feat: complete RAG runbook workflow and release docs
Some checks failed
CI / test (push) Failing after 15s
112
runbooks/selinux.md
Normal file
@@ -0,0 +1,112 @@
---
service: selinux
symptoms: permission denied despite correct unix permissions, service blocked by selinux, avc denied, file context mismatch, port binding denied, boolean missing, domain transition failure
tags: selinux, avc, enforcing, security, policy, restorecon, audit, sealert, semanage
---
## Symptoms
- Service gets `Permission denied` even though file ownership and mode look correct
- Process cannot bind to a port or open a file after a config change
- AVC denials appear in audit logs
- App works when SELinux is permissive but fails in enforcing mode
- Newly created files under custom paths are inaccessible to a confined service
## Diagnostics
### Confirm SELinux mode and policy
```
getenforce
sestatus
cat /etc/selinux/config
```
If SELinux is `Permissive`, denials are logged but not enforced.
### Check AVC denials
```
auditctl -s
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
journalctl -t setroubleshoot -n 50
dmesg | grep -i -e type=1300 -e type=1400
```
AVC denials are the primary source of truth for SELinux policy failures.
If AVCs are missing but SELinux still appears involved, temporarily disable `dontaudit` rules to expose hidden denials:
```
semodule -DB
```
Re-enable them after reproducing the issue:
```
semodule -B
```
### Inspect file contexts
```
ls -lZ /path/to/file
ps -eZ | grep <service>
matchpathcon -V /path/to/file
```
A service can have correct Unix permissions and still fail if the SELinux context is wrong.
### Check port labeling and booleans
```
semanage port -l | grep <port>
getsebool -a | grep <service-or-feature>
semanage boolean -l | grep <service-or-feature>
```
Custom ports often require explicit SELinux port labels.
### Check for relabeling needs
```
restorecon -nRv /path
matchpathcon /path/to/file
sealert -l "*"
```
`restorecon -n` shows what would change without modifying labels.
`sealert` is often the fastest way to turn a raw AVC into a concrete fix, but treat `audit2allow` suggestions as a last resort, not a first response.
## Remediation
**Wrong file context:**
Restore the default context:
```
restorecon -Rv /path
```
**Custom application path needs persistent labeling:**
```
semanage fcontext -a -t <type> '/custom/path(/.*)?'
restorecon -Rv /custom/path
```
**Custom port binding denied:**
Add the port label required by the service type:
```
semanage port -a -t <port_type> -p tcp <port>
```
**Boolean disabled:**
Enable the needed boolean persistently:
```
setsebool -P <boolean_name> on
```
**Still unsure whether SELinux is the blocker:**
Temporarily switch to permissive mode and reproduce the issue:
```
setenforce 0
```
If the problem still occurs, SELinux is not the root cause.
Do not disable SELinux or generate custom policy modules as a first response. Fix labels, booleans, or port mappings first.
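Review bot: the `setenforce 0` step under **Still unsure whether SELinux is the blocker** has no matching restoration step, so a host worked through this runbook can be left permissive after the test; add `setenforce 1` (followed by `getenforce` to confirm) immediately after "If the problem still occurs, SELinux is not the root cause", and mention `semanage permissive -a <domain_t>` as the narrower alternative that puts only the affected domain into permissive mode instead of the whole system. Also, under **Custom port binding denied**, `semanage port -a` fails when the port already carries a label of another type (the tool reports the port as already defined); note that `semanage port -m -t <port_type> -p tcp <port>` is the form to use in that case, and that `semanage port -l | grep <port>` from the Diagnostics section tells the operator which form applies.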