Product SiteDocumentation Site

Chapter 10. Troubleshooting

10.1. What Happens when Access is Denied
10.2. Top Three Causes of Problems
10.2.1. Labeling Problems
10.2.2. How are Confined Services Running?
10.2.3. Evolving Rules and Broken Applications
10.3. Fixing Problems
10.3.1. Linux Permissions
10.3.2. Possible Causes of Silent Denials
10.3.3. Manual Pages for Services
10.3.4. Permissive Domains
10.3.5. Searching For and Viewing Denials
10.3.6. Raw Audit Messages
10.3.7. sealert Messages
10.3.8. Allowing Access: audit2allow
The following chapter describes what happens when SELinux denies access; the top three causes of problems; where to find information about correct labeling; analyzing SELinux denials; and creating custom policy modules with audit2allow.

10.1. What Happens when Access is Denied

SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials", and are logged to a different location, depending on which daemons are running:
DaemonLog Location
auditd on/var/log/audit/audit.log
auditd off; rsyslogd on/var/log/messages
setroubleshootd, rsyslogd, and auditd on/var/log/audit/audit.log. Easier-to-read denial messages also sent to /var/log/messages
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd and auditd daemons are running, a warning is displayed when access is denied by SELinux:
Clicking on Show presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:

You don't have permission to access file name on this server
For these situations, if DAC rules (standard Linux permissions) allow access, check /var/log/messages and /var/log/audit/audit.log for "SELinux is preventing" and "denied" errors respectively. This can be done by running the following commands as the root user:
~]# grep "SELinux is preventing" /var/log/messages
~]# grep "denied" /var/log/audit/audit.log