Even during our relatively brief journey of exploring SELinux, we used a handful of tools and means to inspect some of the internal workings of security policies and the access control between the subjects (users and processes) and objects (files). SELinux problems usually come down to action being denied, either between specific subjects or between a subject and some objects. SELinux-related issues are not always obvious or easy to troubleshoot, but knowing about the tools that can help is already a good start for tackling these problems.
Here are some of these tools, briefly explained:
- /var/log/messages: The log file containing SELinux access control traces and policy violations
- audit2allow: Generates SELinux policy rules from the log traces corresponding to denied operations
- audit2why: Provides user-friendly translations of SELinux audit messages of policy violations
- ausearch: Queries /var/log/messages for policy violations
- ls -Z: Lists filesystem objects with their corresponding SELinux context
- ps -Z: Lists processes with their corresponding SELinux context
- restorecon: Restores the default SELinux context for filesystem objects
- seinfo: Provides general information about SELinux security policies
- semanage: Manages and provides insight into SELinux policies
- semodule: Manages SELinux policy modules
- sepolicy: Inspects SELinux policies
- sesearch: Queries the SELinux policy database
For most of these tools, there is a corresponding system reference (such as man sesearch) that provides detailed information about using the tool. Beyond these tools, you can also explore the vast documentation SELinux has to offer. Here's how.
Accessing SELinux documentation
SELinux has extensive documentation, available as an RHEL/CentOS installable package or online at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index (for RHEL/CentOS 8).
The following command installs the SELinux documentation on RHEL/CentOS 8 systems:
sudo yum install -y selinux-policy-doc.noarch
You can browse a particular SELinux topic with (for example) the following command:
man -k selinux | grep httpd
SELinux is among the most established and highly customizable security frameworks in the Linux kernel. However, its relatively vast domain and inherent complexity may appear overwhelming for many. Sometimes, even for seasoned system administrators, the choice of a Linux distribution could hang in the balance based on the underlying security module. SELinux is mostly available on RHEL/CentOS platforms. More recent revisions of the Linux kernel are now moving away from SELinux while adopting a relatively lighter and more efficient security framework. The rising star on the horizon is AppArmor.