RHCSA - Manage Security: Diagnose & Address Routine SELinux Policy Violations
Diagnose & Address Policy Violations
To diagnose a policy violation you need to search for AVC messages within /var/log/audit/audit.log. If you have been following along with the course, we can search for a violation linked to the lesson Manage SELinux Port Labels, where we changed the httpd listen port from 80 to 82:
Search for AVC messages related to httpd:
sudo grep AVC /var/log/audit/audit.log | grep httpd
I have spread the output over multiple lines for readability, but it is not really giving much info to go on other than that the command httpd was denied with src=82, meaning port 82.
type=AVC
msg=audit(1693293199.535:880): avc: denied { name_bind } for
pid=6515
comm="httpd"
src=82
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:reserved_port_t:s0
tclass=tcp_socket
permissive=0
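As an added example (not part of the course), the small shell function below pulls the useful fields out of a port-bind AVC record like the one above, so that a grep of audit.log gives one readable line per denial instead of a raw record. Reading the fields side by side also shows why the denial happened: the source domain is httpd_t, but the target context carries the generic reserved_port_t label, which httpd_t is not allowed to bind; the fix is therefore to relabel the port, not to touch the process. The sample record is constructed to match the output shown above; on a live system you would feed it with sudo grep AVC /var/log/audit/audit.log | avc_summary.

```shell
#!/bin/sh
# Constructed sample AVC record, modelled on the audit.log line shown in the lesson.
SAMPLE_AVC='type=AVC msg=audit(1693293199.535:880): avc:  denied  { name_bind } for  pid=6515 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: read audit records on stdin and print one summary line per denied
# port-bind AVC. Only grep and sed are used, so it runs on a stock RHEL install.
# Records without a src= port (file denials, granted AVCs, non-AVC records) are
# either filtered out or left untouched by the sed expression.
avc_summary() {
    grep 'type=AVC' | grep 'denied' | sed -E \
        -e 's/.*\{ ([^}]*) \}.*comm="([^"]*)".*src=([0-9]+).*scontext=([^ ]+).*tcontext=([^ ]+).*tclass=([^ ]+).*/comm=\2 perm=\1 port=\3 source=\4 target=\5 class=\6/'
}

# Demo on the constructed record; the live equivalent is:
#   sudo grep AVC /var/log/audit/audit.log | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The summary line reads comm=httpd perm=name_bind port=82 source=system_u:system_r:httpd_t:s0 target=system_u:object_r:reserved_port_t:s0 class=tcp_socket, which is the same information sealert later phrases as "SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 82".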
In that lesson we fixed the policy violation by running:
sudo semanage port --add --type http_port_t --proto tcp 82
But how was I confident this would work? This is where a tool called sealert becomes very useful. This command will give you more human-friendly messages related to policy violations, and can provide different potential solutions to fix them, ranked in confidence order. The sealert command is provided as part of the setroubleshoot-server package, so make sure you have this installed. You may need to replicate your error again for the new tools to pick it up.
To view the policy violations along with sealert recommendations, you need to search the systemd journal:
Search journal for policy violations and apply recommended fix:
journalctl | grep sealert | grep httpd
This command will provide output similar to:
Aug 29 08:13:29 rhcsa-install.home.arpa setroubleshoot[6517]: \
SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 82. \
For complete SELinux messages run: \
sealert -l 111f6b83-d086-4ede-bdb4-b99e3e4ba889
This message more directly tells you the problem is related to port 82. It also tells you the command to run to get a more complete message:
sealert -l 111f6b83-d086-4ede-bdb4-b99e3e4ba889
I have stripped the output to only include the first suggestion on a fix for the violation. In this instance we can see with 99.5% confidence that we should run the command semanage port -a -t PORT_TYPE -p tcp 82. It has, however, given us a few options to choose from for the PORT_TYPE; in this instance we want to use http_port_t, as we made changes to the httpd service.
SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 82.
***** Plugin bind_ports (99.5 confidence) suggests ************************
If you want to allow /usr/sbin/httpd to bind to network port 82
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 82
where PORT_TYPE is one of the following: \
http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
To apply the fix you would run the semanage command below:
sudo semanage port -a -t http_port_t -p tcp 82
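One check worth making before running that command, shown here as an added example rather than part of the lesson: semanage port -a only works for a port that has no explicit label of its own. If the port already appears as a single entry in semanage port -l (port 80 under http_port_t, for instance), -a fails with an "already defined" error and semanage port -m (modify) is the verb to use instead. Range entries such as 1-511 for reserved_port_t are policy defaults that a single-port definition can sit on top of, which is why adding port 82 succeeds even though the AVC showed it carrying reserved_port_t. The function below reads semanage port -l style output (a constructed sample here; the column layout is assumed from that command) and prints the command to run; on a live system you would pipe sudo semanage port -l into it.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (header plus a few tcp rows).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
unreserved_port_t              tcp      1024-32767, 61001-65535'

# suggest_port_fix PORT PROTO WANTED_TYPE
# Reads semanage port -l output on stdin and prints the command that labels
# PORT as WANTED_TYPE:
#   no explicit entry for PORT            -> semanage port -a ...
#   explicit entry under another type     -> semanage port -m ...
#   explicit entry already WANTED_TYPE    -> nothing to do
# Only single-port entries count as "already defined", mirroring semanage,
# which rejects -a only when an identical port record exists; range entries
# (e.g. 1-511 reserved_port_t) are defaults that a single port may override.
suggest_port_fix() {
    port=$1; proto=$2; wanted=$3
    current=""
    while read -r type p list; do
        if [ "$p" = "$proto" ]; then
            # split the comma-separated port list into individual entries
            for entry in $(printf '%s' "$list" | tr ',' ' '); do
                if [ "$entry" = "$port" ]; then
                    current=$type
                fi
            done
        fi
    done
    if [ -z "$current" ]; then
        echo "semanage port -a -t $wanted -p $proto $port"
    elif [ "$current" != "$wanted" ]; then
        echo "semanage port -m -t $wanted -p $proto $port"
    else
        echo "port $proto/$port is already $wanted; nothing to do"
    fi
}

# Demo on the constructed listing; live use is:
#   sudo semanage port -l | suggest_port_fix 82 tcp http_port_t
printf '%s\n' "$SAMPLE_PORT_LIST" | suggest_port_fix 82 tcp http_port_t
printf '%s\n' "$SAMPLE_PORT_LIST" | suggest_port_fix 80 tcp http_cache_port_t
```

For port 82 the function prints the same semanage port -a command the lesson uses; for port 80, which is already http_port_t, it switches to semanage port -m, the case where a blind -a would error out.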