Troubleshooting SELinux

Hands-On Lab

Stosh Oldham

Course Development Director in Content

Length

00:30:00

Difficulty

Advanced

Mandatory access control (MAC) is an essential element of modern system security. SELinux is a common MAC implementation that engineers must understand well in order to apply sound security practices to production systems. This exercise covers a common MAC-related task: troubleshooting a system that is producing errors because of SELinux.

Introduction

The website is down! The primary company web page is not presenting correctly, and the sales team is looking to you to fix it. A new junior security engineer was asking about SELinux and the web server earlier in the day. Checking out the www server's SELinux configuration may be a good place to start looking. Verify the error by attempting to access localhost:80/index.html on the www server and correct any issues.

Summary tasks list:

  • Verify there is an error by trying to access localhost:80/index.html using curl on the www host and check the audit log using sealert. Direct the output from sealert to /home/cloud_user/seinfo.txt.
  • Examine /home/cloud_user/seinfo.txt to figure out what is wrong and fix the error regarding /var/www/html/index.html.
  • Restart httpd to check for other possible issues and correct any issues you might find.
  • Confirm localhost:80/index.html loads correctly with curl on the www host.

Solution

Start by logging in to the lab server using the credentials provided on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Verify there is an error

  1. Verify there is an error by trying to access localhost:80/index.html using curl on the www host:

    curl localhost:80/index.html
  2. Check the audit log using sealert and direct the output from sealert to /home/cloud_user/seinfo.txt:

    sudo sealert -a /var/log/audit/audit.log > /home/cloud_user/seinfo.txt

Figure out what is wrong and fix the error

  1. Reviewing the seinfo.txt file should show that the SELinux context on /var/www/html/index.html is incorrect.

    sudo less /home/cloud_user/seinfo.txt

    At the bottom of the file, we should see the SELinux alert, as well as a suggested way to fix the issue.

  2. Fix the issue:

    sudo /sbin/restorecon -v /var/www/html/index.html
  3. Verify that the issue is resolved:

    curl localhost:80/index.html

Check for other possible issues and correct any issues you might find

Restart httpd to check for other possible issues and correct any issues you might find.

  1. Restart Apache:

    sudo systemctl restart httpd

    > Note: httpd should fail to restart.

  2. Based on journalctl -xe (or by re-examining the audit log with sealert), you will see that the file context is incorrect on /etc/httpd/conf/httpd.conf.

    journalctl -xe

    > We are looking for the httpd: Could not open configuration file... line.

  3. Verify the SELinux context on /etc/httpd/conf/httpd.conf:

    ls -lZ /etc/httpd/conf/httpd.conf

    > The user_home_dir_t context is set on this file, which is not correct.

  4. Run restorecon to fix the context on httpd.conf:

    sudo /sbin/restorecon /etc/httpd/conf/httpd.conf
  5. Verify the SELinux context was updated:

    ls -lZ /etc/httpd/conf/httpd.conf

    > The context has been correctly set to httpd_config_t.

  6. Start Apache again (the earlier restart left it stopped) and the service should be restored.

    sudo systemctl start httpd

Confirm the error is resolved

  1. Confirm localhost:80/index.html loads correctly with curl on the www host.

    curl localhost:80/index.html
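The lab relies on sealert to spell out which file carries the wrong label. As an added example that is not part of the lab, the shell helpers below pull the same facts (process, file name, target type) out of raw AVC records and flag the user-home labels seen in this scenario. The function names and the sample audit lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed AVC records mirroring this lab: httpd denied access to two
# files carrying user-home labels, plus one unrelated port denial.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.205:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="httpd.conf" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.300:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Read AVC lines on stdin; print "<comm> <name> <target type>" for each
# tclass=file denial. Socket/port denials are skipped: they are fixed with
# booleans or port labels, not with restorecon.
avc_file_denials() {
    awk '/type=AVC/ {
        comm = ""; name = ""; ttype = ""; isfile = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "tclass=file")   isfile = 1
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            # tcontext=user:role:type:level -> keep the type field only
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        if (isfile) print comm, name, ttype
    }'
}

# Flag targets labelled with a user-home type, the symptom in this lab
# (typically a file moved out of a home directory with mv, which keeps the
# source label). Prints "restorecon-candidate <name> (<type>)".
mislabeled_home_types() {
    avc_file_denials | awk '$3 ~ /^user_home(_dir)?_t$/ {
        print "restorecon-candidate", $2, "(" $3 ")"
    }'
}

# Example run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | mislabeled_home_types
```

On the lab host the same functions can be fed with the real records, for example `sudo grep type=AVC /var/log/audit/audit.log | mislabeled_home_types`.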

Conclusion

Congratulations, you've completed this hands-on lab!