November 13th, 2006

setroubleshootd in action.

One of the big advancements in SELinux is the introduction of setroubleshoot. It is available for the first time in
Fedora Core 6 and Red Hat Enterprise Linux Beta 2.

The following demonstrates how this tool works.

A common SELinux problem admins hit is a service being denied access to mislabeled files. For example, an admin edits web pages in his home directory and then moves (mv) them into the system's web directory so Apache can serve them. Because mv preserves a file's security context, the files still carry the label of the user's home directory, and SELinux does not allow Apache to read files with that label, so the page is not displayed. (Copying with cp instead would have created new files with the default label for /var/www/html.) To demonstrate setroubleshoot, we can simulate this by giving a file in the web directory an incorrect security context and then trying to view the page.

# First make sure setroubleshoot and httpd are installed
> yum install setroubleshoot httpd
# Now change the security context of /var/www/html/index.html to a user's home directory context
> chcon -t user_home_t /var/www/html/index.html
# Now start the two services
> service setroubleshoot start
> service httpd start
# Log in as a normal user, bring up Firefox and go to http://localhost
# You should see a "Forbidden" denial page in Firefox
# An icon should appear in the upper right hand corner indicating an SELinux denial has occurred
# Click on the icon to launch the troubleshooter
# The troubleshooter will explain what has happened and how to fix the problem, in this case by restoring the file's default label

If you look at /var/log/audit/audit.log you will see the complete SELinux message in all its gory detail. ausearch pulls out just the AVC records:

> ausearch -m avc
time->Mon Nov 13 09:33:05 2006
type=AVC_PATH msg=audit(1163428385.431:226): path="/var/www/html/index.html"
type=SYSCALL msg=audit(1163428385.431:226): arch=40000003 syscall=196 success=no exit=-13 a0=9ed02c0 a1=bfccf98c a2=aa0ff4 a3=2008171 items=0 ppid=4094 pid=4098 auid=3267 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1163428385.431:226): avc: denied { getattr } for pid=4098 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
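The three records above are the raw form of what setroubleshoot turns into its explanation: the AVC record carries the source and target contexts, the SYSCALL record says which call failed and how, and the AVC_PATH record names the file. The following is an added example (not part of this post or of the setroubleshoot project) that parses that output offline, groups the records by audit serial, and produces a setroubleshoot-style summary plus the fix an admin would apply. The sample audit text is the page's own three records; the HOME_TYPES set and the rule "home-directory label outside /home means mislabeled, so run restorecon" are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Parse raw SELinux audit records (ausearch -m avc output) and explain the denial."""
import errno
import re
from collections import defaultdict

# Constructed sample: the records shown on this page for the mislabeled index.html.
SAMPLE_AUDIT = (
    'time->Mon Nov 13 09:33:05 2006\n'
    'type=AVC_PATH msg=audit(1163428385.431:226): path="/var/www/html/index.html"\n'
    'type=SYSCALL msg=audit(1163428385.431:226): arch=40000003 syscall=196 success=no '
    'exit=-13 a0=9ed02c0 a1=bfccf98c a2=aa0ff4 a3=2008171 items=0 ppid=4094 pid=4098 '
    'auid=3267 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 '
    'tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)\n'
    'type=AVC msg=audit(1163428385.431:226): avc: denied { getattr } for pid=4098 '
    'comm="httpd" name="index.html" dev=dm-0 ino=6260297 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file\n'
)

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')

# i386 (arch=40000003) stat-family syscall numbers; the page's syscall=196 is lstat64.
I386_SYSCALLS = {195: 'stat64', 196: 'lstat64', 197: 'fstat64'}

# Assumption: types that belong only on files under a user's home directory.
HOME_TYPES = {'user_home_t', 'user_home_dir_t'}


def parse_fields(body):
    """Turn 'k=v k="quoted v" ...' into a dict with the quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields, ...}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip the 'time->' separators ausearch prints and blank lines
        ev = events[m['serial']]
        ev['serial'] = m['serial']
        ev['timestamp'] = float(m['ts'])
        fields = parse_fields(m['body'])
        if m['type'] == 'AVC':
            a = AVC_RE.search(m['body'])
            fields['verdict'] = a['verdict']
            fields['perms'] = a['perms'].split()
        ev[m['type']] = fields
    return dict(events)


def selinux_type(context):
    """user_u:system_r:httpd_t:s0 -> httpd_t"""
    return context.split(':')[2]


def explain(ev):
    """Build a setroubleshoot-style summary and suggested fix for one event."""
    avc = ev['AVC']
    sc = ev.get('SYSCALL', {})
    path = ev.get('AVC_PATH', {}).get('path', avc.get('name', '?'))
    exe = sc.get('exe', avc.get('comm', '?'))
    stype, ttype = selinux_type(avc['scontext']), selinux_type(avc['tcontext'])
    detail = ''
    if sc:
        num = int(sc.get('syscall', -1))
        name = I386_SYSCALLS.get(num, f'#{num}') if sc.get('arch') == '40000003' else f'#{num}'
        err = errno.errorcode.get(-int(sc['exit']), sc['exit']) if 'exit' in sc else 'unknown'
        detail = f' (syscall {name} failed with {err})'
    summary = (f'SELinux is preventing {exe} ({stype}) from {" ".join(avc["perms"])} access to '
               f'{avc["tclass"]} {path} labeled {ttype}{detail}.')
    # A service domain hitting a home-directory label outside /home is the classic mislabel.
    if ttype in HOME_TYPES and not path.startswith('/home/'):
        fix = f'restorecon -v {path}'
        reason = 'The file carries a home-directory label; reset it to the policy default for its path.'
    else:
        fix = f'matchpathcon {path}'
        reason = 'Compare the current label with the policy default before changing anything.'
    return {'serial': ev['serial'], 'summary': summary, 'reason': reason, 'fix': fix}


def explain_all(text):
    """Explain every event in the text that contains an AVC record."""
    return [explain(ev) for ev in parse_events(text).values() if 'AVC' in ev]


if __name__ == '__main__':
    for e in explain_all(SAMPLE_AUDIT):
        print(e['summary'])
        print('  ', e['reason'])
        print('   fix:', e['fix'])
```

Feed it `ausearch -m avc` output on a real box and it will group multi-record events the same way; the restorecon suggestion is what undoes the chcon from the demo, because restorecon relabels the file to whatever the loaded policy says /var/www/html/index.html should be.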

If you look in /var/log/messages you will see a more readable explanation:

Nov 13 09:31:57 localhost setroubleshoot: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files (/var/www/html/index.html). See audit.log for complete SELinux messages. id = a3ad0690-dfb3-4077-9e51-5627f0bfb2db

The troubleshooter itself will have the complete description.