Ask Your Question
3

SELinux- AVC denial

asked 2015-06-25 20:37:53 -0500

Tx gravatar image

I'm not a very knowlegable linux user, but am trying. Instead of just using my pc to get things done I'm now always having to read ALOT of stuff and trying to enter some sort of command line to get tasks accomplished. Now some THING called SELinux pops up messages saying this and that (ALL very confusing). This particular question is about something called AVC denial. What is it and how do I take care of it. I also have a question about a kernel, but not sure if I should ask it here. This all takes place on my Fedora21 box. Please help me understand this fascinating system for I am willing to learn. Thanx.................

edit retag flag offensive close merge delete

Comments

Can you please refine your question , otherwise see - https://docs.fedoraproject.org/en-US/...

bodhi.zazen gravatar imagebodhi.zazen ( 2015-06-25 21:55:46 -0500 )edit

SELinux is Security Enhanced Linux. You can probably find out more than you'd ever expect to need by checking Wikipedia. The AVC denials you're getting mean simply that some program is trying to do something that SELinux considers to be a potential security problem. The reports give you several options, but when in doubt, filing a bug report is always safe.

sideburns gravatar imagesideburns ( 2015-06-26 02:02:02 -0500 )edit
1

As you are interested to accomplish things from command line here are few commands that might help you to explore.

1)Check the contents of the file /etc/selinux/config

2)Play with getenforce,setenforce,getsebool,setsebool,semanage for troubleshooting.

3)Check the following log file after AVC denial.

/var/log/audit/audit.log

4)My most favourite command:

grep sealert /var/log/messages

It shows the alert id. You can use semanage on alert id to get more information.

5)Try issue Z to check the context of file,port and processes like.

ls -lZ

ps -auxZ

netstat -tulpinZ

krishnayeddula gravatar imagekrishnayeddula ( 2015-06-27 00:32:22 -0500 )edit

did you check the Fedora bugzilla bug list? Maybe your AVC denial is covered already. Of note are gnome-boxes/qemu and encrypted home folders usage without telling SELinux to use them.Occasionally some app just gets finicky and a denial pops up.We need to know what caused it.It should tell you.

shadowhh32 gravatar imageshadowhh32 ( 2015-06-27 23:05:26 -0500 )edit

1 Answer

Sort by ยป oldest newest most voted
2

answered 2015-06-27 23:47:04 -0500

It's always good to understand what you're dealing with instead of just looking for ways to disable things you don't understand. So thanks for a good question. SELinux - Security Enhanced Linux - is a Mandatory Access Control (MAC) layer which exists outside your software's own configuration. In short, it ensures a web-server only behaves like a web server, a database only does database things etc.

You can learn more about SELinux by following the links here: https://www.youtube.com/watch?v=bQqX3... . If you prefer to read: https://access.redhat.com/documentati... or the short version: https://en.wikipedia.org/wiki/Securit...

edit flag offensive delete link more

Comments

Talk from RH summit 2015: https://www.youtube.com/watch?v=cNoVg... :-)

masteroman gravatar imagemasteroman ( 2015-06-28 07:12:28 -0500 )edit

Question Tools

2 followers

Stats

Asked: 2015-06-25 20:37:53 -0500

Seen: 11,822 times

Last updated: Jun 27 '15