What are the key concepts for troubleshooting SELinux problems?
Almost every SELinux problem is a labelling problem: a process is denied because a file/port has the wrong context (no rule connects them) or a needed boolean is off — so the fix is usually ls -Z + restorecon/setsebool, not disabling SELinux.
The model to hold in your head: policy rules are written as process-type + resource-label → allowed action, and no matching rule means denied, with every denial logged. So when something breaks under enforcing, you don't reach for the off switch — you ask "is the label right?" (check ls -Z, fix with restorecon) and "is there a boolean for this?" (getsebool). Wrong context on new, copied, or moved files is the single most common cause, because copying/moving can carry over a context that doesn't match the destination's rule. And remember SELinux is additional to DAC — standard rwx permissions must still allow the action too.
- SELinux uses targeted policies that explicitly define allowed actions
- A policy entry defines a labeled process and labeled resource interaction
- Labels specify process type and file/port context
- Policy defines process type + resource label + allowed action
- Actions can be syscalls, kernel functions, or programming routines
- No entry = denied - action blocked if not explicitly allowed
- Denied actions are logged with context information
Most common SELinux problem:
- Wrong context on new, copied, or moved files
Troubleshooting approach:
- Check if file has correct context (
ls -Z) - Check if boolean needs to be enabled (
getsebool) - Review audit logs for denials
Remember: SELinux policies do not replace standard file permissions or ACLs - both must allow access!