Product SiteDocumentation Site

Capítulo 7. Solución a Problemas

7.1. Qué pasa cuando el Acceso es Denegado
7.2. Tres Principales Causas de Problemas
7.2.1. Problemas de Etiquetados
7.2.2. ¿Cómo se Ejecutan los Servicios Confinados?
7.2.3. Evolucionando las Reglas y las Aplicaciones Rotas
7.3. Corrección de Problemas
7.3.1. Permisos de Linux
7.3.2. Posibles Causas de las Negaciones Silenciosas
7.3.3. Páginas de Manual para Servicios
7.3.4. Dominios Permisivos
7.3.5. Búsqueda y Revisión de Negaciones
7.3.6. Raw Audit Messages
7.3.7. Mensajes sealert
7.3.8. Permitiendo el Acceso: audit2allow
El siguiente capítulo describe qué pasa cuando SELinux niega el acceso; las principales tres causas de problemas; dónde encontrar información acerca del correcto etiquetado; análisis de las negaciones de SELinux; y creación de módulos de políticas personalizados con audit2allow.

7.1. Qué pasa cuando el Acceso es Denegado

SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as "AVC denials", and are logged to a different location, depending on which daemons are running:
DaemonLog Location
auditd on/var/log/audit/audit.log
auditd off; rsyslogd on/var/log/messages
setroubleshootd, rsyslogd, and auditd on/var/log/audit/audit.log. Easier-to-read denial messages also sent to /var/log/messages
If you are running the X Window System, have the setroubleshoot and setroubleshoot-server packages installed, and the setroubleshootd and auditd daemons are running, a warning is displayed when access is denied by SELinux:
Clicking on 'Show' presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:
Forbidden

You don't have permission to access file name on this server

For these situations, if DAC rules (standard Linux permissions) allow access, check /var/log/messages and /var/log/audit/audit.log for "SELinux is preventing" and "denied" errors respectively. This can be done by running the following commands as the Linux root user:
grep "SELinux is preventing" /var/log/messages
grep "denied" /var/log/audit/audit.log