| service | symptoms | tags |
|---|---|---|
| selinux | permission denied despite correct unix permissions, service blocked by selinux, avc denied, file context mismatch, port binding denied, boolean missing, domain transition failure | selinux, avc, enforcing, security, policy, restorecon, audit, sealert, semanage |
Symptoms
- Service gets `Permission denied` even though file ownership and mode look correct
- Process cannot bind to a port or open a file after a config change
- AVC denials appear in audit logs
- App works when SELinux is permissive but fails in enforcing mode
- Newly created files under custom paths are inaccessible to a confined service
Diagnostics
Confirm SELinux mode and policy
getenforce
sestatus
cat /etc/selinux/config
If SELinux is Permissive, denials are logged but not enforced.
Check AVC denials
auditctl -s
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
journalctl -t setroubleshoot -n 50
dmesg | grep -i -e type=1300 -e type=1400
AVC denials are the primary source of truth for SELinux policy failures.
If AVCs are missing but SELinux still appears involved, temporarily disable dontaudit rules to expose hidden denials:
semodule -DB
Re-enable them after reproducing the issue:
semodule -B
Inspect file contexts
ls -lZ /path/to/file
ps -eZ | grep <service>
matchpathcon -V /path/to/file
A service can have correct Unix permissions and still fail if the SELinux context is wrong.
Check port labeling and booleans
semanage port -l | grep <port>
getsebool -a | grep <service-or-feature>
semanage boolean -l | grep <service-or-feature>
Custom ports often require explicit SELinux port labels.
Check for relabeling needs
restorecon -nRv /path
matchpathcon /path/to/file
sealert -l "*"
restorecon -n shows what would change without modifying labels.
sealert is often the fastest way to turn a raw AVC into a concrete fix, but treat audit2allow suggestions as a last resort, not a first response.
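The raw AVC records above are verbose; the following added example (not part of the original runbook) folds a batch of them, as `ausearch` prints them, into one line per distinct source domain, target type, class and permission, with a heuristic hint pointing at the matching remediation. The sample records are constructed; the hint rules are an assumption, not policy-derived.

```shell
#!/bin/sh
# Added example: summarise AVC denial records into "who -> what" triage lines.
set -eu

# Constructed sample records in the layout ausearch/audit.log use (not real data).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc: read AVC records on stdin; print "<count> <src_type> -> <tgt_type>:<class> <perms> [hint]"
# sorted by count. The hint is a heuristic: socket bind -> port label, file/dir -> file
# context, anything else -> look at booleans first.
summarize_avc() {
  awk '
    /avc: *denied/ {
      perm = ""; sctx = ""; tctx = ""; cls = ""
      # permission set is printed as "{ read open }"; trim braces/spaces, join with commas
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") { split(kv[2], p, ":"); sctx = p[3] }   # user:role:TYPE:level
        if (kv[1] == "tcontext") { split(kv[2], p, ":"); tctx = p[3] }
        if (kv[1] == "tclass")   cls = kv[2]
      }
      count[sctx " " tctx " " cls " " perm]++
    }
    END {
      for (k in count) {
        split(k, f, " ")
        hint = "boolean (getsebool -a / setsebool -P)"
        if (f[3] ~ /_socket$/ && f[4] ~ /bind/) hint = "port label (semanage port)"
        else if (f[3] == "file" || f[3] == "dir") hint = "file context (restorecon / semanage fcontext)"
        printf "%d %s -> %s:%s %s  [%s]\n", count[k], f[1], f[2], f[3], f[4], hint
      }
    }' | sort -rn
}

# Stand-alone run over the constructed sample; in practice pipe ausearch output in instead.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```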
Remediation
Wrong file context: Restore the default context:
restorecon -Rv /path
Custom application path needs persistent labeling:
semanage fcontext -a -t <type> '/custom/path(/.*)?'
restorecon -Rv /custom/path
Custom port binding denied: Add the port label required by the service type:
semanage port -a -t <port_type> -p tcp <port>
Boolean disabled: Enable the needed boolean persistently:
setsebool -P <boolean_name> on
Still unsure whether SELinux is the blocker: Temporarily switch to permissive mode and reproduce the issue:
setenforce 0
If the problem still occurs, SELinux is not the root cause.
Do not disable SELinux or generate custom policy modules as a first response. Fix labels, booleans, or port mappings first.