One more post about one more modern Linux subsystem: SELinux. It provides fine-grained and flexible separation of permissions for all users, files and services. Unfortunately, the first thing nine out of ten engineers do when they meet SELinux is disable it. The main reason is its unclear behaviour when access is denied: the program simply fails and nothing obvious tells you why. So, when I figured out how to debug it easily, I decided to write it down as a reminder to myself and maybe as a helpful tip for strangers who land on this site. To find out why some action is denied, try the following few steps. Say your favourite script has started failing with SELinux in enforcing mode:

  • sestatus #identify the current status of SELinux (mode, loaded policy)
  • setenforce 0 #switch to permissive mode: denials are logged but no longer block anything
  • semodule -DB #rebuild the policy with the dontaudit rules disabled, so denials that are normally silenced are logged too
  • now run your favourite script and reproduce the failure
  • audit2allow -a -m local > local.te #build the type enforcement source of a local policy module from the AVC messages in audit.log (-a reads the whole audit log, -m prints the source to stdout, so redirect it into a file)
  • vim ./local.te #check which rule is the real cause and edit the type enforcement file if needed; because -a reads the entire log, the file may contain denials from other processes that you should not allow. Keep in mind that SELinux does not deny authorized actions: a denial is a sign that you are probably doing something wrong (a mislabelled file, a wrong directory, a boolean that should be switched on) rather than that the policy needs one more allow rule.

After that you can build and install your own policy module, which will grant your script the access it was denied:

  • checkmodule -M -m -o local.mod local.te #compile the type enforcement source into a policy module
  • semodule_package -o local.pp -m local.mod #wrap the module in a loadable package
  • semodule -i local.pp #install it into the running policy

And don't forget to restore the state of SELinux, whether or not the module fixed your script:

  • sestatus #confirm you are still in permissive mode before switching back
  • setenforce 1 #back to enforcing
  • semodule -B #rebuild the policy with the dontaudit rules enabled again, otherwise the audit log keeps filling up with noise
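The three lists above as one script, added here as an example and not part of the original post. It wraps each list in a function and adds a triage step that looks at the AVC records before they are handed to audit2allow, because the most common denials are label problems rather than missing rules. Assumptions: it runs as root on a host with the policycoreutils tools installed, the failing command is passed as arguments, the module is called "local", and the AVC lines in SAMPLE_AVC are constructed for illustration, not real logs. The "relabel"/"policy" verdict is a heuristic on the target type, not something audit2allow does itself.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the three command lists
# above in functions and adds a triage step that reads the AVC records before
# they go to audit2allow. Assumptions: run as root on a host with the
# policycoreutils tools; the failing command is passed as arguments; the module
# is called "local". SAMPLE_AVC is constructed for illustration, not real logs.

# Constructed sample shaped like /var/log/audit/audit.log AVC records.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="myscript.sh" name="data.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="myscript.sh" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.789:458): avc:  denied  { write } for  pid=1234 comm="myscript.sh" name="run.log" dev="dm-0" ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1'

# summarize_avc: AVC records on stdin -> one line per denial:
#   "<scontext> <tcontext> <tclass> { perms }"
summarize_avc() {
  awk '/avc: +denied/ {
    perms = ""; s = ""; t = ""; c = ""
    if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) s = substr($i, 10)
      if ($i ~ /^tcontext=/) t = substr($i, 10)
      if ($i ~ /^tclass=/)   c = substr($i, 8)
    }
    print s, t, c, perms
  }'
}

# classify_denial: heuristic (our own, not audit2allow's). A target type such
# as default_t, unlabeled_t or user_home_t usually means the file is
# mislabelled (fix with restorecon / semanage fcontext, or a boolean), not
# that the policy needs a new allow rule.
classify_denial() {
  ttype=${1#*:*:}        # drop seuser:role
  ttype=${ttype%%:*}     # drop the MLS/MCS level
  case "$ttype" in
    default_t|unlabeled_t|user_home_t|admin_home_t) echo relabel ;;
    *) echo policy ;;
  esac
}

# triage_avc: prefix each summarized denial with the verdict above.
triage_avc() {
  summarize_avc | while read -r s t c p; do
    printf '%s %s %s %s %s\n' "$(classify_denial "$t")" "$s" "$t" "$c" "$p"
  done
}

# First list in the post: permissive mode, dontaudit rules off, run the
# failing command, then turn only the AVCs of the last ten minutes (not the
# whole audit log, as audit2allow -a would) into a reviewable local.te.
collect_denials() {
  sestatus
  setenforce 0                         # log denials instead of blocking
  semodule -DB                         # rebuild with dontaudit rules disabled
  "$@"                                 # the failing script
  ausearch -m avc -ts recent > avc.log
  triage_avc < avc.log                 # which denials are really label problems?
  audit2allow -w < avc.log             # audit2allow's own explanation per denial
  audit2allow -m local < avc.log > local.te
  echo "Review local.te before installing it."
}

# Second list: compile, package and load the reviewed module.
install_local_module() {
  checkmodule -M -m -o local.mod local.te
  semodule_package -o local.pp -m local.mod
  semodule -i local.pp
}

# Third list: back to enforcing, then rebuild with dontaudit rules on again.
restore_selinux() {
  sestatus
  setenforce 1
  semodule -B
}

# Usage: sh selinux-debug.sh collect ./myscript.sh ; then install ; then restore
#        sh selinux-debug.sh demo   (triage of the constructed sample only)
case "${1:-}" in
  collect) shift; collect_denials "$@" ;;
  install) install_local_module ;;
  restore) restore_selinux ;;
  demo)    printf '%s\n' "$SAMPLE_AVC" | triage_avc ;;
esac
```

Running `sh selinux-debug.sh demo` flags the first and third constructed denials as label problems and only the second (httpd_t connecting to postgresql_port_t) as a policy question; on a stock targeted policy that one is covered by the httpd_can_network_connect_db boolean, so even it needs no custom allow rule. The point of the triage is exactly that: read local.te line by line and ask whether a relabel or a boolean does the job before loading a module that widens the policy for good. Run the `restore` step regardless of whether the module helped.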