Introduction
As a system administrator, you are responsible for maintaining the security of your Linux system. A key part of this is managing SELinux (Security-Enhanced Linux), a mandatory access control mechanism that enforces security policies. When a process attempts an action that violates a policy, SELinux denies the action and logs an Access Vector Cache (AVC) denial. In this challenge, you will learn how to diagnose and resolve a common SELinux policy violation using standard RHEL tools, a critical skill for the RHCSA exam.
Diagnose and Address SELinux Policy Violations
Scenario
A web server on your system is supposed to serve content from users' home directories (e.g., from a ~/public_html directory). However, users are reporting that their web pages are not accessible and are showing "Forbidden" errors. You suspect this is an SELinux issue. Your task is to investigate the SELinux logs, identify the policy violation, and apply the correct fix to allow the web server to function as intended.
Tasks
- Investigate the system's audit logs to find recent SELinux AVC denials.
- Analyze the denial message to understand what action was blocked and which SELinux boolean can resolve the issue.
- Modify the appropriate SELinux boolean to permit the web server to access user home directories.
- Ensure the policy change is persistent, so it survives a system reboot.
Requirements
- All commands must be run as the labex user. Use sudo where administrative privileges are required.
- The SELinux boolean you need to modify is httpd_enable_homedirs.
- The change must be made persistent.
Hints
- Use the ausearch command to query the audit logs. The -m avc option filters for AVC messages.
- Pay close attention to the output of ausearch. It often contains suggestions from setroubleshoot on how to resolve the denial.
- The setsebool command is used to change the value of an SELinux boolean. Use the -P flag to make the change persistent.
- You can check the current value of a boolean with the getsebool command.
Summary
In this challenge, you have learned how to diagnose and address a routine SELinux policy violation. You practiced using ausearch to inspect the audit logs for AVC denials, interpreting the output to identify the root cause, and using setsebool -P to apply a persistent policy change. Mastering this workflow is essential for managing system security on RHEL and is a fundamental skill tested in the RHCSA exam.
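The analysis step from the tasks and hints, as an added example that is not part of the original challenge: a script that reduces each AVC denial to the fields that identify the blocked action. The sample record is constructed, the function names are hypothetical, and the script assumes the usual form of this denial (httpd_t blocked on a user_home_dir_t directory).

```shell
#!/bin/sh
# Constructed sample AVC record for illustration (not captured from a real host).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { search } for  pid=2345 comm="httpd" name="labex" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# Read audit records on stdin; print "comm perms tclass source_type target_type"
# for each AVC denial. Multiple permissions are joined with commas.
summarize_avc() {
    awk '
    /avc: +denied/ {
        comm = perms = tclass = stype = ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                perms = ""
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) {
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            } else if ($i ~ /^scontext=/) {
                split(substr($i, 10), ctx, ":"); stype = ctx[3]
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), ctx, ":"); ttype = ctx[3]
            }
        }
        print comm, perms, tclass, stype, ttype
    }'
}

# Assumption: the denial this challenge targets is httpd_t acting on a
# user_home_dir_t object. Returns 0 when a summary line matches that pattern.
needs_homedirs_boolean() {
    set -- $1
    [ "$4" = "httpd_t" ] && [ "$5" = "user_home_dir_t" ]
}

# Check and persistent change from the hints; defined only, run it on the lab host.
apply_fix() {
    getsebool httpd_enable_homedirs
    sudo setsebool -P httpd_enable_homedirs on
}

# On a real host: sudo ausearch -m avc -ts recent | summarize_avc
summary=$(printf '%s\n' "$SAMPLE_AVC" | summarize_avc)
echo "$summary"
if needs_homedirs_boolean "$summary"; then
    echo "candidate boolean: httpd_enable_homedirs"
fi
```

Matching on the source and target types rather than on the "Forbidden" symptom keeps the boolean change tied to the specific denial, so unrelated AVC records are not used as a reason to relax policy.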



