RHCSA - Manage Security: Diagnose & Address Routine SELinux Policy Violations

Diagnose & Address Policy Violations

To diagnose a policy violation you need to search for AVC messages within /var/log/audit/audit.log. If you have been following along with the course, we can search for the violation linked to the lesson Manage SELinux Port Labels, where we changed the httpd listen port from 80 to 82:

Search for AVC messages related to httpd:

sudo grep AVC /var/log/audit/audit.log | grep httpd

I have spread the output over multiple lines for readability, but it does not give much to go on other than that the command httpd was denied name_bind on a tcp_socket with src=82, meaning port 82. The tcontext of reserved_port_t shows that port 82 currently carries a label the httpd_t domain is not allowed to bind to.

type=AVC
msg=audit(1693293199.535:880): avc:  denied  { name_bind } for  
pid=6515 
comm="httpd" 
src=82 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:reserved_port_t:s0 
tclass=tcp_socket 
permissive=0

In that lesson we fixed the policy violation by running:

sudo semanage port --add --type http_port_t --proto tcp 82

But how was I confident this would work? This is where a tool called sealert becomes very useful. This command gives you more human-friendly messages related to policy violations, and can provide different potential solutions to fix them, ranked in confidence order.

The sealert command is provided as part of the setroubleshoot-server package, so make sure you have this installed. You may need to replicate your error again for the new tools to pick it up.

To view the policy violations along with sealert recommendations, you need to search the systemd-journal:

Search journal for policy violations and apply recommended fix:

journalctl | grep sealert | grep httpd

This command will provide output similar to:

Aug 29 08:13:29 rhcsa-install.home.arpa setroubleshoot[6517]: \
SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 82. \
For complete SELinux messages run: \
  sealert -l 111f6b83-d086-4ede-bdb4-b99e3e4ba889

This message more directly tells you the problem is related to port 82. It also tells you the command to run to get a more complete message:

sealert -l 111f6b83-d086-4ede-bdb4-b99e3e4ba889

I have stripped the output to only include the first suggested fix for the violation. In this instance we can see with 99.5% confidence that we should run the command semanage port -a -t PORT_TYPE -p tcp 82. It has, however, given us a few options to choose from for the PORT_TYPE; in this instance we want to use http_port_t, as we made changes to the httpd service.

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 82.

*****  Plugin bind_ports (99.5 confidence) suggests   ************************

If you want to allow /usr/sbin/httpd to bind to network port 82
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 82
    where PORT_TYPE is one of the following: \
      http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.

To apply the fix you would run the semanage command below:

sudo semanage port -a -t http_port_t -p tcp 82
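As an added example that is not part of the original lesson, this POSIX shell script pulls the fields the lesson reads by eye (comm, src, scontext, tclass) out of a name_bind AVC denial and prints the semanage port command to review before running it. The sample line is constructed to match the denial shown above; the httpd_t to http_port_t mapping is the one choice the lesson makes, and any other domain gets a PORT_TYPE placeholder for the admin to fill in.

```shell
#!/bin/sh
# Added example (not from the original post): turn an AVC name_bind denial
# into the semanage port command the lesson arrives at by hand.
# Constructed sample line, shaped like the denial shown in the lesson.
SAMPLE_AVC='type=AVC msg=audit(1693293199.535:880): avc:  denied  { name_bind } for  pid=6515 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY -> value of KEY=... (quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# port_type_for DOMAIN -> port type to label with. Only httpd_t -> http_port_t
# is taken from the lesson; anything else is left for the admin to choose.
port_type_for() {
    case "$1" in
        httpd_t) echo http_port_t ;;
        *) echo PORT_TYPE ;;
    esac
}

# suggest_port_fix LINE -> prints a semanage port command for a name_bind
# denial on a tcp or udp socket; returns 1 for any other kind of denial.
suggest_port_fix() {
    line=$1
    case "$line" in
        *'denied  { name_bind }'*) ;;   # only port-binding denials
        *) return 1 ;;
    esac
    tclass=$(avc_field "$line" tclass)
    case "$tclass" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac
    port=$(avc_field "$line" src)
    # third colon-separated field of the source context is the domain type
    domain=$(avc_field "$line" scontext | cut -d: -f3)
    ptype=$(port_type_for "$domain")
    printf 'semanage port -a -t %s -p %s %s\n' "$ptype" "$proto" "$port"
}

# Walk the real audit log when it is readable (run with sudo), otherwise
# show the result for the constructed sample line.
if [ -r /var/log/audit/audit.log ]; then
    grep 'avc:  denied' /var/log/audit/audit.log | while IFS= read -r l; do
        suggest_port_fix "$l" || true
    done
else
    suggest_port_fix "$SAMPLE_AVC"
fi
```

The printed command is a starting point only: check the candidate PORT_TYPE against semanage port -l before applying it, as sealert does when it lists several types.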
