SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC). SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate the enforcement of security decisions from the security policy itself, and to minimize the amount of software involved in enforcing that policy.

In this article, I will show you how to resolve an SELinux denial by adjusting the policy instead of turning SELinux off.

The audit2allow utility gathers information from logs of denied operations and then generates SELinux policy allow rules.

Denial messages and the associated system calls are logged to the /var/log/audit/audit.log file:

type=AVC msg=audit(1582800535.799:670): avc: denied { read } for pid=13951 comm="nginx" name="index.html" dev="sda1" ino=263511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=...

In my example, I get an “Access denied” error and cannot open my website.

Install the audit2allow utility

# dnf install setroubleshoot setools

Run audit2allow

# audit2allow -w -a

type=AVC msg=audit(1582800535.799:670): avc: denied { read } for pid=13951 comm="nginx" name="index.html" dev="sda1" ino=263511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.

View the Type Enforcement rules that would allow the denied access.

# audit2allow -a
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t http_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:file { map open read };

Run the following command as root to create a custom policy module. The -M option creates a Type Enforcement file (.te) with the name given after -M in your current working directory.

# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

Install the policy package

# semodule -i mycertwatch.pp

Now I am able to open my website.
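As an added illustration of what the audit2allow step above does with the denial lines in audit.log (example code written for this article, not part of the original post or of the SELinux tools), the script below parses constructed AVC denial lines into allow rules and then flags the rule that would grant nginx access to user home directories, which is the check worth running before semodule -i. The sample lines, the avc_to_rules and risky_rules function names and the dest=8080 denial are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the audit2allow step shown
# above, turning raw AVC denial lines into Type Enforcement allow rules.
# Assumes lines carry scontext=, tcontext=, tclass= and a "{ perms }" set.

# Constructed sample denials in audit.log format (not real output).
SAMPLE_AVC='type=AVC msg=audit(1582800535.799:670): avc: denied { read } for pid=13951 comm="nginx" name="index.html" dev="sda1" ino=263511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1582800536.001:671): avc: denied { open } for pid=13951 comm="nginx" path="/home/web/index.html" dev="sda1" ino=263511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1582800540.123:672): avc: denied { name_connect } for pid=13951 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1'

# avc_to_rules: read AVC lines on stdin, print one "allow src tgt:class { perms };"
# per (source type, target type, class) with permissions merged and sorted.
avc_to_rules() {
    grep 'avc: *denied' | awk '
    {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep text after "denied { "
        sub(/ *[}].*/, "", perms)           # drop text from " }" onward
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t ":" c, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2
        if (key != prev && prev != "") print "allow " prev " {" acc " };"
        if (key != prev) acc = ""
        acc = acc " " $3
        prev = key
    }
    END { if (prev != "") print "allow " prev " {" acc " };" }'
}

# risky_rules: review check to run before "semodule -i". A rule that lets a
# service domain touch user_home_t grants it every user's home directory;
# relabeling the web root (semanage fcontext / restorecon) is the narrower fix.
risky_rules() {
    grep -E ' user_home(_dir)?_t:'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | risky_rules | sed 's/^/REVIEW: /'
```

Feed it the real log with `avc_to_rules < /var/log/audit/audit.log` to compare its output against `audit2allow -a`; the rule syntax uses braces even for a single permission, which the policy compiler accepts.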