SELinux’s setroubleshoot install on a RHEL6 server

I am planning on using RHEL6 as a web server, primarily for my Mercurial/GIT repositories. This was to replace my current Fedora13 instance. After the initial minimal install, there were a couple of things missing. Mainly setroubleshoot and email notification on AVC denial.

During my F13 repository setup, I had to turn on a few SELinux booleans in order for HG to successfully serve my repositories. Apache was spitting out forbidden errors, and I suspected SELinux as the culprit. This was to be expected; however, unlike the F13 box, there were no setroubleshoot messages in /var/log/messages. You know, the ones with the friendly sealert -l [hash] and whatnot.

Everything was going to /var/log/audit/audit.log and written in a slightly less readable format. After going through Dan Walsh's blog, I noticed I was missing the setroubleshoot-* packages. In a server environment (no GUI) I only need to install setroubleshoot-server (and its deps) in order to get the descriptive SELinux audit messages.

Sample /var/log/audit/audit.log AVC denials:

[root@demon ~]# grep AVC /var/log/audit/audit.log
...
/var/log/audit/audit.log:type=AVC msg=audit(1292588343.092:3941): avc: denied { getattr } for pid=2295 comm="httpd" path="/home/hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
/var/log/audit/audit.log:type=AVC msg=audit(1292588361.410:3942): avc: denied { search } for pid=4945 comm="httpd" name="hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
/var/log/audit/audit.log:type=AVC msg=audit(1292588361.410:3943): avc: denied { getattr } for pid=4945 comm="httpd" path="/home/hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
...
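Until setroubleshoot is wired up, the raw AVC records above are what you have to work with. As an added example (not from the original post), the following parser reads lines in that format, keeps only the denials, and groups them by source domain, target type and object class, which is the shape a policy rule or boolean decision is made against. The sample log is constructed from the three denial lines shown above.

```python
"""Summarise SELinux AVC denials from /var/log/audit/audit.log lines."""
import re
from collections import defaultdict

# Constructed sample: the three httpd denials from the post, with the grep file prefix.
SAMPLE_AUDIT_LOG = """\
/var/log/audit/audit.log:type=AVC msg=audit(1292588343.092:3941): avc: denied { getattr } for pid=2295 comm="httpd" path="/home/hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
/var/log/audit/audit.log:type=AVC msg=audit(1292588361.410:3942): avc: denied { search } for pid=4945 comm="httpd" name="hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
/var/log/audit/audit.log:type=AVC msg=audit(1292588361.410:3943): avc: denied { getattr } for pid=4945 comm="httpd" path="/home/hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

# Header of a kernel AVC record: timestamp:serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]*)\} +for '
    r'(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values (comm, path) or bare tokens


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:level -> type; the type is what policy rules are written against."""
    return ctx.split(":")[2]


def summarise(text):
    """Group denials by (source type, target type, class); collect permissions and pids."""
    summary = defaultdict(lambda: {"perms": set(), "pids": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue  # skip non-AVC records (SYSCALL, CWD, PATH) and granted audits
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        entry = summary[key]
        entry["perms"].update(rec["perms"])
        entry["pids"].add(int(rec["pid"]))
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), e in summarise(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {e['count']} denials, "
              f"perms={sorted(e['perms'])}, pids={sorted(e['pids'])}")
```

On the sample this collapses the three records into one line: httpd_t needs getattr and search on user_home_dir_t directories, which is exactly the home-directory access a boolean such as the httpd home-dir one governs.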

So I went ahead and installed the setroubleshoot-server RPMs, but I was still not getting anything friendly in /var/log/messages.

By the way, if you want to generate some SELinux denials you can try this command:

[root@demon ~]# sandbox /usr/bin/perl -e '`cat /dev/urandom`'
cat: /dev/urandom: Permission denied

The sandbox tool will run a binary in a paranoid domain, restricting it from accessing most objects in the system. Sandboxing is very cool and useful if you're running any web applications.

Starting with the Fedora 11 release, Dan Walsh made a few changes to setroubleshoot to make it less of a memory hog. This meant that setroubleshootd was obsolete and replaced by sedispatch. This new binary was to be called by /sbin/audispd, which is called by auditd as the dispatcher for AVC messages. sedispatch would only start setroubleshootd if it was needed. If you try to run setroubleshootd manually, it will start, wait for about 10 seconds and exit with code 0.

To make sure sedispatch is functional you can do something like this:

[root@demon ~]# grep AVC /var/log/audit/audit.log | sedispatch
...
Got Reply: AVC
Got Reply: AVC
...
[root@demon ~]#

You should now see the setroubleshoot messages in /var/log/messages.

It turns out all I had to do to get setroubleshoot to work was to restart the auditd service to make sure it picked up the newly installed /etc/audisp/plugins.d/sedispatch.conf plugin.

Besides the newbie-friendly sealert database, setroubleshoot can also send email notifications when denials happen. This is a fairly straightforward process; however, I did run into a couple of issues.

#selinux@freenode