---
service: selinux
symptoms: permission denied despite correct unix permissions, service blocked by selinux, avc denied, file context mismatch, port binding denied, boolean missing, domain transition failure
tags: selinux, avc, enforcing, security, policy, restorecon, audit, sealert, semanage
---

## Symptoms

- Service gets `Permission denied` even though file ownership and mode look correct
- Process cannot bind to a port or open a file after a config change
- AVC denials appear in audit logs
- App works when SELinux is permissive but fails in enforcing mode
- Newly created files under custom paths are inaccessible to a confined service

## Diagnostics

Values in angle brackets are placeholders for the service, port, type, or boolean under investigation.

### Confirm SELinux mode and policy

```
getenforce
sestatus
cat /etc/selinux/config
```

If SELinux is `Permissive`, denials are logged but not enforced.

### Check AVC denials

```
auditctl -s
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
journalctl -t setroubleshoot -n 50
dmesg | grep -i -e type=1300 -e type=1400
```

AVC denials are the primary source of truth for SELinux policy failures.

If AVCs are missing but SELinux still appears involved, temporarily disable `dontaudit` rules to expose hidden denials:

```
semodule -DB
```

Re-enable them after reproducing the issue:

```
semodule -B
```

### Inspect file contexts

```
ls -lZ /path/to/file
ps -eZ | grep <service>
matchpathcon -V /path/to/file
```

A service can have correct Unix permissions and still fail if the SELinux context is wrong.

### Check port labeling and booleans

```
semanage port -l | grep <port-or-type>
getsebool -a | grep <keyword>
semanage boolean -l | grep <keyword>
```

Custom ports often require explicit SELinux port labels.

### Check for relabeling needs

```
restorecon -nRv /path
matchpathcon /path/to/file
sealert -l "*"
```

`restorecon -n` shows what would change without modifying labels.

`sealert` is often the fastest way to turn a raw AVC into a concrete fix, but treat `audit2allow` suggestions as a last resort, not a first response.
## Remediation

**Wrong file context:** Restore the default context:

```
restorecon -Rv /path
```

**Custom application path needs persistent labeling:**

```
semanage fcontext -a -t <type> '/custom/path(/.*)?'
restorecon -Rv /custom/path
```

**Custom port binding denied:** Add the port label required by the service type:

```
semanage port -a -t <port_type> -p tcp <port>
```

**Boolean disabled:** Enable the needed boolean persistently:

```
setsebool -P <boolean> on
```

**Still unsure whether SELinux is the blocker:** Temporarily switch to permissive mode and reproduce the issue:

```
setenforce 0
```

If the problem still occurs in permissive mode, SELinux is not the root cause. Return to enforcing mode with `setenforce 1` as soon as you have reproduced the issue; `setenforce` does not persist across a reboot.

Do not disable SELinux or generate custom policy modules as a first response. Fix labels, booleans, or port mappings first.
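The AVC records gathered under Diagnostics map almost mechanically onto the Remediation families above. The following Python triage helper is an added example, not part of this runbook: it parses raw `audit.log` AVC lines (the embedded samples are constructed, not captured from a real host), labels each as a port-label, file-context, boolean/policy, or permissive-only denial, and names the first check from this page to run; the `_field`, `classify` and `triage` names and the `MISLABEL_TYPES` heuristic are assumptions of the example.

```python
import re
# Constructed sample records in raw audit.log format (not captured from a real host).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.100:101): avc:  denied  { name_bind } for  pid=1201 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.200:102): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="vda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.300:103): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
# Generic target types that usually mean the path was never labeled for the service (heuristic).
MISLABEL_TYPES = {"default_t", "unlabeled_t", "user_home_t", "admin_home_t", "tmp_t", "var_t"}

def _field(record: str, key: str) -> str:
    m = re.search(r'\b%s="?([^"\s]+)"?' % re.escape(key), record)
    return m.group(1) if m else "?"

def classify(record: str) -> dict:
    """Map one AVC line to the remediation family a responder should try first."""
    m = AVC_RE.search(record)
    if not m:
        return {"category": "not_avc"}
    perms, tclass = m.group("perms").split(), m.group("tclass")
    sdom, ttype = (m.group(k).split(":")[2] for k in ("sctx", "tctx"))  # user:role:type:level
    out = {"domain": sdom, "comm": _field(record, "comm"), "ttype": ttype, "tclass": tclass}
    if m.group("permissive") == "1":
        out["category"] = "logged_only"  # permissive: denial was recorded but not enforced
        out["check"] = "getenforce; semanage permissive -l"
    elif tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        port = _field(record, "src")
        out["category"] = "port_label"
        out["check"] = f"semanage port -l | grep -w {port}"
    elif tclass in FILE_CLASSES and ttype in MISLABEL_TYPES:
        out["category"] = "file_context"
        out["check"] = f"matchpathcon -V <path to {_field(record, 'name')}>; restorecon -nRv <path>"
    else:
        out["category"] = "boolean_or_policy"
        out["check"] = f"getsebool -a | grep {out['comm']}; sealert -l '*'"
    return out

def triage(audit_text: str) -> list:
    # Classify every AVC record in a block of audit output, skipping other record types.
    return [r for r in map(classify, audit_text.splitlines()) if r["category"] != "not_avc"]

if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        print(f'{r["category"]:<18} {r["domain"]} -> {r["ttype"]} ({r["tclass"]}): {r["check"]}')
```

Feed it `ausearch -m AVC -ts recent` output to get the same grouping on a live host; a `boolean_or_policy` result is the cue to look at `sealert`, not to reach for `audit2allow`.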