zphinx/tai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
57f4c0efaa0a4b58c42c59f9c53d23546a5cf8fa
tai/runbooks/selinux.md
zphinx 57f4c0efaa
Some checks failed
CI / test (push) Failing after 15s
Details
feat: complete RAG runbook workflow and release docs
2026-05-06 04:48:41 +02:00

113 lines
2.8 KiB
Markdown
Raw Blame History

---
service: selinux
symptoms: permission denied despite correct unix permissions, service blocked by selinux, avc denied, file context mismatch, port binding denied, boolean missing, domain transition failure
tags: selinux, avc, enforcing, security, policy, restorecon, audit, sealert, semanage
---
## Symptoms
- Service gets `Permission denied` even though file ownership and mode look correct
- Process cannot bind to a port or open a file after a config change
- AVC denials appear in audit logs
- App works when SELinux is permissive but fails in enforcing mode
- Newly created files under custom paths are inaccessible to a confined service
## Diagnostics
### Confirm SELinux mode and policy
```
getenforce
sestatus
cat /etc/selinux/config
```
If SELinux is `Permissive`, denials are logged but not enforced.
### Check AVC denials
```
auditctl -s
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
journalctl -t setroubleshoot -n 50
dmesg | grep -i -e type=1300 -e type=1400
```
AVC denials are the primary source of truth for SELinux policy failures.
If AVCs are missing but SELinux still appears involved, temporarily disable `dontaudit` rules to expose hidden denials:
```
semodule -DB
```
Re-enable them after reproducing the issue:
```
semodule -B
```
### Inspect file contexts
```
ls -lZ /path/to/file
ps -eZ | grep <service>
matchpathcon -V /path/to/file
```
A service can have correct Unix permissions and still fail if the SELinux context is wrong.
### Check port labeling and booleans
```
semanage port -l | grep <port>
getsebool -a | grep <service-or-feature>
semanage boolean -l | grep <service-or-feature>
```
Custom ports often require explicit SELinux port labels.
### Check for relabeling needs
```
restorecon -nRv /path
matchpathcon /path/to/file
sealert -l "*"
```
`restorecon -n` shows what would change without modifying labels.
`sealert` is often the fastest way to turn a raw AVC into a concrete fix, but treat `audit2allow` suggestions as a last resort, not a first response.
## Remediation
**Wrong file context:**
Restore the default context:
```
restorecon -Rv /path
```
**Custom application path needs persistent labeling:**
```
semanage fcontext -a -t <type> '/custom/path(/.*)?'
restorecon -Rv /custom/path
```
**Custom port binding denied:**
Add the port label required by the service type:
```
semanage port -a -t <port_type> -p tcp <port>
```
**Boolean disabled:**
Enable the needed boolean persistently:
```
setsebool -P <boolean_name> on
```
**Still unsure whether SELinux is the blocker:**
Temporarily switch to permissive mode and reproduce the issue:
```
setenforce 0
```
If the problem still occurs, SELinux is not the root cause.
Do not disable SELinux or generate custom policy modules as a first response. Fix labels, booleans, or port mappings first.
Reference in New Issue View Git Blame Copy Permalink