How To Troubleshoot SELinux with Audit Logs


Audit Logs with SELinux Messages

I’m post-configuring a new RHEL 8 setup on my old PC and want to share some useful SELinux troubleshooting techniques.

How To Check Audit Logs for SELinux

I had a problem with SSH not accepting keys for login. Specifically, I wanted the keys to be in a non-standard /var/ssh/greys/authorized_keys location (instead of my homedir), but the SSH daemon would just ignore this file.

I double-checked permissions, restarted sshd and eventually realised that the issue must have been due to SELinux. So I went to inspect the audit logs.

Red Hat Enterprise Linux writes audit logs to the /var/log/audit directory (the current file is /var/log/audit/audit.log). If you’re looking for SELinux issues, just grep for denied: every AVC denial record contains that word, so this shows you everything SELinux has recently blocked (denials covered by dontaudit rules are not logged, so an empty result does not completely rule SELinux out):

root@rhel8:~ # grep denied /var/log/audit/*
type=AVC msg=audit(1567799177.932:3031): avc:  denied  { read } for  pid=24527 comm="sshd" name="authorized_keys" dev="dm-11" ino=26047253 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567799177.943:3033): avc:  denied  { read } for  pid=24527 comm="sshd" name="authorized_keys" dev="dm-11" ino=26047253 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567799177.956:3035): avc:  denied  { read } for  pid=24527 comm="sshd" name="authorized_keys" dev="dm-11" ino=26047253 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

The scontext and tcontext fields point to the likely problem: the SSH daemon is running in the sshd_t domain (scontext), but the file under /var/ssh/ inherited the generic var_t type of its parent directory (tcontext), and sshd_t is not allowed to read var_t files.

Just to be sure, I checked the context on the default /home/greys/.ssh/authorized_keys file:

root@rhel8:~ # ls -alZ /home/greys/.ssh/authorized_keys
-rw-------. 1 greys greys unconfined_u:object_r:ssh_home_t:s0 95 Sep  6 20:28 /home/greys/.ssh/authorized_keys

That’s the answer! We need to give the /var/ssh/greys/authorized_keys file the ssh_home_t context as well.

Updating SELinux context for a file

First, let’s change the SELinux context:

root@rhel8:~ # semanage fcontext -a -t ssh_home_t /var/ssh/greys/authorized_keys

… and now we relabel the actual file. semanage only records the rule in the local policy (so the label survives a future relabel, unlike a one-off chcon); restorecon is what applies it to the file:

root@rhel8:~ # restorecon -Rv /var/ssh/greys/authorized_keys
Relabeled /var/ssh/greys/authorized_keys from system_u:object_r:var_t:s0 to system_u:object_r:ssh_home_t:s0

That’s it – after that my logins using SSH keys started working just fine. Hope you find this example useful!
