Why SELinux Is Blocking Your Service (and How to Fix It)

-

Troubleshooting SELinux-Related Issues in Linux

Running services with SELinux enabled can sometimes lead to unexpected denials or blocked actions—especially if SELinux was previously disabled or the service is configured in a non-standard way.

In most cases, SELinux issues are the result of misconfigured contexts, policies, or port bindings. Here's a step-by-step approach to diagnose and fix SELinux-related problems while keeping your system secure.

Check SELinux Status and Mode

Start by verifying that SELinux is active on your system:

# sestatus

Look for:

  • SELinux status: enabled
  • Current mode: enforcing or permissive

To test if SELinux is causing a problem, temporarily switch to permissive mode:

# setenforce 0   # Logs denials but doesn’t block actions
# setenforce 1   # Reverts to enforcing mode

If the issue disappears in permissive mode, SELinux is likely the root cause.

Look for SELinux Denials in Logs

Use the audit logs to find detailed denial messages:

# grep "avc: denied" /var/log/audit/audit.log

To generate a human-readable report from the logs:

# sealert -a /var/log/audit/audit.log

Review the AVC denial messages related to your service or application.

Note:

On RHEL 8 (and newer systems), the sealert tool is not installed by default. Install setroubleshoot-server to get sealert 
yum install setroubleshoot-server -y

Fix File and Directory Contexts

Incorrect file contexts are a common issue. Check them with:

# ls -Z /path/to/your/file_or_directory

To restore default contexts:

# restorecon -Rv /path/to/your/directory

To permanently set custom contexts (example: for a custom web directory):

# semanage fcontext -a -t httpd_sys_content_t "/custom_web(/.*)?"
# restorecon -Rv /custom_web

Adjust SELinux Policies

Allow Non-Default Ports

# semanage port -l | grep http
# semanage port -a -t http_port_t -p tcp 8080

Enable Required Booleans

# getsebool -a | grep httpd_can_network_connect
# setsebool -P httpd_can_network_connect on

Create Custom SELinux Policy Modules (Advanced)

If there's no existing fix, you can generate custom policy modules based on denial logs:

# grep "avc: denied" /var/log/audit/audit.log | audit2allow -M mypolicy
# semodule -i mypolicy.pp

To understand the cause of denials:

# audit2why < /var/log/audit/audit.log

Make Changes Persistent

To ensure changes survive a reboot:

  • Use -P with setsebool to make boolean changes permanent.
  • Use semanage for ports and file context changes.
  • Edit /etc/selinux/config to set SELINUX=enforcing or permissive.

Common Scenarios & Fixes

Apache/Nginx Access Denied

# semanage fcontext -a -t httpd_sys_content_t "/custom_web_dir(/.*)?"
# restorecon -Rv /custom_web_dir
# setsebool -P httpd_can_network_connect on

MySQL/PostgreSQL Access Issues

# restorecon -Rv /var/lib/mysql
# semanage port -a -t mysqld_port_t -p tcp 3307

Samba/NFS Share Denials

# setsebool -P samba_export_all_rw on
# chcon -t samba_share_t /shared_directory

SSH Binding to Non-Default Port

# semanage port -a -t ssh_port_t -p tcp 2222
# restorecon -Rv /etc/ssh

Final Tips

  • Avoid disabling SELinux: Use policies and adjustments to preserve security.
  • Use permissive mode for testing: But always revert to enforcing when done.
  • Run restorecon after updates: Especially if new files were added.
  • Document your changes: Helps you (and others) debug future issues faster.

By following these steps and understanding SELinux’s role, you can troubleshoot most access issues without compromising system security.

Comments

Post a Comment

Popular Posts

Puppet Code Deploy Troubleshooting & Resolution Guide

-
Initial Problem I was setting up Puppet Enterprise and trying to push code using the trusted puppet code deploy command. But instead of a clean deployment, I got this surprise: puppet code deploy --dry-run And boom — this lovely error shows up: [POST /deploys][500] Errors while collecting a list of environments to deploy (exit code: 1). ERROR -> failed to stat '/var/opt/lib/pe-puppet/.gitconfig' So... what gives? Turns out this issue is part permissions, part SSH trust, and part “who ran this command and as which user.” But don’t worry — I’ll walk through all root causes and their real-world fixes step by step. Root Cause #1: Directory Permission What Happened: The directory /var/opt/lib was locked down with drwx------ (700) and owned by root . User pe-puppet couldn’t even step inside it. Since r10k runs as pe-puppet , it failed trying to read .gitconfig . The Fix: chmod 711 /var/opt/lib Why: This lets pe-puppet enter the folder ...
Read more

Fix: SSH Permission Denied Issue | Real Solution

-
1. Verify SSH Command and Key Usage Use the correct private key with -i : ssh -i ~/.ssh/your_private_key user@host Ensure the key is not passphrase-protected (or enter the passphrase correctly). 2. Check Key Generation and Deployment Regenerate Keys (if unsure): ssh-keygen -t ed25519 -C "your_email@example.com" # Prefer ed25519 Ed25519 uses elliptic curve cryptography (Edwards-curve Digital Signature Algorithm) and provides 128-bit security (equivalent to RSA-3072 or RSA-4096) with a 256-bit key. Copy the Public Key to the Server: ssh-copy-id -i ~/.ssh/your_public_key user@host If ssh-copy-id isn’t available, manually append the public key to ~/.ssh/authorized_keys on the server. 3. Fix File/Directory Permissions On the Server: chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys chmod go-w ~ # Home directory should not be world-writable On the Client (Local Machine): chmod 600 ~/.ssh/your_private_key 4. Check SSH Server Configuration Edit /etc/ssh/s...
Read more

Linux Process Termination Signals Explained with Examples

-
Linux uses signals to communicate with processes, allowing them to terminate, pause, or handle specific events. Below are key termination signals, examples of how to use them, and their effects. 1. SIGINT (2) : Interrupt Signal Default Action : Terminate the process. Trigger : Press Ctrl+C in the terminal. Use Case : Gracefully stop a running command (e.g., a script or program). Example: # Start a long-running process sleep 100 # Press Ctrl+C to send SIGINT and terminate it Handling SIGINT in a Bash Script: #!/bin/bash trap 'echo "SIGINT caught! Exiting..."; exit' SIGINT echo "Running... Press Ctrl+C to test SIGINT" while true; do sleep 1 done Output: Running... Press Ctrl+C to test SIGINT ^CSIGINT caught! Exiting... 2. SIGQUIT (3) : Quit Signal Default Action : Terminate and generate a core dump. Trigger : Press Ctrl+\ in the terminal. Use Case : Debugging (generates a core dump for post-mortem analysis). ...
Read more