LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What are the key concepts for troubleshooting SELinux problems?

Almost every SELinux problem is a labelling problem: a process is denied because a file/port has the wrong context (no rule connects them) or a needed boolean is off — so the fix is usually ls -Z + restorecon/setsebool, not disabling SELinux.

The model to hold in your head: policy rules are written as process-type + resource-label → allowed action, and no matching rule means denied, with every denial logged. So when something breaks under enforcing, you don't reach for the off switch — you ask "is the label right?" (check ls -Z, fix with restorecon) and "is there a boolean for this?" (getsebool). Wrong context on new, copied, or moved files is the single most common cause, because copying/moving can carry over a context that doesn't match the destination's rule. And remember SELinux is additional to DAC — standard rwx permissions must still allow the action too.

  1. SELinux uses targeted policies that explicitly define allowed actions
  2. A policy entry defines a labeled process and labeled resource interaction
  3. Labels specify process type and file/port context
  4. Policy defines process type + resource label + allowed action
  5. Actions can be syscalls, kernel functions, or programming routines
  6. No entry = denied - action blocked if not explicitly allowed
  7. Denied actions are logged with context information

Most common SELinux problem:

  • Wrong context on new, copied, or moved files

Troubleshooting approach:

  1. Check if file has correct context (ls -Z)
  2. Check if boolean needs to be enabled (getsebool)
  3. Review audit logs for denials

Remember: SELinux policies do not replace standard file permissions or ACLs - both must allow access!

From Quiz: LIOS / SELinux Security | Updated: Jun 20, 2026