How to troubleshoot SELinux problems

Users are often told to turn off SELinux when they need two applications to communicate with each other. Instead, think of SELinux as a firewall: you just need to enable the correct rules to allow the applications access to the files, sockets, etc. that they need.

Before you start troubleshooting you may need to install this package (the name below is for CentOS; other distributions package it under a similar name):

sudo yum install selinux-policy-devel

If you can run a command manually from the command line but can't run the same command from your PHP script, web server, etc., then it is worth checking the SELinux log to see whether SELinux is your problem.

SELinux errors are logged to syslog by default. On CentOS they are logged to the following files:

  • /var/log/audit/audit.log
  • /var/log/messages

To create a clean slate, stop syslog:

/etc/init.d/syslog stop

Clear the audit and messages logs (you may want to rotate the logs instead):

rm /var/log/audit/audit.log /var/log/messages

Start the syslog again:

/etc/init.d/syslog start

Now run your script; the SELinux errors should be logged, and you can watch them with:

tail -f /var/log/audit/audit.log /var/log/messages

Look for entries like:

type=SYSCALL msg=audit(1276164857.547:3018): arch=40000003 syscall=197 success=no exit=-13 a0=12 a1=bfbaca74 a2=76cff4 a3=8a79850 items=0 ppid=32016 pid=3404 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=319 comm="clamscan" exe="/usr/bin/clamscan" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)

To convert these errors into the required SELinux rules, feed the complete log files to audit2allow (it reads all of its input before printing anything, so don't use tail -f here or it will wait forever):

sudo cat /var/log/audit/audit.log /var/log/messages | audit2allow

For example, trying to get Apache to run clamscan initially gave these errors:

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t clamd_var_run_t:dir search;
allow httpd_sys_script_t httpd_t:file read;

Now run audit2allow with -M to build a policy module containing the required rules (again, give it the complete files rather than tail -f):

sudo cat /var/log/audit/audit.log /var/log/messages | audit2allow -M mysemanage

This creates two files in the current directory:

  • mysemanage.pp
  • mysemanage.te

To activate the new rules run:

sudo semodule -i mysemanage.pp
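To see what audit2allow is doing with those log lines, here is an added example (not part of the original page, and not the real audit2allow) that parses AVC denial records and renders them as allow rules and as a complete .te module in the same layout audit2allow -M writes. The audit log lines it reads are constructed samples in the shape auditd writes; the module name mysemanage is taken from the commands above. Note that only the type=AVC record carries the denial; the SYSCALL record shown earlier only tells you which process and syscall failed, so the parser skips it.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system): the shape auditd
# writes to /var/log/audit/audit.log when SELinux denies an access.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1276164857.547:3018): avc:  denied  { search } for  pid=3404 comm="clamscan" name="clamd" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1276164857.547:3018): arch=40000003 syscall=197 success=no exit=-13 comm="clamscan" exe="/usr/bin/clamscan" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1276164858.101:3019): avc:  denied  { read } for  pid=3404 comm="clamscan" name="main.cvd" dev=sda1 ino=12346 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1276164858.102:3020): avc:  denied  { getattr } for  pid=3404 comm="clamscan" path="/var/lib/clamav/main.cvd" dev=sda1 ino=12346 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
"""

# Only AVC records describe a denial: permissions in braces, then the source and
# target security contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)} for every AVC denial."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def format_perms(perms):
    """Single permission as a bare word, several as a brace-delimited set."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """Render allow rules grouped under a header per source type, as audit2allow prints them."""
    lines = []
    for stype in sorted({k[0] for k in denials}):
        lines.append("#============= %s ==============" % stype)
        for (s, t, cls), perms in sorted(denials.items()):
            if s == stype:
                lines.append("allow %s %s:%s %s;" % (s, t, cls, format_perms(perms)))
        lines.append("")
    return "\n".join(lines).rstrip("\n")


def te_module(name, denials):
    """Render a complete policy module source, the NAME.te that audit2allow -M writes."""
    types = sorted({t for k in denials for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, format_perms(classes[c])) for c in sorted(classes)]
    out += ["}", "", allow_rules(denials)]
    return "\n".join(out)


if __name__ == "__main__":
    print(te_module("mysemanage", parse_denials(SAMPLE_AUDIT_LOG)))
```

Running it prints a module that allows httpd_sys_script_t to search clamd_var_run_t directories and to read and getattr clamd_var_lib_t files. Because each generated rule grants exactly what was denied, read the .te file before loading the .pp with semodule: a denial caused by a mislabelled file is better fixed by restoring the correct label than by adding a rule that permanently widens what the web server's scripts may touch.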

Now run your problem application again and repeat the above process until all of the missing rules have been activated.

Eventually SELinux stopped reporting errors; I ended up with the following rules:

#============= clamd_t ==============
allow clamd_t httpd_tmp_t:file getattr;

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t clamd_t:unix_stream_socket connectto;
allow httpd_sys_script_t clamd_var_lib_t:dir { read getattr search };
allow httpd_sys_script_t clamd_var_lib_t:file { read getattr };
allow httpd_sys_script_t clamd_var_run_t:dir search;
allow httpd_sys_script_t clamd_var_run_t:sock_file write;
allow httpd_sys_script_t httpd_t:file read;

Now my Apache PHP script can execute clamscan to check uploaded files for viruses.

Last updated: 14/07/2010