Four common causes of SELinux warning

Four common causes of SELinux warning this article describes four causes of SELinux warning and solutions. Www.2cto.com cause 1: The core concept of SELinux is labeling, whether it is a file system, directory, File, file startup descriptor... four common causes of SELinux warning this article describes four causes of SELinux warning and solutions. Www.2cto.com cause 1: The core concept of SELinux is labeling, whether it is a file system, directory, File, file start descriptor, port, Message Interface or network interface, all tags are required and can only be executed according to the permissions granted by tags. Even if the running Apache process is hacked and the uid = 0 root permission is obtained, it still cannot access the files in a user's home directory. Because the Apache process marked as httpdt cannot access the content marked as userhome_t. Therefore, if there is a problem with the annotation, SELinux will bring up a warning. For more information about how to handle this problem, see the use of semanage fcontext and restorecon commands in the previous section. Of course, you can also follow the prompts in the graphical SELinux debugging tool. Cause 2: After years of development of custom program running settings, when SELinux has accumulated a large number of policy files, the default running requests of most applications are recorded, appropriate minimum permissions can be granted for execution. However, if you have customized some running configurations or have special application requirements, you need to adjust some SELinux settings. For most common custom requirements, SELinux adopts a Boolean value for control. For more information, see the use of the setsebool command in the previous section of this site. If you want to know all the adjustable SELinux boolean values, use the semanage boolean-l command. This can be solved through the graphical SELinux debugging tool, or through the graphical system-config-selinux. Cause 3: If the SELinux policy or application configuration is incorrect, if you do not modify the configuration but still receive the SELinux warning, the cause may be the SELinux policy or application itself. In this case, we recommend that you first submit an error report with the help of the SELinux debugging tool, and then handle it based on the situation. If the report has already been reported, the solution is usually detailed in the comments of the error report. If you want to ignore the SELinux warning and still run the application, you can set SELinux to the allowed mode, which only records warnings but does not stop running: setenforce 0. Set a single annotation process to the allowed mode instead of the entire system. for example, you only want to run Apache in the allowed mode: semange permissive-a httpd_t follow the recommendations of the SELinux debugging tool to create and load custom policies. The specific process varies depending on the situation. The SELinux debugging tool will provide detailed descriptions. Cause 4: The program has been intruded into SELinux, which is not an intrusion detection system. Currently, the SELinux debugging tool cannot actively detect intrusion attempts. However, when you find that the warning content contains the following features, it is very likely that the corresponding process has been cracked by hackers: try to disable SELinux (/etc/selinux) or set a Boolean value of SELinux. Try to load the kernel module, write the kernel directory, or boot image. Try to read the file marked by shadow_t, which usually contains encrypted account information. Try to overwrite the log file. Try to connect unnecessary random ports or email ports. The four common warning causes are described. we hope that you can handle SELinux alarms safely and effectively next time. By the way, the localization problem of most SELinux debugging tools has been solved. The children's shoes in Ora 18 can see the warning content in Fedora 18.