Big SELinux troubleshooting chart
Milos Malik
mmalik (at) redhat (dot) com
Red Hat Czech
BaseOS QE Security
http://bit.ly/bSELtchart
Why?
● High number of reported bugs against selinux-policy
● Some of them are easy to solve
● SELinux troubleshooting is not as difficult as you think
● SELinux documentation may lack some practical steps
● Scope = targeted policy
● Audience = sysadmin, devel, qe, gss
Benefits
● ability to solve easy issues on your own
● improved troubleshooting skills
● the chart guides you through the troubleshooting process
● time-tested workflow
Workshop structure
● parts of the chart
● whole chart
● your questions
● let's apply the chart on some bugs
● feedback
High-level overview
● Identification → Analysis → Conservative solution → Radical solution → Workaround needed → Problem solved
Problem identification
● ausearch
● audit daemon
● dmesg
● /var/log/messages or journal
● sealert
● setroubleshoot applet
Analysis
● Is the context of the process wrong? (source)
● Is the context of the object wrong? (target)
● Is a type definition missing?
● Is a rule missing?
● Is there another discrepancy?
● Why did it happen?
● Do we see the root cause or a consequence?
Conservative solutions
● Follow the best practices
● Enabling / disabling of booleans
● Change of network port definitions
● Change of file context definitions
● Making a domain permissive
Radical solutions
● Adding rules for existing policy types
● Defining new types
● Adding rules for new types
● Additional policy modules
Workaround needed
● Constraints and overrides
● Where? Kernel, application or selinux-policy
● Developer expertise / magic is needed
● How to find a workaround?
How to walk through the chart?
● Starting point
● Minimum is 2 iterations (scenario executed in enforcing and in permissive mode)
● Step by step approach (which does not switch the whole system to permissive mode) may need more iterations
● Get to the end point
Questions?
Does it work?
● Let's apply the chart on a prepared list of bugs:
– BZ#1261309
– BZ#1115601
– BZ#1101028
– BZ#1296238
● Does the audience propose some bugs?
Opportunities
● Creative web presentation designer / implementor wanted
● Feedback is appreciated
● The chart will evolve based on new kinds of bugs or available tools
Detailed slides follow
● Homework study for the audience
● Each node of the chart is identified by a unique number and described
1. is SELinux enabled?
● sestatus
● getenforce
● Enforcing or permissive mode means that SELinux is enabled
2. this chart does not help you
● The issue you encountered is not caused by SELinux
● You can enable SELinux either in the /etc/selinux/config file or on the kernel command line
3. run your scenario
● You may repeat this step several times, because some issues are difficult to investigate
4. does it work as expected?
● All expected functions of the scenario are present
5. what does ausearch say?
● ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
● -ts start-time
● -te end-time
6. is audit daemon running?
● service auditd status
7. start the audit daemon
● service auditd start
● to get the complete information about an SELinux denial we need to see it in the form of an audit message
● if you add "-w /etc/shadow -p w" to the /etc/audit/rules.d/audit.rules file and restart the daemon, then the audit messages will contain full paths: once at least one audit rule is loaded, the kernel records SYSCALL and PATH records next to each AVC, and a watch on writes to /etc/shadow is a rule that rarely fires on its own
8. do you see SELinux denials in /var/log/messages or in
journal?
● if the audit daemon is not running but a syslog daemon or systemd is running, then SELinux denials are not written into /var/log/audit/audit.log; the kernel emits them as kernel messages, which end up in /var/log/messages or in the journal
9. do you see SELinux denials in dmesg output?
● If none of the following daemons is running then you can find SELinux denials in the output of dmesg:
– audit daemon
– syslog daemon
– systemd
10. remove dontaudit rules
● semodule -DB
● a dontaudit rule means that a particular access is denied but no record of the SELinux denial is written; semodule -DB rebuilds the policy with the dontaudit rules disabled, so such denials become visible (node 23 puts them back)
11. is audit2allow available?
● very useful tool which is able to:
– provide hints for solution
– summarize existing SELinux denials
– generate a local policy module
12. install policycoreutils-python package
● yum -y install policycoreutils-python
13. is selinux-policy documentation available?
● rpm -q selinux-policy-doc
● rpm -q selinux-policy-devel
14. install selinux-policy documentation
● yum -y install selinux-policy-devel
● yum -y install selinux-policy-doc
15. does audit2allow mention a boolean?
● Is there any SELinux boolean in the output of audit2allow?
16. check the boolean documentation
● semanage boolean -l
● man -K boolean-name
● HTML pages in /usr/share/doc/selinux-policy-*
17. does the documentation describe (part of) your scenario?
● yes - you found the right boolean
● no - try another boolean
● sometimes it is necessary to use more booleans at the same time
18. customize the boolean
● semanage boolean -m --on ...
● semanage boolean -m --off ...
19. does audit2allow mention a network port?
● usually has a suffix _port_t
20. customize port definitions
● semanage port -a -t … -p … portnumber
● semanage port -d -t … -p … portnumber
● semanage port -l
● which port types exist?
– seinfo -t | grep _port_t | sort
21. does audit2why mention a constraint violation?
● useful tool which belongs to the same package as audit2allow
22. report the problem to CP or RHBZ
● CP (Customer Portal) → access.redhat.com
● RHBZ (Red Hat Bugzilla) → bugzilla.redhat.com
23. return dontaudit rules if you removed them before
● semodule -B
● one of the clean-up tasks
24. return to enforcing mode if you left it before
● setenforce 1
● run for each domain you switched to permissive:
– semanage permissive -d ..._t
● another clean-up task
25. does audit2allow mention filesystem objects?
● character device → tclass=chr_file
● block device → tclass=blk_file
● regular file → tclass=file
● directory → tclass=dir
● symbolic link → tclass=lnk_file
● socket → tclass=sock_file
● pipe → tclass=fifo_file
26. are these objects mislabeled?
● each AVC contains a tcontext=... part
● matchpathcon -n /path/to/object
● objects are mislabeled when these 2 values differ
● if matchpathcon returns <<none>> then use sesearch -T to find out which context the object had when it was created
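Nodes 25 and 26 in shell form, added here as an example and not taken from the slides: pull tclass and tcontext out of an AVC record, name the kind of object, and compare the type of the actual label with the type matchpathcon -n expects. The AVC record is constructed, and the expected context is passed in explicitly so the check also runs on a machine without SELinux; when it is omitted the function asks matchpathcon for the record's path= field.

```shell
#!/bin/bash
# Added example for nodes 25 and 26; not part of the original slides.
# Pull tclass and tcontext out of an AVC record, name the kind of object, and compare
# the type of the actual label with the type the file-context database expects.
# The expected context normally comes from "matchpathcon -n PATH"; it can be passed
# in explicitly so the check also runs on a machine without SELinux.

# Value of one key=value field in an AVC record (scontext, tcontext, tclass, path, ...).
# Quoted values are unquoted; values containing spaces are not expected here.
avc_field() {
    local rec=$1 name=$2 rest
    case "$rec" in
        *" $name="*) ;;
        *) return 1 ;;
    esac
    rest=${rec##* "$name"=}        # drop everything up to "<space>name="
    rest=${rest%% *}               # keep the value only
    rest=${rest#\"}; rest=${rest%\"}
    printf '%s\n' "$rest"
}

# Type component (third field) of a context: unconfined_u:object_r:user_home_t:s0 -> user_home_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Node 25: tclass -> kind of filesystem object
object_kind() {
    case "$1" in
        chr_file)  echo "character device" ;;
        blk_file)  echo "block device" ;;
        file)      echo "regular file" ;;
        dir)       echo "directory" ;;
        lnk_file)  echo "symbolic link" ;;
        sock_file) echo "socket" ;;
        fifo_file) echo "pipe" ;;
        *)         echo "not a filesystem object" ;;
    esac
}

# Node 26. $1 = AVC record, $2 = expected context ("matchpathcon -n PATH" output);
# with $2 empty, matchpathcon is run on the record's path= field.
# Exit status: 0 mislabeled, 1 label matches, 2 no pattern (<<none>>), 3 cannot tell.
label_check() {
    local rec=$1 expected=$2 actual path
    actual=$(avc_field "$rec" tcontext) || return 3
    if [ -z "$expected" ]; then
        path=$(avc_field "$rec" path) || return 3
        expected=$(matchpathcon -n "$path") || return 3
    fi
    [ "$expected" = '<<none>>' ] && return 2
    [ "$(context_type "$actual")" != "$(context_type "$expected")" ]
}

# Human-readable verdict pointing at the next chart node.
report() {
    local rec=$1 expected=$2 rc=0
    label_check "$rec" "$expected" || rc=$?
    case $rc in
        0) echo "$(object_kind "$(avc_field "$rec" tclass)") is mislabeled:" \
                "expected $(context_type "$expected"), found $(context_type "$(avc_field "$rec" tcontext)")" \
                "-> restorecon -Rvn first, then restorecon -Rv (node 28)" ;;
        1) echo "label matches the file-context database: look for a missing rule or boolean (nodes 29/30)" ;;
        2) echo "no file-context pattern for this path: check sesearch -T for the transition that labeled it" ;;
        *) echo "could not determine the target context" ;;
    esac
}

# Constructed AVC record in the layout of "ausearch -i"; not captured from a real system.
SAMPLE_AVC='type=AVC msg=audit(06/15/2016 10:15:22.917:1234) : avc:  denied  { read } for  pid=2345 comm=httpd name=index.html dev=vda1 ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# On a real system the second argument would be "$(matchpathcon -n /var/www/html/index.html)".
report "$SAMPLE_AVC" system_u:object_r:httpd_sys_content_t:s0
```

Only the type field of the two contexts is compared, because the user and role parts of a file label normally differ from the file-context entry without being a problem; a type mismatch is what makes the object mislabeled in the sense of node 26.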
27. is reboot acceptable?
● the need for reboot is rare, but
– if there are a lot of mislabeled objects on the filesystem, it may be better to relabel them all during reboot
– if the system does not boot because of SELinux denials then a complete relabel is the only solution
28. run restorecon
● the following command corrects labels:
– restorecon -Rv /path/to/somewhere
● the following command just shows which labels are wrong:
– restorecon -Rvn /path/to/somewhere
29. find a better context and customize file context patterns
● use sesearch -A and specify 3 of 4 parameters (-s, -t, -c, -p)
● use semanage fcontext -a -t … -f … pattern
30. does audit2allow mention missing rules?
● no additional hints, just lines which start with allow ...
31. is local policy module acceptable?
● a local policy module needs to be maintained
32. create local policy module
● the local policy module will use reference policy interface macros where they exist: ausearch … | audit2allow -R -M mypolicy
● the local policy module will contain plain rules only, no macros: ausearch … | audit2allow -M mypolicy
33. insert the local policy module
● semodule -i mypolicy.pp
● filename and policy module name are 2 different things
● list of currently loaded policy modules: semodule -l
34. make the domain permissive
● semanage permissive -a ..._t
● you can switch a chosen type to permissive and leave the rest of the types in enforcing mode
● the use of setenforce 0 is advised only in desperate cases and temporarily
35. are there additional SELinux denials?
● use ausearch again and check the time when the SELinux denials appeared
● new SELinux denials may appear even if your scenario works fine → some of the denied accesses are genuinely unnecessary and need no new rule
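Node 35 (and the iteration advice under "How to walk through the chart") in shell, added here as an example rather than taken from the slides: capture the epoch second just before the scenario runs, keep only the AVC records stamped after it, and collapse them into unique denial signatures so the output of the enforcing-mode run and the permissive-mode run can be diffed. The audit records below are constructed; on a real system the input is the raw output of ausearch (without -i) or /var/log/audit/audit.log, whose msg=audit(...) field carries the epoch timestamp the filter relies on.

```shell
#!/bin/bash
# Added example, not part of the original slides.
# Node 35: look at *when* a denial appeared. Record the epoch second before the scenario
# runs, keep only AVC records stamped after it, and reduce them to unique denial
# signatures so the enforcing-mode and permissive-mode iterations can be diffed.
# Input: raw audit records (ausearch without -i, or /var/log/audit/audit.log).

# Epoch second of one raw record: "msg=audit(1465989322.917:1234)" -> 1465989322
record_epoch() {
    local rest=${1#*msg=audit\(}
    printf '%s\n' "${rest%%.*}"
}

# Type component (third field) of a context: system_u:system_r:httpd_t:s0 -> httpd_t
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# What identifies a missing rule: source type, target type, class, permissions.
# pid, inode, comm and timestamp vary per event and are dropped.
denial_signature() {
    local rec=$1 perms s t c
    perms=${rec#*\{ }; perms=${perms%% \}*}
    s=${rec##* scontext=}; s=${s%% *}
    t=${rec##* tcontext=}; t=${t%% *}
    c=${rec##* tclass=};   c=${c%% *}
    printf '%s %s %s %s\n' "$(type_of "$s")" "$(type_of "$t")" "$c" "$perms"
}

# $1 = epoch second at which this iteration started; records on stdin.
# Non-AVC records (SYSCALL, PATH, ausearch's "----" separators) are skipped.
# Output: "<count> <source> <target> <class> <perms>" per unique denial.
new_denials_since() {
    local start=$1 rec
    while IFS= read -r rec; do
        case "$rec" in *" denied "*) ;; *) continue ;; esac
        [ "$(record_epoch "$rec")" -ge "$start" ] || continue
        denial_signature "$rec"
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed audit records (not from a real system): one denial from before this
# iteration started, two from after it, plus a SYSCALL record that must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1465989300.101:1201): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="vda1" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1465989322.917:1234): avc:  denied  { read } for  pid=2346 comm="httpd" name="index.html" dev="vda1" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1465989323.004:1235): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1465989323.004:1235): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# Wrapper over the constructed log; $1 = iteration start (epoch second).
denials_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | new_denials_since "$1"
}

# Real run:  start=$(date +%s); <run the scenario>; ausearch -m avc -ts recent | new_denials_since "$start"
# Here the iteration is taken to have started at 1465989320, so the first record is dropped.
denials_in_sample 1465989320
```

Run once in enforcing mode and once with the domain permissive, save both outputs and diff them: signatures that appear only in the permissive run are candidates for the "does not need to be fixed" category from the "Enforcing vs. permissive" slide, and a signature that keeps its count across iterations after a rule was added means the rule did not take effect.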
36. collect additional SELinux denials
● ausearch … > attachment-xyz.txt
● for further inspection by the selinux-policy developers
37. run fixfiles onboot
● the command makes sure that the whole filesystem will be relabeled during the next reboot
38. reboot
● relabeling of filesystems may take several minutes depending on the number of stored objects
● the enforcing=0 kernel parameter makes SELinux start in permissive mode; the mode configured in /etc/selinux/config is ignored
39. collect all constraint violations
● ausearch … | audit2why > attachment-xyz.txt
● for further inspection by the selinux-policy developers
Security vs. usability
● SELinux policy should not prevent programs from doing what is expected from them
● programs should only access objects which are necessary to fulfil their purpose
● sometimes the expected and actual behavior differ significantly
● extremes: SELinux policy is either too strict or too benevolent
Enforcing vs. permissive
● the same scenario may involve different code paths in enforcing and in permissive mode
● that's why the sets of SELinux denials triggered in these modes are usually different
● not all SELinux denials triggered in permissive mode must be fixed in policy
● to collect all SELinux denials in enforcing mode you usually need more than 1 iteration
Searching for the root cause
● some "solved" problems appear again
● without knowing the root cause we are solving consequences
● complex interactions among various programs make the activity more difficult
● find a reproducer via
– inspection of relevant log files
– increased logging / enabled debugging messages
– auditctl / ausearch
– policy module with special auditallow rules
– strace / ltrace / gdb
Local policy is not almighty
● New network port types cannot be defined
● New classes and permissions cannot be defined either
● You can disable / remove a policy module as a whole (everything it defines), but you cannot disable / remove a specifically chosen rule
● You cannot make the constraints less strict
Be careful when
● enabling too powerful booleans
– *_all_rw
– *_full_access
– nis_enabled
– daemons_enable_cluster_mode
● using general contexts instead of specific ones
● your local policy module is too benevolent
● your file-systems are mislabeled
● allowing permissions like dac_override, dac_read_search, sys_admin, setuid
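Nodes 30 to 33 pipe ausearch into audit2allow -M and load the result with semodule -i; the "Be careful when" slide above lists what makes such a module too benevolent. The following shell script is an added example, not code from the slides, that joins the two: it reviews the generated .te before anything is loaded, refuses modules whose allow rules grant one of the permissions the slide names, and also stops when audit2allow itself printed a hint (its hint lines start with #!!!!), because a hint means a boolean, a label or a constraint is the real fix. The list of risky permissions is the slide's; the list of generic types treated as "probably mislabeled" is an assumption of this example, and the sample .te is constructed.

```shell
#!/bin/bash
# Added example, not part of the original slides.
# Nodes 30-33: generate a local policy module from the collected denials and load it.
# The "Be careful when" slide lists what makes such a module too benevolent, so the
# generated .te is reviewed first and the module is only loaded when the review is clean.

# Permissions the slide singles out; the types are an assumption of this example
# (generic labels that usually mean "mislabeled", not "needs a rule").
RISKY_PERMS='dac_override dac_read_search sys_admin setuid'
RISKY_TYPES='unlabeled_t file_t default_t'

# Review a .te file written by "audit2allow -M NAME".
# Prints one line per finding; exit status 0 = nothing found, 1 = review needed.
review_te() {
    local te=$1 status=0 line word
    while IFS= read -r line; do
        case "$line" in
            '#!!!!'*)
                # audit2allow puts its hints (boolean, mislabeled file, constraint
                # violation) on lines starting with #!!!! -> a conservative fix exists
                echo "HINT: ${line#'#!!!! '}"; status=1 ;;
            allow*)
                # turn "allow a_t b_t:file { read write };" into plain tokens
                for word in $(printf '%s\n' "$line" | tr '{};:' '    '); do
                    case " $RISKY_PERMS $RISKY_TYPES " in
                        *" $word "*) echo "RISKY: $word in: $line"; status=1 ;;
                    esac
                done ;;
        esac
    done < "$te"
    return $status
}

# Build NAME.te and NAME.pp (in the current directory) from today's denials and load
# the module only after a clean review. Needs ausearch, audit2allow and semodule.
build_and_load() {
    local name=$1
    ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -ts today \
        | audit2allow -M "$name" || return 1
    if review_te "$name.te"; then
        semodule -i "$name.pp"
    else
        echo "$name.pp not loaded: act on the findings above first" >&2
        return 1
    fi
}

# Constructed .te in the shape audit2allow -M produces (not taken from a real system),
# so review_te can be exercised without ausearch/audit2allow. $1 = output path.
write_sample_te() {
    cat >"$1" <<'EOF'
module mypolicy 1.0;

require {
    type httpd_t;
    type user_home_t;
    class file read;
    class capability { dac_override dac_read_search };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_t:file read;
allow httpd_t self:capability { dac_override dac_read_search };
EOF
}

# Offline demonstration on the constructed module.
# Real system: build_and_load "mylocal_$(date +%Y%m%d)"
sample=$(mktemp)
write_sample_te "$sample"
review_te "$sample" || echo "this module would not be loaded"
rm -f "$sample"
```

The review is deliberately coarse: it flags tokens, not semantics, so it will also complain about a risky type appearing as the source domain. That is the intended bias for a module that is about to be loaded into enforcing mode; anything it flags should go back to node 15 (boolean), node 26 (label) or node 22 (report the problem) before a rule is written for it.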