
What is SELinux trying to tell me?

The 4 key causes of SELinux errors.

Daniel J Walsh
Principal Software Engineer
Lead SELinux developer
Red Hat

I have just completed a project to secure the Fedora Infrastructure, and plan on writing up what we did in a future Red Hat Magazine article. After many years of looking at SELinux error messages I have found that almost all SELinux problems fall into one of the following categories:

- Labeling problems.
- A confined process is configured in a way different than the default that SELinux policy expects.
- A bug in policy or in an application.
- Your machine has been compromised.

I use this list to try to figure out what the problem is when I am confronted with an SELinux problem.

Is there a labeling problem?


SELinux == LABELS

When using SELinux the most important thing to understand is that SELinux is all about labels. Every process, file, directory and device on an SELinux system has a label. If these labels are wrong for some reason, SELinux will not function properly.

If a file is mislabeled, a confined application might not be allowed access to the mislabeled file. If an executable is mislabeled, it may not transition to the correct label when executing, causing access violations and potentially causing it to mislabel the files it creates. Processes and objects on the machine have labels. If the labeling is correct, everything should work.

Sometimes an admin or software developer decides to change the location of files used by a confined domain. For example, if an administrator wants to store web pages in an unusual location, /srv/myweb, the administrator needs to tell the SELinux system that these files need to be accessible to the web server process. He does this by setting the labeling correctly in the system. Since the httpd process is allowed to access files labeled with the httpd_sys_content_t type, he needs to set that label. One mechanism for this is to use the chcon command.

# chcon -R -t httpd_sys_content_t /srv/myweb

This will set the labels correctly; however, you have not told the SELinux system to permanently label these files/directories with this label. In some circumstances a system relabel could change these labels back to the default. You use the semanage command to make permanent changes to the SELinux system.

# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'

This command tells the SELinux data store that the /srv/myweb directory and all files under it should be labeled httpd_sys_content_t. Tools like restorecon and rpm read this data store when they are labeling or relabeling files. Note, however, that the semanage command will not change the actual labels on the files on your machine. You still need to execute restorecon to fix the labels.

# restorecon -R /srv/myweb

restorecon reads the SELinux data store to determine how files under /srv/myweb should be labeled and then fixes them.

# matchpathcon /srv/myweb

The matchpathcon command reads the SELinux file context files and prints the default label for the specified path.

You can also use system-config-selinux to set up your SELinux labeling.

Now if an administrator creates a file under /srv/myweb, or copies a file there, the file will automatically get labeled httpd_sys_content_t. Note: if you use the mv command, the file could end up mislabeled. The mv command maintains the file context of the source file. So if you mv'd a file from your home directory, the file would end up being labeled user_home_t, and httpd would not be able to read it. You can use restorecon to fix the label.
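As an added example (not code from the original article), the following Python script shows the check a practitioner runs before blaming SELinux: compare the actual type on each file with the default type the file context specifications give for its path. The spec table, the on-disk listing and the types var_t and default_t are constructed here to mirror the /srv/myweb case; the lookup is a simplification of what libselinux does (each regex anchored at both ends, last matching entry wins), not a reimplementation of matchpathcon.

```python
import re

# Constructed file_contexts-style entries (regex, default context) in file
# order: base policy entries first, then the entry that
#   semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
# appends to file_contexts.local. var_t and default_t are assumed types.
FILE_CONTEXTS = [
    ("/.*", "system_u:object_r:default_t:s0"),
    ("/srv(/.*)?", "system_u:object_r:var_t:s0"),
    ("/home/[^/]+(/.*)?", "system_u:object_r:user_home_t:s0"),
    ("/srv/myweb(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]

# Constructed `ls -Z`-style listing of what is actually on disk:
#  - report.html was mv'd in from a home directory, so it kept user_home_t
#  - /srv/otherweb was labeled with chcon only; no fcontext rule covers it
ACTUAL_LABELS = [
    ("/srv/myweb", "unconfined_u:object_r:httpd_sys_content_t:s0"),
    ("/srv/myweb/index.html", "unconfined_u:object_r:httpd_sys_content_t:s0"),
    ("/srv/myweb/report.html", "unconfined_u:object_r:user_home_t:s0"),
    ("/srv/otherweb/index.html", "unconfined_u:object_r:httpd_sys_content_t:s0"),
]


def selinux_type(context):
    """Type field of a user:role:type[:range] context string."""
    return context.split(":")[2]


def default_context(path, specs=FILE_CONTEXTS):
    """Default context for path, or None if no entry matches.

    Simplified libselinux rule: every regex is anchored at both ends and the
    last matching entry wins (local entries come after base policy ones).
    """
    winner = None
    for pattern, context in specs:
        if re.fullmatch(pattern, path):
            winner = context
    return winner


def find_mislabeled(actual, specs=FILE_CONTEXTS):
    """Return (path, actual_type, default_type) for every file whose type
    differs from its default. Only the type field is compared, which is
    what restorecon resets unless -F is given."""
    drift = []
    for path, context in actual:
        want = default_context(path, specs)
        if want is None:
            continue
        have_t, want_t = selinux_type(context), selinux_type(want)
        if have_t != want_t:
            drift.append((path, have_t, want_t))
    return drift


if __name__ == "__main__":
    for path, have_t, want_t in find_mislabeled(ACTUAL_LABELS):
        print("%s is %s but the data store says %s" % (path, have_t, want_t))
```

On a real system `matchpathcon -V` or `restorecon -nv -R /srv/myweb` performs the same comparison. The two reported files need different fixes: report.html is the mv case and `restorecon` puts it right, while /srv/otherweb/index.html carries the label the admin wants today but has no fcontext rule behind it, so a relabel would revert it to var_t; the fix there is `semanage fcontext -a`, not restorecon.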
In the past we have seen some applications that have modified files in their post-install and left them mislabeled. For example, the vmware package copies the /etc/services file to the /tmp directory. It then adds a port line to it and mv's it back to /etc/. Since rpm labels files created in /tmp during post-install as rpm_script_tmp_t, and the mv command maintains that label, the file ends up labeled rpm_script_tmp_t in /etc. Since no confined domains are allowed to read files labeled rpm_script_tmp_t, the confined domains start breaking, complaining about this label. You can use restorecon /etc/services to fix the label.

restorecond is a daemon service that has the ability to watch file creations and maintain their file context. restorecond reads the /etc/selinux/restorecond.conf file for a list of files to watch, and if those files get created with the wrong context, restorecond resets them to the right context. Happily restorecond is less important as apps and admins become more SELinux aware. As we move to confined user apps, though, maintaining the labels in a user's home directory will become more important.

Are my confined applications set up differently than the default?


SELinux has got to know.

A confined process/application can be run in many different ways. You need to tell SELinux how you have configured the application to run, and then SELinux will allow it the proper access. SELinux does not do this automatically.

SELinux policy has built-in if/then/else rules called booleans that allow you to tweak the predefined rules to allow different access. Out of the box, SELinux policy for httpd does not allow it to send mail. We do this to prevent a compromised web site from becoming a spam box. But some administrators might want their httpd to send mail legitimately. So you can set the httpd_can_sendmail boolean to tell SELinux it is OK to connect to the mail port or to execute one of the commands used to send mail.

# setsebool -P httpd_can_sendmail 1

This permanently changes SELinux policy to allow httpd to send mail.
To view all booleans for httpd you can execute:

# semanage boolean -l | grep http
httpd_can_network_relay           -> off  Allow httpd to act as a relay
httpd_can_network_connect_db      -> off  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_enable_cgi                  -> on   Allow httpd cgi support
httpd_use_cifs                    -> off  Allow httpd to access cifs file systems
allow_httpd_mod_auth_pam          -> off  Allow Apache to use mod_auth_pam
allow_httpd_anon_write            -> off  Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
httpd_enable_homedirs             -> on   Allow httpd to read home directories
allow_httpd_sys_script_anon_write -> off  Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
httpd_dbus_avahi                  -> on   Allow Apache to communicate with avahi service via dbus
httpd_can_sendmail                -> off  Allow http daemon to send mail
httpd_unified                     -> on   Unify HTTPD handling of all content files.
httpd_can_network_connect         -> off  Allow HTTPD scripts and modules to connect to the network using TCP.
allow_httpd_mod_auth_ntlm_winbind -> off  Allow Apache to use mod_auth_ntlm_winbind
httpd_tty_comm                    -> on   Allow HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
httpd_use_nfs                     -> off  Allow httpd to access nfs file systems
httpd_execmem                     -> off  Allow httpd scripts and modules execmem/execstack
httpd_builtin_scripting           -> on   Allow httpd to use built in scripting (usually php)
httpd_ssi_exec                    -> off  Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
httpd_enable_ftp_server           -> off  Allow httpd to act as a FTP server by listening on the ftp port.
Tools like system-config-selinux or getsebool -a will list all of the possible booleans.

On Fedora 10 systems and newer you can run SELinux error messages (AVCs) through audit2allow -w (audit2why). This command will check to see if any boolean could be turned on to allow the access. setroubleshoot is also pretty good at diagnosing these problems.

Administrators might want to change the network ports that a confined application is allowed to listen on, or to connect to. In certain cases there is a boolean to allow the connection; for example, the httpd_can_sendmail boolean allows the httpd daemon to connect to the mail port. But in the more general case you need to tell SELinux if you want to use non-default ports with a confined application. Use the semanage command to tell SELinux which ports you want to use.

If an administrator decides he wants to allow the bind daemon to listen on tcp port 54, he would need to execute the following command:

# semanage port -a -t dns_port_t -p tcp 54
# semanage port -l | grep dns
dns_port_t                     tcp      54, 53
dns_port_t                     udp      53

You can also use system-config-selinux to manage SELinux network configuration.

Is there a bug in SELinux policy or in a confined application?


SELinux policy and/or application bugs are out there.

We write SELinux policy for a confined domain by looking at what the application does, then putting the application or system into permissive mode, collecting the AVC messages and updating the policy using these messages. Sometimes a confined application is run with a code path that the policy writer did not know about, so the policy denies the access even though it should be allowed. While the application is working correctly, SELinux denies the access. After reporting this type of problem to support or as a bugzilla, you can add custom policy to your system simply by piping the SELinux error messages through audit2allow. Say a new version of postgresql comes out and SELinux is mistakenly denying access to a resource which it should be allowed to access. You can use audit2allow to build a custom policy module that can be installed on your system to allow the access.

# grep postgresql /var/log/audit/audit.log | audit2allow -R -M mypostgresql

This command will generate a local policy module which will allow all accesses that are currently being denied. It generates a file called mypostgresql.te which contains all of the allow rules. You should examine these before installing them, to make sure it is safe to install the rules. You can always use the SELinux developers mail list or the fedora-selinux mail list for help understanding whether it is safe to add the rules.

# semodule -i mypostgresql.pp

This command installs the local policy modifications permanently on your system. You probably want to report the SELinux errors to bugzilla or a mailing list so your local modifications can be added to the distribution's policy or upstream.

In many cases we see bugs in applications: leaked file descriptors, apps attempting access that they really do not need (listing every device in /dev, for example), apps making assumptions about root being all-powerful. You can use the custom policy modules described above to stop the errors, but you really need to report the problem.

Has your machine been compromised?

SELinux confines compromises...

SELinux is not an intrusion detection system, and our tools do not currently do a great job of distinguishing between an intrusion and a general configuration, labeling or SELinux policy error. There are several tools available to do intrusion detection, and some use the SELinux logs to watch for intrusions.

SELinux will trigger lots of AVCs if an app is actually compromised and tries to do something it is not designed to do. SELinux development is planning to modify setroubleshoot to look for compromised application signatures. Currently setroubleshoot reports all AVCs the same way. One idea is to change setroubleshoot to put up a red star and a stern warning when certain signatures show up.

SELinux has been around for a while now and the policy is pretty good. If an application needs major security privileges, SELinux policy probably already allows it. If you see AVCs that do not make sense, or that seem to be an application trying to change security settings, your application might be compromised.

Potential signatures of a compromised confined application:

- A confined application should never try to change SELinux enforcement. This includes changing the enforcement mode or trying to write to /etc/selinux. Setting booleans would also be a very strange thing for a confined application to do.
- A confined application should not try to modify the kernel: load kernel modules, write to kernel directories, or write to boot loader or boot image directories.
- A confined application should not be attempting to write to files labeled etc_t (/etc), since a confined domain that can write to etc_t would be able to overwrite passwd_t.
- Confined applications should not be attempting to write to security configuration files, for example certificates, kerberos files, and most configuration data.
- Most confined applications should not be attempting to write to shadow_t or, in most cases, read shadow_t.
- Confined applications should not be trying to overwrite log files, especially if the log file has nothing to do with the application.
- Most confined applications should not be trying to read files in the users' home directories (user_home_t). This is where the good stuff is.
- A confined application should not suddenly attempt to connect to random network ports that do not make sense. Spam bots will try to connect to the mail port.
- A confined application trying to execute mail programs or connect to the mail ports when it was not set up to send mail. Most crackers try to grab machines to set them up as spam bots, so no root access is required.

These might be a bug, but the damage that could be done is too significant to ignore. If you see something like the above, get help in diagnosing the AVC messages. Use open source mail lists like the selinux list or the fedora-selinux list to ask for help.
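This added example (not the author's code, and not part of setroubleshoot) serves two passages: the advice in the previous section to examine the rules audit2allow generates before running semodule -i, and the signature list above. It normalises both AVC records from audit.log and allow rules from a generated .te file into (source type, target type, class, permissions) and screens them against a table built from the signature list. The sample records are constructed, not real captures. Type names beyond those the article mentions (security_t, selinux_config_t, modules_object_t, boot_t, cert_t, krb5_conf_t, krb5_keytab_t, var_log_t, smtp_port_t, sendmail_exec_t) are the reference policy names I assume for those objects.

```python
import re

# audit.log AVC record: "... avc:  denied  { perm ... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# .te rule: "allow src tgt:class { perm ... };" or "allow src tgt:class perm;"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<tclass>\S+)"
    r"\s+\{?\s*(?P<perms>[^};]+?)\s*\}?\s*;"
)

WRITE = {"write", "append", "create", "unlink", "rename", "link", "setattr",
         "relabelfrom", "relabelto", "add_name", "remove_name", "rmdir"}

# (description, target types or None for any, permissions, tclass or None for any)
# Built from the article's signature list; types it does not name are assumed.
SIGNATURES = [
    ("changing SELinux enforcement, policy or booleans",
     {"security_t", "selinux_config_t"}, WRITE | {"setenforce", "setbool", "load_policy"}, None),
    ("loading a kernel module", None, {"sys_module"}, "capability"),
    ("writing kernel module or boot directories", {"modules_object_t", "boot_t"}, WRITE, None),
    ("writing /etc (etc_t): could overwrite passwd", {"etc_t"}, WRITE, None),
    ("writing security configuration (certs, kerberos)",
     {"cert_t", "krb5_conf_t", "krb5_keytab_t"}, WRITE, None),
    ("reading or writing shadow_t", {"shadow_t"}, WRITE | {"read"}, None),
    ("overwriting log files", {"var_log_t"}, WRITE, None),
    ("reading user home directories", {"user_home_t"}, {"read"}, None),
    ("connecting to the mail port", {"smtp_port_t"}, {"name_connect"}, None),
    ("executing a mail program", {"sendmail_exec_t"}, {"execute", "execute_no_trans"}, None),
]


def selinux_type(context):
    """Type field of a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_event(line):
    """Normalise one AVC record or one allow rule; None for any other line."""
    m = AVC_RE.search(line)
    if m:
        return {"source": selinux_type(m["scontext"]), "target": selinux_type(m["tcontext"]),
                "tclass": m["tclass"], "perms": set(m["perms"].split())}
    m = ALLOW_RE.match(line)
    if m:
        return {"source": m["src"], "target": m["tgt"],
                "tclass": m["tclass"], "perms": set(m["perms"].split())}
    return None


def screen(events):
    """(source, target, description) for every signature an event trips."""
    findings = []
    for ev in events:
        for description, targets, perms, tclass in SIGNATURES:
            if tclass is not None and ev["tclass"] != tclass:
                continue
            if targets is not None and ev["target"] not in targets:
                continue
            if ev["perms"] & perms:
                findings.append((ev["source"], ev["target"], description))
    return findings


def screen_lines(lines):
    return screen([ev for ev in map(parse_event, lines) if ev is not None])


# Constructed sample records (not real captures). The third is httpd hitting a
# user_home_t file under /srv/myweb: the mv case from the labeling section.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1240000000.101:201): avc:  denied  { read } for  pid=2311 comm="httpd" name="shadow" dev=dm-0 ino=131338 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1240000000.102:202): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1240000000.103:203): avc:  denied  { read } for  pid=2311 comm="httpd" path="/srv/myweb/report.html" dev=dm-0 ino=8721 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1240000000.104:204): avc:  denied  { sys_module } for  pid=2311 comm="httpd" capability=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
]
# Constructed lines of the kind audit2allow -M writes into a .te file.
SAMPLE_TE = [
    "allow postgresql_t postgresql_tmp_t:file { read write };",
    "allow httpd_t etc_t:file write;",
]

if __name__ == "__main__":
    for source, target, description in screen_lines(SAMPLE_AUDIT + SAMPLE_TE):
        print("%s -> %s: %s" % (source, target, description))
```

A hit is a prompt to look harder, not a verdict. The third sample is httpd reading a user_home_t file under /srv/myweb, which restorecon fixes, and a name_connect to smtp_port_t is expected when httpd_can_sendmail was deliberately turned on; the screen knows nothing about labels or booleans. Check the first two causes first, and if neither explains the AVC, treat it as the signature it matches. Run the same screen over mypostgresql.te before semodule -i: the constructed etc_t write rule is the kind of line audit2allow will happily generate and that should never be installed unexamined.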