# SELinux Troubleshooting

## SELinux Modes

```bash
# Check current mode
getenforce

# Temporarily change mode (until reboot)
setenforce 0   # permissive
setenforce 1   # enforcing

# Permanent change: edit /etc/selinux/config
SELINUX=enforcing|permissive|disabled
```

## Viewing SELinux Denials

### Audit Log

```bash
# Search for AVC denials
ausearch -m avc -ts recent
ausearch -m avc -ts today
ausearch -m avc -c httpd   # by command

# Human-readable output
ausearch -m avc -ts recent --interpret
```

### Journal

```bash
# View setroubleshoot messages
journalctl -t setroubleshoot

# Detailed analysis
sealert -l <alert-id>
sealert -a /var/log/audit/audit.log
```

## File Contexts

### View Contexts

```bash
# Show file context
ls -Z /path/to/file
ls -dZ /path/to/dir

# List all fcontext rules
semanage fcontext --list

# Search for specific path
semanage fcontext --list | grep '/var/www'
```

### Set File Context

```bash
# Add permanent context rule
semanage fcontext -a -t httpd_sys_content_t '/mysites/www(/.*)?'

# Apply context from database
restorecon -Rv /mysites/www

# Temporary context change (lost on relabel)
chcon -t httpd_sys_content_t /path/to/file
```

### Common File Types

| Type | Purpose |
|------|---------|
| `httpd_sys_content_t` | Web server read-only content |
| `httpd_sys_rw_content_t` | Web server writable content |
| `mysqld_db_t` | MySQL/MariaDB data files |
| `samba_share_t` | Samba shares |
| `user_home_t` | User home directories |
| `etc_t` | Configuration files |
| `var_log_t` | Log files |

## Port Contexts

```bash
# List all port labels
semanage port --list

# Search for specific port
semanage port --list | grep http

# Add port label
semanage port -a -t http_port_t -p tcp 8080

# Modify existing port label
semanage port -m -t http_port_t -p tcp 8080

# Delete port label
semanage port -d -t http_port_t -p tcp 8080
```

## Booleans

```bash
# List all booleans
getsebool -a

# List with descriptions
semanage boolean --list

# Search for specific boolean
getsebool -a | grep httpd

# Set boolean (temporary)
setsebool httpd_can_network_connect on

# Set boolean (persistent)
setsebool -P httpd_can_network_connect on
```

### Common Booleans

| Boolean | Purpose |
|---------|---------|
| `httpd_can_network_connect` | httpd connects to network |
| `httpd_can_network_connect_db` | httpd connects to databases |
| `httpd_enable_homedirs` | httpd serves home directories |
| `httpd_use_nfs` | httpd uses NFS |
| `samba_enable_home_dirs` | Samba serves home directories |
| `ftpd_full_access` | FTP full filesystem access |

## Policy Investigation

```bash
# Install tools
yum install setools-console

# List all types
seinfo -t

# Show type details
seinfo -t httpd_sys_content_t

# List all booleans
seinfo -b

# Find port type for a port
seinfo --portcon=443

# Search policy rules
sesearch --allow -s httpd_t -t httpd_sys_content_t

# Show rules enabled by boolean
sesearch --allow -b httpd_can_network_connect
```

## dontaudit Rules

```bash
# List dontaudit rules
sesearch --dontaudit

# Disable all dontaudit (for debugging; hidden denials now appear in the audit log)
semanage dontaudit off

# Re-enable dontaudit
semanage dontaudit on
```

## Relabeling

```bash
# Relabel single file/directory
restorecon -Rv /path

# Force full system relabel on next boot
touch /.autorelabel
reboot

# Relabel the whole system without reboot (time consuming)
fixfiles -F relabel
```

## Common SELinux Issues

| Issue | Diagnosis | Fix |
|-------|-----------|-----|
| Wrong file context | `ls -Z`, `ausearch -m avc` | `semanage fcontext` + `restorecon` |
| Non-standard port | `ausearch -m avc` shows port bind | `semanage port -a` |
| Boolean not set | `getsebool` | `setsebool -P` |
| Disabled to enforcing | Many unlabeled files | Full relabel |

## Troubleshooting Workflow

1. **Check SELinux status**: `getenforce`
2. **Search for denials**: `ausearch -m avc -ts recent`
3. **Get detailed info**: `sealert -a /var/log/audit/audit.log`
4. **Identify issue type**:
   - File context: `ls -Z`, fix with `semanage fcontext` + `restorecon`
   - Port: fix with `semanage port`
   - Boolean: fix with `setsebool -P`
5. **Test fix**: restart service, retry action
6. **Verify**: `ausearch -m avc -ts recent` shows no new denials

## Quick Fixes

```bash
# Fix file context for web content
semanage fcontext -a -t httpd_sys_content_t '/mysite(/.*)?'
restorecon -Rv /mysite

# Add custom HTTP port
semanage port -a -t http_port_t -p tcp 8080

# Allow httpd network connections
setsebool -P httpd_can_network_connect on

# Fix after moving/copying files that kept their old context (e.g. mv)
restorecon -Rv /var/www/html
```
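The troubleshooting workflow above sorts a denial into one of three buckets (file context, port, boolean) by reading the AVC record. The script below is an added example, not part of the original cheat sheet: it applies that triage to constructed `type=AVC` lines (invented for illustration, in the field layout `ausearch -m avc` prints) and emits the page's suggested fix for each. The `classify_avc` and `avc_field` functions are assumptions for this example; `<type>_t`, `<service>_port_t` and `<service>` in its output are placeholders the operator fills in after checking `ls -Z`, `semanage port --list` and `getsebool -a`.

```shell
#!/bin/sh
# Added example: triage AVC denials into file-context / port / boolean issues.
# SAMPLE_AVC is constructed data, not captured from a real host.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/mysites/www/index.html" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.202:202): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.303:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE NAME: print the value of the key=value field NAME (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) {
                v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# classify_avc LINE: print "<issue-type>|<suggested fix>" using the workflow's buckets.
classify_avc() {
    line=$1
    perm=$(printf '%s\n' "$line" | awk -F'[{}]' '{ gsub(/ /, "", $2); print $2 }')
    tclass=$(avc_field "$line" tclass)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)   # target type, e.g. default_t
    case "$perm:$tclass" in
        name_bind:*_socket)
            # Bind to an unlabeled/unexpected port: label the port for the service.
            port=$(avc_field "$line" src)
            proto=${tclass%_socket}
            printf 'port|semanage port -a -t <service>_port_t -p %s %s\n' "$proto" "$port" ;;
        name_connect:*_socket)
            # Outbound connect from a confined domain: usually gated by a boolean.
            printf 'boolean|getsebool -a | grep <service>; then setsebool -P <boolean> on\n' ;;
        *:file|*:dir|*:lnk_file)
            # File access denied: the object carries the wrong type; fix the fcontext rule.
            dir=$(dirname "$(avc_field "$line" path)")
            printf "file_context|semanage fcontext -a -t <type>_t '%s(/.*)?'; restorecon -Rv %s (current type: %s)\n" \
                "$dir" "$dir" "$ttype" ;;
        *)
            printf 'unknown|sealert -a /var/log/audit/audit.log\n' ;;
    esac
}

# triage_all: classify every constructed sample line.
triage_all() {
    printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r l; do
        [ -n "$l" ] && classify_avc "$l"
    done
}

triage_all
```

Against real data, replace `SAMPLE_AVC` with `ausearch -m avc -ts recent` output; the classifier only reads the `denied { perm }`, `tclass`, `tcontext`, `path` and `src` fields, so it ignores any extra fields `ausearch` prints.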