How to Troubleshoot SELinux Policy Issues with a User-Friendly GUI
SELinux is a security subsystem on Rocky Linux that defines access controls for applications, processes, and files. The system uses a set of rules (policies) that tell SELinux what can or can't be accessed.
But SELinux can be a bit of a challenge, which often leads admins and users to either disable the feature or set it to permissive mode. This is not the best way to approach security, especially on a production system. Instead, it's always best to learn how to get the most out of the security of your system by leaving SELinux enabled and in enforcing mode.
With SELinux protecting your system, what do you do when trouble arises? If your Rocky Linux server includes a desktop environment (such as GNOME or KDE Plasma), there's a user-friendly GUI that can help save the day.
The GUI in question is called SELinux Troubleshooter. Essentially, what this application does is help you diagnose SELinux policy issues. SELinux Troubleshooter works by generating desktop notifications from the Access Vector Cache (AVC) denial messages recorded in the audit log.
For example, say you're working on a Python application. The source process is /usr/bin/python3.9 and it is requesting the fowner capability. According to the capabilities man page, fowner is defined as:
"Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file, excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH."
That's great, but what do you do to resolve the issue? Well, you could generate a local policy module to allow the access, or you could grant it temporary access with the commands:
ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
semodule -X 300 -i my-firewalld.pp
How in the world would you know to do that? Fortunately, that's where SELinux Troubleshooter comes in handy. Instead of offering a button that resolves the issue for you, this app makes suggestions in the form of commands. The app also keeps a running list of SELinux alerts, so you can comb through them and either delete or troubleshoot them.
With the help of SELinux Troubleshooter, you don't have to become an overnight expert. Instead, you can allow this app to give you a helping hand to resolve the SELinux-related issues that pop up on your system.
Before you can use this software, you must first install it. Here's how.
Installing SELinux Troubleshooter
SELinux Troubleshooter is not installed by default. To add it, open Software (GNOME) or Discover (KDE Plasma) and search for SELinux. Click the entry named SELinux Troubleshooter and then click Install. You will be prompted for your user's sudo password.
Once the tool is added, you can close the software store and then locate it in your desktop menu. For example, in the KDE Plasma menu, you'll find it in System Tools. Click the entry and you'll be greeted by the SELinux Alert Browser (Figure 1).
Figure 1
Here you see the first of 10 SELinux alerts that can be acted on.
Click through the alerts (using the Next button) until you find an alert you want to act on. Once you've found one, you can either click Notify Admin or Troubleshoot. To open the SELinux Troubleshooter, make sure the alert you want to work with is selected, and then click Troubleshoot. The window will expand to show two main sections (Figure 2):
- If you were trying to… - this details what alerted SELinux to the issue.
- Then this is the solution. - this offers possible commands you can run to resolve the problem.
Figure 2
The SELinux Troubleshooter is a much more efficient way to troubleshoot issues.
Alternatively, if you believe this is a bug, click Report Bug and then, when the bug report submission window opens, click Submit Report (Figure 3).
Figure 3
Only submit a report if you are certain the issue is a bug and not a configuration problem.
Chances are pretty good the commands suggested will solve the problem at hand. However, if there is an alert for a particular application and you're not experiencing any problems, click Ignore and the alert will be ignored in the future.
Two things to remember (especially if you're new to the command line): in the Then this is the solution section, you must run the commands with sudo (for example, sudo ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld), and the leading # character marks the start of each individual command (it is the root prompt, not part of the command itself). So, in our example above, the Then this is the solution section shows the following output:
# ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
# semodule -X 300 -i my-firewalld.pp
What you see above is two commands, which are run one at a time. The first command would be:
sudo ausearch -c 'firewalld' --raw | audit2allow -M my-firewalld
The second command would be:
sudo semodule -X 300 -i my-firewalld.pp
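To make the pieces of this workflow concrete, here is an added example, a POSIX shell script written for this article and not code from the article itself or from the setroubleshoot project. It covers both the Python/fowner alert explained earlier and the two-command fix just shown: it pulls apart a constructed AVC denial record of the kind the Troubleshooter reads, prints the same ausearch/audit2allow/semodule suggestion the "Then this is the solution" section would show, and lists the allow rules in the generated .te file so you can see exactly what you are about to grant before running semodule -i. The audit record, the security contexts and the sample .te file are constructed, and the function names (avc_field, avc_perms, ctx_type, avc_summary, suggest_fix, write_sample_te, te_allow_rules) are my own.

```shell
#!/bin/sh
# Added example, not code from the article or from the setroubleshoot project.
# Everything here runs offline: the audit record and the .te file are
# constructed samples, not output captured from a real host.

# Constructed AVC record in standard auditd layout. comm and the capability
# match the python3.9 / fowner example from the article; the contexts are assumed.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { fowner } for  pid=1234 comm="python3.9" capability=3  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0'

# avc_field RECORD KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the denied permission(s) listed between { and }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third colon-separated field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one readable line, in the spirit of the Troubleshooter's
# "If you were trying to..." section.
avc_summary() {
    printf '%s (%s) was denied "%s" on class %s against %s\n' \
        "$(avc_field "$1" comm)" "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# suggest_fix COMM: the two commands the Troubleshooter prints under
# "Then this is the solution", without the leading '#' and with sudo added.
suggest_fix() {
    printf "sudo ausearch -c '%s' --raw | audit2allow -M my-%s\n" "$1" "$1"
    printf 'sudo semodule -X 300 -i my-%s.pp\n' "$1"
}

# write_sample_te FILE: a constructed .te module of the shape audit2allow -M
# writes for the denial above (one allow rule granting fowner to init_t).
write_sample_te() {
    cat > "$1" <<'EOF'
module my-python3 1.0;

require {
	type init_t;
	class capability fowner;
}

#============= init_t ==============
allow init_t self:capability fowner;
EOF
}

# te_allow_rules FILE: list the allow rules in a generated .te file. Read these
# before "semodule -i": every line is a permanent grant, and audit2allow will
# happily allow whatever was denied, so confirm it is the access you intend.
te_allow_rules() {
    grep -E '^[[:space:]]*allow[[:space:]]' "$1"
}

# Demo run: explain the alert, show the suggested fix, review the module.
avc_summary "$SAMPLE_AVC"
suggest_fix "$(avc_field "$SAMPLE_AVC" comm)"
TE_FILE="${TMPDIR:-/tmp}/my-python3.te"
write_sample_te "$TE_FILE"
echo "Rules that would be installed from $TE_FILE:"
te_allow_rules "$TE_FILE"
rm -f "$TE_FILE"
```

The review step is the one the GUI does not force on you: audit2allow only looks at what was denied, so inspecting the allow lines in the .te file before the semodule command is how you confirm the module grants exactly the access the alert described and nothing broader.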
And that is all there is to using the SELinux Troubleshooter app. If you are new to Rocky Linux and SELinux, you should consider this tool a must-have to help you get up to speed with how the security subsystem works. Of course, if you find SELinux Troubleshooter helpful, there's no reason you should have to stop using it (unless you find yourself having to administer a Rocky Linux installation without a desktop environment).