6 Troubleshooting Access-Denial Messages
The decisions that SELinux makes about access are stored in the Access Vector Cache (AVC). If the auditing service (auditd) isn't running, SELinux logs AVC denial messages to /var/log/messages. Otherwise, the messages are logged to the /var/log/audit/audit.log file. If the setroubleshootd daemon is running, more readable versions of the denial messages are also written to /var/log/messages.
If you have installed the setroubleshoot and setroubleshoot-server packages, the auditd and setroubleshoot services are running. If you're using the X Window System, you can also use the sealert -b command to run the SELinux Alert Browser, which displays information about SELinux AVC denials. To view the details of the alert, select Show. To view a recommended solution, select Troubleshoot.
Use the ausearch tool to search the /var/log/audit/audit.log file, filtering for avc (Access Vector Cache) messages, which indicate SELinux denials:
sudo ausearch -m avc
The output of ausearch resembles the following:
type=AVC msg=audit(1688509311.123:345): avc: denied { read } for
pid=1234 comm="nginx" name="index.html" dev="sda1" ino=56789
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
You can further filter by time, user, or executable if required. For example, the following command finds events in the last 10 minutes:
sudo ausearch -m avc -ts recent
The following example finds events involving a specific process:
sudo ausearch -m avc -exe /usr/sbin/httpd
The main causes of access-denial problems include the following:
- Context labels for an application or file are incorrect. A solution might be to change the default file type of the directory hierarchy. For example, change the default file type of the /var/webcontent hierarchy to httpd_sys_content_t and relabel it:
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/webcontent(/.*)?"
sudo /sbin/restorecon -R -v /var/webcontent
- A Boolean that configures a security policy for a service is set incorrectly. A solution might be to change the value of a Boolean. For example, let httpd access user home directories by turning on httpd_enable_homedirs:
sudo setsebool -P httpd_enable_homedirs on
- A service is accessing a port to which a security policy prohibits access. If the service's use of the port is valid, a solution is to use semanage to add the port to the policy configuration. For example, to set the Apache HTTP server to listen on port 8000:
sudo semanage port -a -t http_port_t -p tcp 8000
- An update to a package causes an application to behave in a way that breaks an existing security policy.
audit2allow is a command line tool used in SELinux environments to help administrators create custom SELinux policy rules based on audit log entries of denied actions. You can use the following command to view the reason why an access denial occurred:
sudo audit2allow -w -a
When you see an SELinux denial, don't immediately use audit2allow to create a local policy module. First, check for any file labeling issues. Then, verify that there hasn't been a change in process configuration that hasn't been updated for SELinux. Start troubleshooting with these checks before considering policy changes. If you're satisfied that the denial isn't because of file labelling or process configuration problems, you can use the audit2allow tool to generate SELinux policy rules that enable the denied actions. Run the following command to create the required .te (type enforcement) and .pp (policy package) files:
sudo audit2allow -a -M module
You can then use the generated policy package file to stop the error from reoccurring by running the following command:
sudo semodule -i module.pp
Caution: This procedure is typically intended to make package updates function until an updated policy is available. If used incorrectly, you can create potential security holes in the system.
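Pulling the fields out of raw AVC records and sorting each denial into the cause categories listed above, as an added example that is not part of this documentation: it parses constructed sample audit.log lines (the first mirrors the record shown earlier) and the category names "port", "labeling" and "other" are this example's own labels, not SELinux terms.

```python
import re

# Constructed sample audit.log records (not captured from a real system). The first
# record mirrors the denial shown in the text above; the third shows a port denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1688509311.123:345): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="sda1" ino=56789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1688509311.123:345): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1688509400.001:350): avc:  denied  { name_bind } for  pid=1300 comm="httpd" src=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# Header of an AVC record: timestamp, serial, result and the permission set in braces.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values are double-quoted (comm, name) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(log_text):
    """Return one dict per AVC record; other record types (SYSCALL, ...) are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
               "result": m["result"], "perms": m["perms"].split()}
        for key, val in FIELD_RE.findall(m["fields"]):
            rec[key] = val.strip('"')
        # The type is the third colon-separated field of a context (user:role:type:level).
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def classify_denial(rec):
    """Bucket a denial by the causes listed above: port access, labeling/Boolean, other."""
    if rec["tclass"] in ("tcp_socket", "udp_socket") and "name_bind" in rec["perms"]:
        return "port"       # candidate for: semanage port -a -t <type> -p tcp <port>
    if rec["tclass"] in ("file", "dir", "lnk_file"):
        return "labeling"   # check labels (restorecon) and service Booleans first
    return "other"          # only then consider audit2allow -w -a


if __name__ == "__main__":
    for r in parse_avc(SAMPLE_AUDIT_LOG):
        print(f"{r['serial']}: {r['comm']} ({r['source_type']}) {r['result']} {r['perms']} "
              f"on {r['tclass']} ({r['target_type']}) -> {classify_denial(r)}")
```

To run it against a live system, replace SAMPLE_AUDIT_LOG with the text of /var/log/audit/audit.log (or the output of sudo ausearch -m avc).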