SELinux is preventing from open access on the file
Environment
- Red Hat Enterprise Linux
Issue
- Logs similar to the ones below were noticed in the /var/log/messages file:
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing 'command' from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyzz
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing /usr/sbin/ip from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyyy
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing /usr/bin/traceroute from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyyz
Resolution
- Cross-check if access to the location mentioned in the error message is really required for the command/application.
- Make sure that the right SELinux context is applied to the location.
- Open a case with Red Hat support proactively for analysis.
Root Cause
- The errors indicate that some commands could not access files at the given location because the SELinux context on those files does not match what the command's domain is allowed to access.
- A particular SELinux context must be present on the files for access to be allowed. If that context is missing and an application tries to access the files, errors of this kind are logged.
- The sealert command (quoted at the end of each error) gives more details about the issue, such as the 'current SELinux context (Target Context)', i.e. the label on the file, and the 'required SELinux context (Source Context)', i.e. the domain of the process that was denied.
Diagnostic Steps
- Errors similar to those below were noticed in the /var/log/messages file:
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing 'command' from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyzz
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing /usr/sbin/ip from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyyy
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing /usr/bin/traceroute from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyyz
- Execute the sealert command given at the end of the error message to get more details of the issue.
- Check fields like 'current SELinux context (Target Context)' and 'required SELinux context (Source Context)'.
- Below is an example of a traceroute command-related error:
Source Context system_u:system_r:traceroute_t:s0
Target Context system_u:object_r:default_t:s0
Here, the current SELinux context is default_t and the required SELinux context is traceroute_t.
- The semanage fcontext command followed by restorecon can be used for setting the right SELinux context.
- Alternatively, check the "allow this access for now by executing" section of the sealert command's output.
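The following POSIX sh script is an added example and is not part of the Red Hat article. It walks the Diagnostic Steps above on constructed input: it pulls the subject, file path and sealert ID out of setroubleshoot lines like the ones quoted, extracts the type component of the Source and Target contexts from a sealert report, and prints (without running) the semanage fcontext / restorecon pair from the Resolution section. The sample log and sealert text are constructed from the article's own lines, and the file type example_file_t is a placeholder: the real type to apply must be read from the sealert output for the affected system.

```shell
#!/bin/sh
# Added example, not the article's own code. Parses setroubleshoot log lines
# and sealert context lines, then builds the relabel commands as a dry run.

# Constructed sample lines modelled on the article's /var/log/messages excerpt.
SAMPLE_LOG='Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing /usr/sbin/ip from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyyy
Jun 21 12:14:23 localhost setroubleshoot: SELinux is preventing /usr/bin/traceroute from open access on the file /abc/xyz/123/456. For complete SELinux messages run: sealert -l xxxx-yyyz'

# Constructed sealert -l excerpt, matching the traceroute example in the article.
SAMPLE_SEALERT='Source Context                system_u:system_r:traceroute_t:s0
Target Context                system_u:object_r:default_t:s0'

# Print one "subject path sealert-id" record per matching setroubleshoot line;
# lines that do not carry the "open access on the file" message are skipped.
parse_setroubleshoot() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *"SELinux is preventing "*" from open access on the file "*". For complete SELinux messages run: sealert -l "*) ;;
            *) continue ;;
        esac
        rest=${line#*SELinux is preventing }
        subject=${rest%% from open access on the file *}
        rest=${rest#* from open access on the file }
        path=${rest%%. For complete SELinux messages run: sealert -l *}
        id=${rest##* sealert -l }
        printf '%s %s %s\n' "$subject" "$path" "$id"
    done
}

# The SELinux type is the third field of a user:role:type:level context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# From sealert output, print "source_type target_type" (process domain, file label).
sealert_types() {
    src=$(printf '%s\n' "$1" | sed -n 's/^Source Context[[:space:]]*//p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/^Target Context[[:space:]]*//p')
    printf '%s %s\n' "$(context_type "$src")" "$(context_type "$tgt")"
}

# Print, but do not execute, the relabel commands from the Resolution section.
# $1 is the directory to relabel, $2 the file type chosen after reading sealert.
relabel_commands() {
    dir=$1
    file_type=$2
    printf '%s\n' \
        "semanage fcontext -a -t $file_type \"$dir(/.*)?\"" \
        "restorecon -Rv $dir"
}

# Stand-alone run: show what a responder would see for the sample data.
parse_setroubleshoot "$SAMPLE_LOG"
sealert_types "$SAMPLE_SEALERT"
relabel_commands /abc/xyz/123 example_file_t
```

Before applying the printed commands on a real host, compare the current label (ls -Z on the file) with the policy default (matchpathcon on the path, or restorecon -nv as a dry run); if the path already carries the default label, the fix is a policy change rather than a relabel, which is the case to raise with Red Hat support.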
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.