Wednesday, August 19, 2015

Troubleshooting SELinux

As much as I hoped to make the greatest use of SELinux to secure my servers, I've typically dropped it into "permissive" mode after encountering cryptic security restrictions. I recently set up a basic Fedora server on DigitalOcean including SELinux and decided to try sticking it out with SELinux in full protection mode.

And as usual, I encountered a cryptic "failed to start" error while reconfiguring an Apache server. Thanks to a comment on one of the Fedora forums, I found a convenient tool, audit2why, to help decipher the error message. Piping the error output into audit2why (e.g., systemctl status httpd.service | audit2why), the tool actually gave me the specific command to adjust the setting in SELinux.
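An added example, not part of the original post: audit2why interprets the AVC denial records that SELinux writes to the audit log. The shell function below groups such records by process, source type, target type, class and permission, so repeated denials collapse into one line before you act on them. The log lines and the names sample_log and avc_summary are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the original post).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1439990000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1439990000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1439990000.200:457): avc:  denied  { name_bind } for  pid=1240 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1439990003.010:460): avc:  denied  { read } for  pid=1301 comm="httpd" name="index.html" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Read audit records on stdin; print "count comm source_type target_type class perms"
# once per distinct denial, in order of first appearance.
avc_summary() {
  awk '
    /avc:/ && /denied/ {
      # The permission set is the text between "{" and "}".
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      comm = stype = ttype = cls = "?"
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "comm") { gsub(/"/, "", v); comm = v }
        else if (k == "scontext") { split(v, p, ":"); stype = p[3] }  # user:role:type:level
        else if (k == "tcontext") { split(v, p, ":"); ttype = p[3] }
        else if (k == "tclass") cls = v
      }
      key = comm " " stype " " ttype " " cls " " perms
      if (!(key in count)) order[++n_keys] = key
      count[key]++
    }
    END { for (j = 1; j <= n_keys; j++) print count[order[j]], order[j] }
  '
}

# Demo on the constructed records. On a real host with auditd running, feed it
# from the audit log instead: ausearch -m avc -ts recent | avc_summary
sample_log | avc_summary
```

Each summary line identifies one distinct denial, which makes it easier to decide whether a change suggested by audit2why is the access you actually intend to grant.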

Now we can have peace of mind and peace of configuration too!