The details about SELinux Denied Access will be in AVC. Bobcares, as a part of our Server Management Service offers solutions to every query that comes our way.

SELinux AVC: Denied or Allowed Access

When an attempt is made to “access” something, SELinux interrupts the process because the app was not found in the “trusted” list. Typically, apps are not allowed from accessing certain risky and specified places of the system, which causes SELinux to halt any reading, writing, or running from such locations.

The Access Vector Cache (AVC) holds the choices made by SELinux regarding what access to grant and deny. SELinux logs AVC denial messages to /var/log/messages while the auditing service (auditd) is not operating. We need to add the app to the “trusted zone” in the SELinux file. Thus we should rebuild the ROM after making those changes to avoid it.

How to Fix it?

We can get an analysis of why SELinux denied access, and a possible solution to fix the issue if we are using an X Window System. This is because the error message prompt will have a “Show” option for this purpose. However, it is not same when we aren’t using the X Window system.

In such cases, if DAC rules allow access, we can check /var/log/messages and /var/log/audit/audit.log for “SELinux is preventing” and “denied” errors respectively. So, we must run the following commands as the Linux root user:

The first place to look for further details about a denial is the /var/log/audit/audit.log file when SELinux blocks the situation. The ausearch tool can be used to query audit logs. Use the AVC and USER_AVC values for the message type parameter since SELinux decisions, such as granting or refusing access, are cached and are stored in the AVC.

Verify that the Audit daemon is operating if no matches are found. If not, examine the Audit log once more and try the denied case after starting auditd.

If auditd is running and the output of ausearch shows no matches, review the systemd Journal’s messages:

[Looking for a solution to another query? We are just a click away.]

Conclusion

To conclude, when SELinux shows an Denied Access message, we can check the AVC and can take the necessary troubleshooting steps.