5.2. Analyzing SELinux denial messages

Procedure

1. List more details about a logged denial using the sealert command, for example:

   $ sealert -l "*"
   SELinux is preventing /usr/bin/passwd from write access on the file
   /root/test.
   
   *****  Plugin leaks (86.2 confidence) suggests *****************************
   
   If you want to ignore passwd trying to write access the test file,
   because you believe it should not need this access.
   Then you should report this as a bug.
   You can generate a local policy module to dontaudit this access.
   Do
   # ausearch -x /usr/bin/passwd --raw | audit2allow -D -M my-passwd
   # semodule -X 300 -i my-passwd.pp
   
   *****  Plugin catchall (14.7 confidence) suggests **************************
   
   ...
   
   Raw Audit Messages
   type=AVC msg=audit(1553609555.619:127): avc:  denied  { write } for
   pid=4097 comm="passwd" path="/root/test" dev="dm-0" ino=17142697
   scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
   tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
   
   ...
   
   Hash: passwd,passwd_t,admin_home_t,file,write

2. If the output obtained in the previous step does not contain clear suggestions:

   • Enable full-path auditing to see full paths to accessed objects and to make additional Linux Audit event fields visible:

     # auditctl -w /etc/shadow -p w -k shadow-write

   • Clear the setroubleshoot cache:

     # rm -f /var/lib/setroubleshoot/setroubleshoot.xml

   • Reproduce the problem.

   • Repeat step 1.

     After you finish the process, disable full-path auditing:

     # auditctl -W /etc/shadow -p w -k shadow-write

3. If sealert returns only catchall suggestions or suggests adding a new rule using the audit2allow tool, match your problem with examples listed and explained in SELinux denials in the Audit log.