Troubleshooting SELinux

SELinux has been part of the Linux kernel since version 2.6, in 2003. For many years, however, the common practice on most installations was simply to disable SELinux. The usual reasons cited were that the rules were too complex to set up and that it was hard to troubleshoot why something failed.

To find out whether an operation is being blocked by SELinux rules, switch SELinux from enforcing to permissive mode: denied calls are then logged but not blocked.

setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

I have also found a good page that explains how to read the debugging details. Even in permissive mode some denials stay hidden, because the policy's dontaudit rules suppress them; they are made visible by rebuilding the policy with dontaudit rules disabled:

semodule -DB

Once this is done, denial entries start to appear in /var/log/audit/audit.log. The next problem is how to resolve these denials so that they do not affect the operation of the installed application. This is where the audit2allow tool comes in.

audit2allow takes the denial entries and converts them into a policy module ready to be loaded. An example, where new_module is the name of the module:

grep denied /var/log/audit/audit.log | audit2allow -M new_module

This command generates two files, new_module.te and new_module.pp. Review the new_module.te file: it describes the policy changes that will be made to SELinux. A useful feature is that the .te file notes when some of the AVC denials can instead be resolved by enabling other default modules. If all of the denials can be resolved that way, you do not need to load this custom module at all.

If no such option is available, install the custom policy package with:

semodule -i new_module.pp

SELinux can then be put back into enforcing mode with:

setenforce 1 && sed -i 's/^SELINUX=.*/SELINUX=enforcing/g' /etc/selinux/config
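Before feeding the log into audit2allow, it helps to see exactly which source domains, target types, object classes and permissions are being denied, since audit2allow will allow everything it is given. The script below is an added example, not part of the original post; it summarises AVC denials from a constructed audit.log excerpt (the sample lines, PIDs and contexts are made up for illustration) and skips SYSCALL records and "granted" entries that a plain grep for "denied" might also catch.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log (not from a real system).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1639000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1639000000.123:456): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1639000001.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1639000002.789:458): avc:  denied  { read } for  pid=1236 comm="httpd" name="about.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1639000003.000:459): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# avc_summary: read audit records on stdin and print one line per distinct
# "source type -> target type class { permissions }" tuple, with its count.
# Only type=AVC records that contain "denied" are considered.
avc_summary() {
    awk '
        /type=AVC/ && / denied / {
            # The permission set sits between "denied  {" and "}".
            perms = $0
            sub(/.*denied +[{] /, "", perms)
            sub(/ [}].*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src) }
                if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
                if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
            }
            # Keep only the type field (user:role:type:level) of each context.
            split(src, s, ":"); split(tgt, t, ":")
            key = s[3] " -> " t[3] " " cls " { " perms " }"
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# distinct_denials: number of distinct denial tuples in the sample.
distinct_denials() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary | wc -l | tr -d ' '
}

# Usage: summarise the sample (on a real host: avc_summary < /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
```

On the sample this prints two lines: one name_connect denial from httpd_t to mysqld_port_t (a tcp_socket) and two read denials from httpd_t on files labelled user_home_t. Seen this way, the second tuple is usually a labelling problem (content served from a home directory) rather than something to allow in a custom module, which is the kind of judgement to make while reviewing new_module.te. Note also that semodule -DB leaves dontaudit rules disabled until the policy is rebuilt again with semodule -B, so run that once troubleshooting is finished to keep the audit log quiet.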
