time ( you might need to press space key to go to next page for the above issue logs

We get a lot of clues for our next tasks in /var/log/messages :


a. We got the cause of the issue :SELinux is preventing a process from accessing a file or directory

b. The file or dir is /lab-content/lab.html 

c. We got another clue to run the sealert command to get complete info about the SELinux error

{{{{{{  policycoreutils-python-utils & setroubleshoot-server package provides the diagnostic tools for identifying and resolving security issues. When SELinux blocks an action, an Access Vector Cache (AVC) message is recorded in the /var/log/audit/audit.log security log file. The SELinux troubleshooting service continuously monitors for AVC events and generates an event summary in the /var/log/messages file. }}}}}


2. Run the advised sealert command with the event UUID :


You will see more related important info there : scroll down :


Ponder over source context and target context , Policy Type, Enforcing mode , RAW audit messages etc.

You can use the ausearch (which  is a tool that can query the audit daemon logs based for events ) to check the RAW audit messages you see above: 


the command ausearch -m AVC -ts recent effectively narrows down the search to only include AVC events that have occurred recently.

3. Now we can compare the lab-content http document dir with the original /var/www/html document dir to identify what context we are lacking which is causing our issue :


So, we get to know that we have to change default context to httpd_sys_content_t  which is specifically intended for apache web content dir context.

4. Change the context using semanage fcontext command :

It is a tool to manage SELinux file contexts, specifically adding a new file context rule. The -a flag indicates that a new rule is being added, while  -t httpd_sys_content_t  specifies the type to be associated. 

The '/lab-content(/.*)?' -  effectively sets the default type to 'httpd_sys_content_t' for all files and subdirectories within the '/lab-content' directory.

restorecon -R /lab-content/ command employs the restorecon tool to recursively apply the updated file context rules to the '/lab-content' directory and its subdirectories. The -R flag indicates that the operation should be performed recursively, ensuring that the new file context is applied to all files and subdirectories within the specified path :


DONE !!   Once the correct SELinux context is set  - website should be accessible :



SELinux: The Dark Knight of Linux Security : A Silent Guardian , A watchful Protector !!


Refer : 

3 Replies
Starfighter Starfighter

Chetan -

What a very nice article!!!

Loved that it included those commands that a discovery and recovery
mission would not be complete without:
- sealert
- ausearch
- semanage
- restorecon

As I started my reading of the article, I was wondering if
ausearch would appear, and sure enough it did.

As your article already mentioned:

        ausearch - a tool to query audit daemon logs  

A few days ago, I was exploring what SELinux does in terms of logging
AVCs when it's in permissive mode vs enforcing mode, and of course I
had to use our friend ausearch.  

ausearch has several options that can be applied, but one that will almost
always be applied will be -m.  The information  that is attached to the -m
option makes refereence to a message type (aka record type).  

So many examples that demonstrate ausearch -m, specify the AVC
message type only.  However, there are many message types that can be
specified when the -m option is used - 188 different message types to be
specific. To view these message types, simply execute the command:

                   ausearch -m

If examples were to be illustrated for all the options that can
be used with ausearch, that would require an article all by itself.

If you love troubleshooting, having to discover what is causing an issue
in SELinux, and then recover from that issue, can provide a lot of enjoyment
and excitement!!



Trevor "Red Hat Evangelist" Chandler

Thanks @Trevor for your valuable insights. You are right about many message types which can be used with the -m option. 


#ausearch -m USER_LOGIN -ts '11/24/2023' '18:00:00' -sv no

To search for all account, group, and role changes, use the following command:


0 Kudos

Also, here is one important lesson from Daniel J Walsh, Lead SELinux developer :

"SELinux relies heavily on labeling to enforce security policies. Every process, file, directory, and device on an SELinux system is assigned a label that defines its security context. If these labels are incorrect, SELinux may not function properly, leading to unexpected access restrictions or security vulnerabilities. For instance, a mislabeled file could prevent a confined application from accessing it. Similarly, a mislabeled executable might not transition to the correct label when executed, resulting in access violations and potentially mislabeling the files it creates. Therefore, ensuring accurate labeling is crucial for optimal SELinux operation."

Another useful thing :

To correctly label the files and directories under a directory path, you can use the chcon command. However, this will only change the labels temporarily. To make the changes permanent, you need to use the semanage fcontext command. This command instructs the SELinux data store to associate the  directory and all its subdirectories with the desired SELinux context label.

The semanage fcontext command doesn't immediately update the labels on your system's files. To apply the new labeling rules, you need to run the restorecon command, which will read the SELinux data store and update the labels accordingly.

The matchpathcon command can be used to determine the default label for a specified path. For example, running matchpathcon /srv/myweb would display the default label for the /srv/myweb directory.

0 Kudos
Join the discussion
You must log in to join this conversation.