Troubleshooting SELinux issues

Hands-On Lab


Michael Christian

Course Development Director in Content

Length

01:00:00

Difficulty

Advanced

In this exercise, you will troubleshoot SELinux issues preventing a service from starting, as well as functioning correctly.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Introduction

Successfully start Apache and have it serve content from the configured location by resolving SELinux issues.

Solution

Start by logging in to the lab server using the credentials provided on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Become the root user:

sudo su -

Start Apache

  1. Attempt to start the service:

    systemctl start httpd
  2. View the status log:

    systemctl status httpd -l
  3. View the audit.log file for the error:

    tail /var/log/audit/audit.log
  4. View recent SELinux errors:

    ausearch -m avc -ts recent
  5. Find the inode it's attempting to write to:

    find / -inum <inode number>
  6. View the SELinux context of the directory/file:

    ls -Z /var/log/httpd
  7. Restore the proper file context:

    restorecon -Rv /var/log/httpd
  8. We should be able to start Apache now:

    systemctl start httpd

Resolve SELinux issues preventing web content from being viewed

  1. Attempt to view the web content:

    curl localhost
  2. View recent AVC errors:

    ausearch -m avc -ts recent
  3. Find the inode of the file/directory:

    find / -inum <inode number>
  4. View the context of the file/directory:

    ls -Z /home/cloud_user/html/index.html
  5. Install sealert:

    yum -y install setroubleshoot setroubleshoot-server
  6. Restart the auditd service:

    service auditd restart
  7. Use sealert for more information:

    sealert -a /var/log/audit/audit.log
  8. Look up the httpd_read_user_content boolean:

    getsebool httpd_read_user_content
  9. Set the boolean to permit reading user content:

    setsebool -P httpd_read_user_content=1
  10. View the web content:

    curl localhost
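Both procedures above follow the same loop: read the AVC denial, pull out the inode and the target context, then decide between a relabel (restorecon) and a policy boolean (setsebool). The script below is an added example, not part of the lab, that automates that triage over audit records piped into it. The two AVC lines are constructed to mirror the lab's two failures (a mislabelled log directory and a file under a user's home); the var_log_t/user_home_t mapping is an assumption covering only those two cases.

```shell
#!/bin/sh
# Constructed sample AVC records (not captured from a real host): a write denied on a
# mislabelled log directory, and a read denied on a file labelled user_home_t.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="httpd" dev="vda1" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="vda1" ino=654321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... from one audit record.
# Values may be bare (ino=123456) or double-quoted (comm="httpd"); quotes are stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_triage: read audit records on stdin, keep only AVC denials, and print
#   <inode> <permission> <target type> <suggested next command>
# Assumed mapping (only the two cases this lab covers): a target already carrying
# user_home_t is a boolean job; anything else is treated as a possible mislabel,
# so the next step is to locate the inode and inspect/restore its context.
avc_triage() {
    while IFS= read -r line; do
        case $line in *"avc:"*"denied"*) ;; *) continue ;; esac
        ino=$(avc_field "$line" ino)
        ttype=$(avc_field "$line" tcontext | cut -d: -f3)
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([a-z_ ]*\) }.*/\1/p')
        case $ttype in
            user_home_t) action="setsebool -P httpd_read_user_content=1" ;;
            *)           action="find / -inum $ino (then ls -Z and restorecon -Rv on the directory)" ;;
        esac
        printf '%s %s %s %s\n' "$ino" "$perm" "$ttype" "$action"
    done
}

# Stand-alone run over the constructed sample; on a lab host you would instead use:
#   ausearch -m avc -ts recent | avc_triage
printf '%s\n' "$SAMPLE_AVC" | avc_triage
```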

Conclusion

Congratulations, you've completed this hands-on lab!