Finding a Problem Caused by a Misconfiguration of SELinux and Troubleshooting the Issue

1 hour

About this Hands-on Lab

In this lab, you will be presented with inadequate SELinux configurations that are causing problems. Your job is to perform the correct reconfigurations so everything works properly for the given cases. The first problem involves a web server running that needs to be accessed through an atypical port not usually used by the web servers. SELinux, however, is not allowing you to do this. You need to figure out why, how it is doing this, and effect changes that will persist after reboots. There’s also another problem: The web server is not able to serve the proper files to the end user due to improper configuration. The idea is to be able to grant or revoke access with SELinux depending on the needs and problems you encounter. In order to troubleshoot problems with SELinux, you will need to access and analyze the log files, locate the problems, and then implement an adequate solution. You should not use the global SELinux permissive state for verification.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Install Troubleshooting Tools

Install the troubleshooting tools:

sudo yum install -y setroubleshoot setools
Attempt to Start Apache Web Server on Port 9100. When It Fails, Find the Line in the Log Files Confirming SELinux Is the Core Issue.

Using grep

sudo grep httpd /var/log/audit/audit.log

Using Both tail and grep

sudo tail -n 100 /var/log/audit/audit.log | grep -i httpd

Using tail

sudo tail -f /var/log/audit/audit.log

Watch the Log in Real Time, in Another Terminal

sudo systemctl start httpd 

Using ausearch

sudo ausearch -p <process id>

Look at the Auditor

sudo grep httpd /var/log/audit/audit.log | audit2why
Find the Right Port Label for Apache Web Server and Add the Needed Port. Then Restart the Apache Web Server.
  1. List all the possible port labels and search the list for http:

    sudo semanage port -l | grep -i http
  2. Add port 9100 to the http_port_t label:

    sudo semanage port -m -t http_port_t -p tcp 9100
Find the Right SELinux Context for the `index.html` in `/var/www/html/` and Set It Permanently
  1. Create a test file to see the context new files in the directory receive:

    sudo touch /var/www/html/test 
  2. View the context:

    ls -Z /var/www/html/
  3. Change the context of the file:

    sudo semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
  4. Reset the security context:

    sudo restorecon -v /var/www/html/index.html
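The log-reading and fix steps above can be tied together in one triage helper. The script below is an added example, not part of the lab: it pulls the AVC denials for a given process out of audit-log text and maps each to the semanage subcommand family the lab uses. The audit lines it reads are constructed samples (the function names, the sample pids and inode numbers are assumptions), written to mirror the two lab failures.

```sh
#!/bin/sh
# Added example (not part of the lab): summarise SELinux AVC denials for one
# process and point at the fix family. Sample audit lines are constructed.

# Print one summary line per AVC denial whose comm= matches $1 (stdin = audit lines).
avc_summary() {
    awk -v want="comm=\"$1\"" '
        /type=AVC/ && index($0, want) {
            perm = ""; target = ""; ttype = ""; cls = ""
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)      # text inside { }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src" || kv[1] == "name" || kv[1] == "path") target = $i
                if (kv[1] == "tcontext") { split(kv[2], ctx, ":"); ttype = ctx[3] }
                if (kv[1] == "tclass") cls = kv[2]
            }
            print "denied " perm " on " cls " " target " (target type " ttype ")"
        }'
}

# Map a summary line to the lab's fix: port label or file context.
suggest_fix() {
    case "$1" in
        *"name_bind on tcp_socket"*)
            echo "port label: semanage port -l | grep -i http, then semanage port -m (-a if the port is unlabelled) -t http_port_t -p tcp PORT; restart httpd" ;;
        *" on file "*|*" on dir "*)
            echo "file context: semanage fcontext -a -t httpd_sys_content_t PATH; restorecon -v PATH" ;;
        *)
            echo "unhandled: run the denial through audit2why" ;;
    esac
}

# Constructed sample (not from a real host): a bind to tcp/9100, which carries
# the default jetdirect_port_t label, and an index.html still labelled admin_home_t
# because it was created under /root and moved into place.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.100:101): avc:  denied  { name_bind } for  pid=2231 comm="httpd" src=9100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jetdirect_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.200:102): avc:  denied  { read } for  pid=2235 comm="httpd" name="index.html" dev="dm-0" ino=3401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.300:103): avc:  denied  { name_connect } for  pid=900 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary httpd | while IFS= read -r line; do
    echo "$line"
    echo "  -> $(suggest_fix "$line")"
done
```

On a real host, feed it the audit log instead of the sample: `sudo cat /var/log/audit/audit.log | avc_summary httpd`.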

Additional Resources

The lab conditions include:

  • sshd server is running on port 22.
  • Apache needs to run on port 9100.
  • Apache needs to serve a file index.html.

The overall lab objectives include:

  • Do not put SELinux into permissive mode!
  • You can put an individual domain into permissive mode.
  • Analyze the logs and find the line that confirms SELinux is the problem.
  • Only when you have found the line that clearly shows SELinux is the problem should you act to solve the issue.
  • Port 9100 is a nonstandard port for Apache web server.
