Monday, 13 June 2011

Diagnose and address routine SELinux policy violations

You have three main tools for diagnosing SELinux policy violations:
  1. the audit log (/var/log/audit/audit.log), where every denial is recorded as an AVC record
  2. ls -Z, which shows the security context (user:role:type:level) of files
  3. ps -AZ, which shows the security context of running processes
Recognising that the problem lies with SELinux at all is half the battle. The audit log tells you which process context was denied which permission on which object context, and ls -Z and ps -AZ let you confirm that the file and process really carry those contexts.

In order to address the policy violations that you encounter, you will need the audit2why and audit2allow commands, which are in the policycoreutils-python package:
yum install policycoreutils-python
To illustrate how to use this, set SELinux to enforcing:
setenforce 1
Save your iptables configuration to a file in root's home directory:
iptables-save > mytables.txt
The shell (running unconfined) creates the file, but iptables-save, which runs in the iptables_t domain, is not allowed to write to it, so the file ends up empty. Check the audit log and you'll see the following AVC record:
type=AVC msg=audit(1307819809.595:16342): avc:  denied  { write } for  pid=22969 comm="iptables-save" path="/root/mytables.txt" dev=sda3 ino=144189 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Copy this line to a file, say iptables.audit, and run:
audit2why < iptables.audit
You'll get this output:
 Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
This confirms that the access is blocked by SELinux policy rather than by file permissions, so now let's resolve it:
audit2allow -M iptables -i iptables.audit
This writes two files: iptables.te, the human-readable type enforcement source, and iptables.pp, the compiled policy module. Read the .te file before going any further: the single rule it contains grants the iptables_t domain write access to every file of type admin_home_t, i.e. everything under /root, not just mytables.txt. audit2allow generates exactly what the denial asked for and nothing stops you from loading a far broader rule than you intended. If you are happy with it, install the module (as root) with:
semodule -i iptables.pp
Now you can save your iptables configuration to that file. The alternative, which needs no custom module, is to save to the location the stock policy already expects, for example with service iptables save.
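The procedure above hides what audit2allow actually does with an AVC record: it takes the type from the scontext, the type from the tcontext, the tclass and the permissions in the braces, and turns them into an allow rule plus the require block a module needs. The script below is an added example, not code from the post or from the policycoreutils project; it reproduces that transformation for one or many AVC lines so you can see the rule before you ever build a .pp, and it runs on any machine with a POSIX shell, awk and sed (no SELinux required). The sample AVC line is constructed from the one in the post; the function names and the module name "iptables" are the example's own choices. Unlike audit2allow it always writes the permission list in braces, which checkpolicy accepts equally for one or several permissions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): derive the type enforcement
# rule that audit2allow would generate from an AVC denial record.

# Constructed sample input, copied from the denial shown in the post.
AVC_SAMPLE='type=AVC msg=audit(1307819809.595:16342): avc:  denied  { write } for  pid=22969 comm="iptables-save" path="/root/mytables.txt" dev=sda3 ino=144189 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of the "KEY=value" token in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT -> the type, i.e. the third field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p' | tr -s ' '
}

# gen_rule LINE -> "allow <source type> <target type>:<class> { perms };"
gen_rule() {
    local line="$1" stype ttype tclass perms
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# gen_te MODNAME < AUDITLOG -> .te source in the shape audit2allow -M emits:
# module header, a require block naming every type and class used, then one
# deduplicated allow rule per distinct denial. Non-AVC lines are ignored.
gen_te() {
    local name="$1" rules
    rules=$(grep 'avc: *denied' | while IFS= read -r line; do gen_rule "$line"; done | sort -u)
    [ -n "$rules" ] || { echo "no AVC denials on stdin" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # every type referenced by a rule must be declared in the require block
    printf '%s\n' "$rules" | awk '{ t = $3; sub(/:.*/, "", t); print $2; print t }' | sort -u |
        while IFS= read -r t; do printf '\ttype %s;\n' "$t"; done
    # merge the permissions of all rules on the same object class
    printf '%s\n' "$rules" | awk '
        { split($3, a, ":"); cls = a[2]
          p = $0; sub(/^[^{]*\{ */, "", p); sub(/ *\}.*$/, "", p)
          n = split(p, ps, " ")
          for (i = 1; i <= n; i++) if (!seen[cls, ps[i]]++) perms[cls] = perms[cls] " " ps[i] }
        END { for (c in perms) printf "\tclass %s {%s };\n", c, perms[c] }'
    printf '}\n\n%s\n' "$rules"
}

# Demonstration: the rule for the post's denial, then the full module source.
echo "rule: $(gen_rule "$AVC_SAMPLE")"
echo
printf '%s\n' "$AVC_SAMPLE" | gen_te iptables
```

Feed a real log through it with gen_te mymodule < /var/log/audit/audit.log and compare the result with the .te that audit2allow -M writes; reading the rules in this form makes it obvious when a "fix" is really a grant of write access to a whole type such as admin_home_t.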

As mentioned in a previous post, in dev/testing you should set SELinux to permissive (setenforce 0) before you start. Permissive mode still logs every denial but does not block anything, so a task that would have tripped several violations one after another produces all of its AVC records in one run. You can then feed the whole log to audit2allow once and build a single module, instead of discovering the violations one at a time in enforcing mode and creating loads of modules unnecessarily. Whatever the mode, read the generated .te before installing it.
