
Get SELinux to tell you the reason for access errors – Redhat/CentOS

This article shows how to get SELinux to tell you the solution to access issues. For example, if your PHP script is no longer sending emails because SELinux is stopping it, you can get suggestions from SELinux on how to resolve the issue.

For this example, we’ll fix the php/apache sendmail issue.

Install the required components:

yum install setroubleshoot setools

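The SELinux audit logs can be large and they grow fast, so we filter for just the events we want. The --line-buffered option makes grep write each match to the file immediately instead of holding it in a buffer:

tail -f /var/log/audit/audit.log | grep --line-buffered sendmail > /tmp/sendmail.selog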

With the above running, I execute the PHP script that is causing me the trouble. The above command will capture the event and put it in my temporary log file “/tmp/sendmail.selog”.

Next, I run sealert against the captured log:

# sealert -a /tmp/sendmail.selog

…which will output something like the following:

100% donefound 1 alerts in /tmp/sendmail.selog
-----------------------------------------------

SELinux is preventing /usr/sbin/sendmail.sendmail from search access on the directory clientmqueue.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sendmail.sendmail should be allowed search access on the clientmqueue directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

The last two lines are the solution to the problem. I execute them one at a time and the problem is solved.
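The audit2allow command suggested above builds its policy module from every denial that the grep matches, so it helps to see what the captured log would grant before running semodule -i. The following Python sketch is an added example, not part of the original article or of setroubleshoot; it summarises the AVC denials in a few constructed sample records as allow-rule-shaped lines, and the SELinux types, ids and the comm filter shown are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log records: ids, SELinux types and inode numbers are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1500000000.101:311): avc:  denied  { search } for  pid=2101 comm="sendmail" name="clientmqueue" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1500000000.101:311): arch=c000003e syscall=2 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
type=AVC msg=audit(1500000000.205:312): avc:  denied  { write add_name } for  pid=2101 comm="sendmail" name="clientmqueue" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1500000003.010:320): avc:  denied  { name_connect } for  pid=2150 comm="sendmail" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=USER_CMD msg=audit(1500000004.000:321): pid=2200 msg='cmd="grep sendmail /var/log/audit/audit.log"'
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)')


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def proposed_rules(log_text, comm=None):
    """Merge AVC denials into one allow-style line per (source, target, class)."""
    grants = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/USER_CMD lines also match a plain grep but carry no denial
        if comm and f'comm="{comm}"' not in line:
            continue  # optional filter on the process name recorded in the denial
        key = (se_type(m["src"]), se_type(m["tgt"]), m["cls"])
        grants[key].update(m["perms"].split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grants.items())]


if __name__ == "__main__":
    for rule in proposed_rules(SAMPLE_LOG, comm="sendmail"):
        print(rule)
```

audit2allow -M also writes a readable mypol.te next to mypol.pp, which can be checked the same way before the module is loaded.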
