7.2. Using the command-line assistant to troubleshoot SELinux issues
You can troubleshoot SELinux issues by using the command-line assistant. The example troubleshooting process demonstrates the diagnostic capabilities of the command-line assistant.
Prerequisites
- You have enabled the command-line assistant.
- You have root access to your system.
Procedure
1. On your terminal, enter the following command to list the httpd package version that you have installed on your system:

   $ sudo rpm -qa httpd
   httpd-2.4.62-2.fc40.x86_64

2. Query all httpd packages:

   $ sudo rpm -qa httpd

3. Identify the ports on which the web server accepts incoming requests:

   $ cat /etc/httpd/conf/httpd.conf | grep Listen
   # Listen: Allows you to bind Apache to specific IP addresses and/or
   # Change this to Listen on a specific IP address, but note that if
   #Listen 12.34.56.78:80
   Listen 80

4. Restart the httpd service:

   $ systemctl restart httpd
   Job for httpd.service failed because the control process exited with error code.
   See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

5. Run the journalctl command for more details on the failed service:

   $ sudo journalctl -xeu httpd.service

6. Use the command-line assistant to troubleshoot the issue and ask why the service is failing:

   $ sudo c "why did httpd fail to start"

7. Ask the command-line assistant about the SELinux httpd port:

   $ c "selinux httpd port"

   The assistant advises using the sestatus command to check the current SELinux status and the SELinux context of the httpd services with the following command:

   $ sudo sestatus
   SELinux status:                 enabled
   SELinuxfs mount:                /sys/fs/selinux
   SELinux root directory:         /etc/selinux
   Loaded policy name:             targeted
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy MLS status:              enabled
   Policy deny_unknown status:     allowed
   Memory protection checking:     actual (secure)
   Max kernel policy version:      33

8. View the specific SELinux policy for the httpd services by running the following command:

   $ sudo cat /usr/share/selinux/targeted/contexts/httpd_var_run_t
   No such file or directory

9. Ask the command-line assistant about contexts:

   $ c "i don't have a httpd_var_run_t contexts"

   The command-line assistant takes some time to process the request, then provides several possible suggestions. The assistant says that you might not have the context and need to set it with the following command:

   $ sudo chcon -R -t httpd_var_run_t

10. Ask the CLA about the port:

    $ c "selinux won't let httpd listen on port 12345"

11. Try the suggested command:

    $ sudo semanage port -a -t httpd_port_t -p tcp 12345
    ValueError: Type httpd_port_t is invalid, must be a port type

12. Ask the CLA about the error you see in the output:

    $ c "how do I fix ValueError: Type httpd_port_t is invalid, must be a port type"

13. Run the steps provided by the CLA:

    $ sudo ls -Z /usr/sbin/httpd
    system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
    $ chcon -t httpd_exec_t /usr/sbin/httpd
    $ sudo setenforce 1

14. Restart the httpd service and check the status of httpd.service:

    $ sudo systemctl restart httpd
    Job failed
    $ sudo systemctl status httpd.service
    Failed to start the Apache Server

15. Ask the CLA how to enable httpd to listen on port 12345:

    $ c "how do I enable httpd to listen on port 12345 selinux"

16. Run the command advised by the CLA:

    $ sudo setsebool -P httpd_can_network_connect=1

17. Restart the httpd service and check the status of httpd.service again:

    $ sudo systemctl status httpd
    $ sudo systemctl restart httpd
    Job failed, see journalctl

18. Check the journal for the service with journalctl:

    $ journalctl -xeu httpd
    Output: An ExecStart= process belonging to unit httpd.service has exited.

19. Use the output to ask the CLA to troubleshoot:

    $ c "An ExecStart= process belonging to unit httpd.service has exited."

20. Run the command that the CLA responds with:

    $ sudo ausearch -m AVC,USER_AVC -ts recent
    Output: "avc: denied {name_bind} for pid=7184 comm="httpd" src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclas=tcp_socket permissive=0"

21. Paste the output of the previous command into a query to the CLA:

    $ sudo c "avc: denied {name_bind} for pid=7184 comm="httpd" src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclas=tcp_socket permissive=0"

22. Run the following command to resolve the error "SELinux is preventing Apache Server (httpd) from binding to port 12345":

    $ sudo semanage port -a -t http_port_t -p tcp 12345
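The denial above names the port's current label (unreserved_port_t), and the fix works only with a real port type (http_port_t, not httpd_port_t). The following shell functions are an added example, not from the original page or the assistant: they look up a port's SELinux type in the output format of `semanage port -l` and pull the bound port out of a name_bind AVC line, using constructed sample data so they run without SELinux tools installed.

```shell
#!/bin/sh
# Added example, not part of the original page: look up which SELinux port
# type a TCP port carries, using the output format of `semanage port -l`.
# Ports absent from the listing default to unreserved_port_t (>1023) or
# reserved_port_t (<=1023), which is the tcontext in the AVC denial above.

# Constructed, trimmed sample of `semanage port -l` before the fix.
PORTS_BEFORE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      22'

# The same constructed listing after `semanage port -a -t http_port_t -p tcp 12345`.
PORTS_AFTER='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000, 12345
ssh_port_t                     tcp      22'

# port_type PORT [PROTO] [LISTING]: print the SELinux type of PORT/PROTO.
port_type() {
  port=$1; proto=${2:-tcp}; listing=${3:-$PORTS_BEFORE}
  found=$(printf '%s\n' "$listing" | awk -v p="$port" -v pr="$proto" '
    NR == 1 || $2 != pr { next }          # skip header and other protocols
    {
      s = ""
      for (i = 3; i <= NF; i++) s = s $i  # "80, 81, 443" -> "80,81,443"
      n = split(s, ports, ",")
      for (i = 1; i <= n; i++) {
        if (split(ports[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
        else { lo = ports[i]; hi = ports[i] }
        if (p + 0 >= lo + 0 && p + 0 <= hi + 0) { print $1; exit }
      }
    }')
  if [ -n "$found" ]; then printf '%s\n' "$found"
  elif [ "$port" -gt 1023 ]; then printf 'unreserved_port_t\n'
  else printf 'reserved_port_t\n'; fi
}

# avc_bind_port AVC_LINE: for a name_bind denial, print the port the confined
# process tried to bind (the src= field); print nothing for other denials.
avc_bind_port() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *name_bind *}.* src=\([0-9]*\).*/\1/p'
}

# Constructed AVC line in the shape shown in the procedure above.
SAMPLE_AVC='avc: denied { name_bind } for pid=7184 comm="httpd" src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
```

On a real system, pass `"$(semanage port -l)"` as the third argument of port_type to check the live policy instead of the constructed listings.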
Verification
Restart the httpd service and check the status of httpd.service:

   $ sudo systemctl restart httpd
   No error
   $ sudo systemctl status httpd.service

The server is configured, up and running, and listening on port 443 and port 12345.