8.2. Top Three Causes of Problems
The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules.
8.2.1. Labeling Problems
On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label, possibly causing SELinux to deny access and allowing the process to create mislabeled files.
A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using /var/www/html/ for a website, an administrator wants to use /srv/myweb/. On Red Hat Enterprise Linux 6, the /srv/ directory is labeled with the var_t type. Files and directories created in /srv/ inherit this type. Also, newly-created top-level directories (such as /myserver/) may be labeled with the default_t type. SELinux prevents the Apache HTTP Server (httpd) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/ are to be accessible to httpd:
semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"
This semanage command adds the context for the /srv/myweb/ directory (and all files and directories under it) to the SELinux file-context configuration. The semanage command does not change the context of files that already exist on disk. As the Linux root user, run the restorecon command to apply the changes:
restorecon -R -v /srv/myweb
Refer to Section 5.6.2, “Persistent Changes: semanage fcontext” for further information about adding contexts to the file-context configuration.
8.2.1.1. What is the Correct Context?
The matchpathcon command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using matchpathcon on a directory that contains incorrectly labeled files:
matchpathcon -V /var/www/html/*
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
In this example, the index.html and page1.html files are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory may result in files being labeled with the user_home_t type, because mv preserves the source file's context. This type should not exist outside of home directories. Use the restorecon command to restore such files to their correct type:
restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
To restore the context for all files under a directory, use the -R option:
restorecon -R -v /var/www/html/
restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
Refer to Section 5.9.3, “Checking the Default SELinux Context” for a more detailed example of matchpathcon.
Files in /etc/selinux/targeted/contexts/files/ define contexts for files and directories. Files in this directory are read by the restorecon and setfiles commands to restore files and directories to their default contexts.
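To turn the matchpathcon output shown above into an actionable relabeling plan, here is an added example (not from the Red Hat guide) that parses mismatch lines of the form "PATH has context ACTUAL, should be EXPECTED", keeps only files whose type is wrong, and emits the restorecon invocations this section uses. The sample output is constructed in that shape; the "verified." line is what matchpathcon -V prints for a correctly labeled path.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `matchpathcon -V` output.
SAMPLE_OUTPUT = """\
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/page1.html has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/ok.html verified.
/srv/myweb/index.html has context system_u:object_r:var_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
"""

MISMATCH = re.compile(r"^(\S+) has context (\S+), should be (\S+)$")
FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type:level into a dict; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not an SELinux context: %r" % ctx)
    return dict(zip(FIELDS, parts))


def parse_matchpathcon(output):
    """Return [(path, actual_ctx, expected_ctx)] for every mismatch line."""
    hits = []
    for line in output.splitlines():
        m = MISMATCH.match(line.strip())
        if m:
            hits.append((m.group(1), split_context(m.group(2)), split_context(m.group(3))))
    return hits


def type_mismatches(output):
    """Keep only files whose type differs: the type is what the policy checks on access."""
    return [(p, a["type"], e["type"])
            for p, a, e in parse_matchpathcon(output) if a["type"] != e["type"]]


def restorecon_plan(output):
    """Two or more mislabeled files in one directory get one recursive restorecon;
    a lone file gets a targeted one, so nothing outside the findings is touched."""
    by_dir = defaultdict(list)
    for path, _, _ in type_mismatches(output):
        by_dir[path.rsplit("/", 1)[0] + "/"].append(path)
    return ["restorecon -R -v %s" % d if len(by_dir[d]) > 1
            else "restorecon -v %s" % by_dir[d][0] for d in sorted(by_dir)]


if __name__ == "__main__":
    for path, actual, expected in type_mismatches(SAMPLE_OUTPUT):
        print("%s: %s -> %s" % (path, actual, expected))
    print("\n".join(restorecon_plan(SAMPLE_OUTPUT)))
```

Feed it real output with `matchpathcon -V /path/* | python3 thisfile.py` only after changing the script to read stdin; as written it runs on the embedded sample.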