11.2. Top Three Causes of Problems
The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules.
11.2.1. Labeling Problems
On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. An incorrectly labeled application may cause an incorrect label to be assigned to its process. This may cause SELinux to deny access, and the process may create mislabeled files.
A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using /var/www/html/ for a website, an administrator wants to use /srv/myweb/. On Red Hat Enterprise Linux, the /srv directory is labeled with the var_t type. Files and directories created in /srv inherit this type. Also, newly-created objects in top-level directories (such as /myserver) may be labeled with the default_t type. SELinux prevents the Apache HTTP Server (httpd) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/ are to be accessible to httpd:

~]# semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"

This semanage command adds the context for the /srv/myweb/ directory (and all files and directories under it) to the SELinux file-context configuration[8]. The semanage utility does not change the context of existing files. As root, run the restorecon utility to apply the changes:

~]# restorecon -R -v /srv/myweb

See Section 4.7.2, "Persistent Changes: semanage fcontext" for further information about adding contexts to the file-context configuration.
11.2.1.1. What is the Correct Context?
The matchpathcon utility checks the context of a file path and compares it to the default label for that path. The following example demonstrates using matchpathcon on a directory that contains incorrectly labeled files:

~]$ matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

In this example, the index.html and page1.html files are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory may result in files being labeled with the user_home_t type (mv preserves the label, whereas cp assigns the label of the destination). This type should not exist outside of home directories. Use the restorecon utility to restore such files to their correct type:

~]# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

To restore the context for all files under a directory, use the -R option:

~]# restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

See Section 4.10.3, "Checking the Default SELinux Context" for a more detailed example of matchpathcon.
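An added example, not part of the guide: the shell functions below parse matchpathcon -V output into a list of mislabeled paths, separating files whose type is wrong (the ones that explain httpd denials) from files where only the user, role or range portion differs, and emit the matching restorecon commands. The sample output is constructed from the lines above.

```shell
#!/bin/sh
# Constructed sample of `matchpathcon -V` output (modelled on the lines in
# this section, not captured from a real system).
SAMPLE='/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/ok.html has context unconfined_u:object_r:httpd_sys_content_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/good.html verified.'

# Read matchpathcon -V output on stdin and print one line per mislabeled path:
#   <path> type  <current context> <expected context>   when the type differs
#   <path> other <current context> <expected context>   when only user, role
#                                                       or range differs
# "verified." lines are dropped. Type enforcement rules (for example the ones
# granting httpd_t access to httpd_sys_content_t) are written against the
# type component, so the "type" rows are the ones that explain denials.
mislabeled() {
  awk '
    / has context / {
      path = $1
      cur = $4; sub(/,$/, "", cur)      # strip the trailing comma
      want = $NF
      split(cur, c, ":"); split(want, w, ":")
      if (c[3] != w[3]) print path, "type", cur, want
      else if (cur != want) print path, "other", cur, want
    }'
}

# Emit the restorecon command for each path whose type is wrong.
restorecon_commands() {
  mislabeled | awk '$2 == "type" { print "restorecon -v " $1 }'
}

printf '%s\n' "$SAMPLE" | mislabeled
printf '%s\n' "$SAMPLE" | restorecon_commands
```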
11.2.2. How are Confined Services Running?
Services can be run in a variety of ways. To cater for this, you need to specify how you run your services. This can be achieved through Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated using the semanage command.

For example, to allow the Apache HTTP Server to communicate with MariaDB, enable the httpd_can_network_connect_db Boolean:

~]# setsebool -P httpd_can_network_connect_db on

If access is denied for a particular service, use the getsebool and grep utilities to see if any Booleans are available to allow access. For example, use the getsebool -a | grep ftp command to search for FTP related Booleans:

~]$ getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_nfs --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

For a list of Booleans and whether they are on or off, run the getsebool -a command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as root. See Section 4.6, "Booleans" for information about listing and configuring Booleans.
Port Numbers
Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the semanage port -l | grep http command as root to list http related ports:

~]# semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

The http_port_t port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures httpd.conf so that httpd listens on port 9876 (Listen 9876), but policy is not updated to reflect this, the following command fails:

~]# systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: failed (Result: exit-code) since Thu 2013-08-15 09:57:05 CEST; 59s ago
  Process: 16874 ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
  Process: 16870 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)

An SELinux denial message similar to the following is logged to /var/log/audit/audit.log:

type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To allow httpd to listen on a port that is not listed for the http_port_t port type, enter the semanage port command to add a port to policy configuration[9]:

~]# semanage port -a -t http_port_t -p tcp 9876

The -a option adds a new record; the -t option defines a type; and the -p option defines a protocol. The last argument is the port number to add.
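An added example, not from the guide: the functions below pick name_bind denials such as the one above out of audit records (extracting the source domain, protocol, port and the port's current type) and print the semanage port command for the httpd_t case. The audit lines are constructed samples, and only the httpd_t to http_port_t pairing shown in this section is hard-coded.

```shell
#!/bin/sh
# Constructed audit records (modelled on the AVC message in this section, not
# captured from a real system). The second one is not a name_bind denial and
# must be ignored.
AUDIT='type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1225948460.100:295): avc:  denied  { read } for  pid=4997 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit records on stdin; for every name_bind denial print
# "<source domain> <protocol> <port> <port type>", e.g. "httpd_t tcp 9876 port_t".
name_bind_denials() {
  awk '
    /^type=AVC / && /denied/ && index($0, "{ name_bind }") {
      src = ""; sctx = ""; tctx = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "src") src = v
        else if (k == "scontext") sctx = v
        else if (k == "tcontext") tctx = v
        else if (k == "tclass") cls = v
      }
      split(sctx, s, ":"); split(tctx, t, ":")
      proto = (cls == "udp_socket") ? "udp" : "tcp"
      print s[3], proto, src, t[3]
    }'
}

# Turn each denial into the policy change from this section. Only the
# httpd_t -> http_port_t pairing shown above is hard-coded; any other domain
# gets a hint to look its port type up with semanage port -l. (Assumption:
# the port is not already assigned to another type, i.e. tcontext is port_t.)
suggest_port_fix() {
  name_bind_denials | while read -r dom proto port ptype; do
    case "$dom" in
      httpd_t) echo "semanage port -a -t http_port_t -p $proto $port" ;;
      *) echo "# $dom tried to bind $proto/$port (currently $ptype); check semanage port -l" ;;
    esac
  done
}

printf '%s\n' "$AUDIT" | suggest_port_fix
```

If the port is already defined for another port type, semanage port -a is rejected as already defined, and semanage port -m is the form that changes its type.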
11.2.3. Evolving Rules and Broken Applications
Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving – SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions the current policy has not seen before, causing access to be denied, even though access should be allowed.

For these situations, after access is denied, use the audit2allow utility to create a custom policy module to allow access. See Section 11.3.8, "Allowing Access: audit2allow" for information about using audit2allow.
[8] Files in /etc/selinux/targeted/contexts/files/ define contexts for files and directories. Files in this directory are read by the restorecon and setfiles utilities to restore files and directories to their default contexts.

[9] The semanage port -a command adds an entry to the /etc/selinux/targeted/modules/active/ports.local file. Note that by default, this file can only be viewed by root.