Troubleshooting SELinux: Reading and Fixing AVC Denials

When SELinux blocks an action, it tells you exactly what was denied in an AVC record. The fastest path to a safe fix is reading that evidence first, then applying the smallest change that solves the real policy mismatch.

This post gives you a practical AVC troubleshooting workflow you can apply in production.

What an AVC denial contains

An AVC record captures the denied permission, the source process context, the target object context, and the object class. Those fields tell you whether the issue is labeling, policy intent, or an unexpected behavior change.

Typical AVC fields you should parse:

  • avc: denied { read } (or { name_bind }, { write open }, ...) is the exact permission set that was denied on the object class
  • scontext is the source process context that requested access
  • tcontext is the target object context that access was attempted against
  • tclass describes the object class such as file, dir, tcp_socket, or process
  • comm, pid and name/path (src or dest for sockets) identify the process and the object involved
  • permissive=1 means the action was only logged, because the domain or the whole system was permissive at the time

Contexts have the form user:role:type:level. Under the default targeted policy the type (httpd_t, default_t, http_port_t) is the part that decides access, so compare types first.

Where to collect AVC evidence

On most RHEL-family systems the audit log, read with ausearch, is the primary source. Pull recent denials first, then narrow by process name (-c matches the comm field) or by time window; -i replaces numeric fields such as uids and timestamps with readable values.

sudo ausearch -m avc -ts recent
sudo ausearch -m avc -c httpd -ts today
sudo ausearch -m avc -ts recent -i

When setroubleshoot-server is installed, setroubleshootd writes a plain-language summary of each denial to the journal, and the affected service's own journal shows the failure that the denial caused.

sudo journalctl -t setroubleshoot --since "1 hour ago"
sudo journalctl -u httpd --since "1 hour ago"

sealert can help with guided interpretation when setroubleshoot-server is installed.

sudo sealert -a /var/log/audit/audit.log

Use audit2why to classify denials

audit2why explains denial patterns and can hint at whether a boolean, relabel, or policy extension is needed.

sudo ausearch -m avc -ts recent | audit2why

Treat this as an analysis aid, not an automatic fixer.

A repeatable AVC troubleshooting workflow

Use the same sequence for each incident to avoid guesswork:

  1. Reproduce the failure with timestamps captured
  2. Pull AVC records for the exact failure window
  3. Compare scontext and tcontext to expected labels
  4. Classify root cause as label mismatch, boolean requirement, or policy gap
  5. Apply the smallest durable fix and retest in enforcing mode
  6. Confirm no new AVCs are generated for the target action

For borderline cases, one troubleshooting cycle in permissive mode can isolate whether SELinux is the blocker: the action proceeds, but every would-be denial is still logged with permissive=1, so evidence collection continues. Return to enforcing immediately after the reproduction. If a single domain is under suspicion, semanage permissive -a httpd_t (removed again with -d) is narrower than switching the whole host. If an action fails with no AVC at all, a dontaudit rule may be suppressing the record; semodule -DB rebuilds the loaded policy with dontaudit rules disabled and semodule -B restores them when you are done.

sudo setenforce 0
# reproduce once for diagnostics
sudo setenforce 1
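
The parsing of the AVC fields described earlier and the classification step of the workflow (step 4, leading into the fixes below) can be automated for a first pass. The following is an added example written for this post, not code from the post or from any SELinux tool: it parses a few constructed raw records in the shape `ausearch -m avc` prints and sorts each one into a cause bucket with the smallest fix worth trying. The lookup tables (which types mean "never labeled", which port type httpd_t is expected to bind, which booleans gate its outbound connects) are my assumptions and cover only the httpd case; extend them for your own domains.

```python
"""Parse raw AVC records and sort each denial into the root-cause buckets from the
workflow above: label mismatch, port label, boolean, or policy gap."""
import re
from dataclasses import dataclass

# Constructed sample records in the raw format `ausearch -m avc` prints; not from a real host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=5551 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1201 comm="httpd" name="app.log" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed lookup tables (my choices, not from the post): types that mean "never labeled",
# the port type each domain is expected to bind, and the booleans gating outbound connects.
GENERIC_FILE_TYPES = {"default_t", "unlabeled_t", "file_t"}
DOMAIN_PORT_TYPE = {"httpd_t": "http_port_t"}
CONNECT_BOOLEANS = {
    "httpd_t": {"mysqld_port_t": "httpd_can_network_connect_db",
                "postgresql_port_t": "httpd_can_network_connect_db",
                "*": "httpd_can_network_connect"},
}


@dataclass
class AvcRecord:
    perms: tuple  # the denied permission set, e.g. ("read",)
    fields: dict  # key=value pairs after "for": pid, comm, name, src, scontext, tcontext, tclass, ...

    @property
    def source_type(self):  # contexts are user:role:type[:level]; targeted policy decides on the type
        return self.fields["scontext"].split(":", 3)[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":", 3)[2]

    @property
    def enforced(self):  # permissive=1: the action was logged but allowed to proceed
        return self.fields.get("permissive", "0") == "0"


def parse_avc(line):
    """Return an AvcRecord for one raw AVC line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: (bare if bare else quoted) for key, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    return AvcRecord(tuple(m.group("perms").split()), fields)


@dataclass
class Finding:
    cause: str  # label_mismatch | port_label | boolean | policy_gap
    enforced: bool
    summary: str
    suggestion: str


def classify(rec):
    """Map one denial to a cause bucket and the smallest fix worth trying first."""
    src, tgt, tclass = rec.source_type, rec.target_type, rec.fields.get("tclass", "")
    perms = set(rec.perms)
    summary = f"{rec.fields.get('comm', '?')} ({src}) -> {tgt}:{tclass} {{ {' '.join(rec.perms)} }}"
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        proto = "tcp" if tclass == "tcp_socket" else "udp"
        port, want = rec.fields.get("src", "<port>"), DOMAIN_PORT_TYPE.get(src)
        fix = (f"semanage port -a -t {want} -p {proto} {port}   # -m instead of -a if the port is already defined"
               if want else f"semanage port -l | grep -w {port}   # then pick the port type {src} may bind")
        return Finding("port_label", rec.enforced, summary, fix)
    if tclass in ("tcp_socket", "udp_socket") and "name_connect" in perms and src in CONNECT_BOOLEANS:
        table = CONNECT_BOOLEANS[src]
        return Finding("boolean", rec.enforced, summary, f"setsebool -P {table.get(tgt, table['*'])} on")
    if tclass in ("file", "dir", "lnk_file", "sock_file", "fifo_file") and tgt in GENERIC_FILE_TYPES:
        name = rec.fields.get("path") or rec.fields.get("name", "<object>")
        fix = f"restorecon -Rv <directory holding {name}>   # still {tgt}? add a semanage fcontext mapping first"
        return Finding("label_mismatch", rec.enforced, summary, fix)
    return Finding("policy_gap", rec.enforced, summary,
                   "no label or boolean fix is evident; run the record through audit2why before considering a local module")


def analyze(audit_text):
    """Classify every AVC record in a block of raw ausearch output (non-AVC lines are skipped)."""
    return [classify(rec) for rec in map(parse_avc, audit_text.splitlines()) if rec]


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        mode = "DENIED" if f.enforced else "permissive"
        print(f"[{f.cause:<14}] {mode:<10} {f.summary}\n    -> {f.suggestion}")
```

Feed it `ausearch -m avc -ts recent` output on stdin in place of the constructed sample and it gives you the triage list for step 4. The fourth sample record (a write to var_log_t) deliberately lands in policy_gap: the classifier only recognises generic types, and deciding that an application log directory should carry httpd_log_t rather than granting httpd_t access to all of var_log_t is the human judgement the workflow asks for.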

Common root causes and targeted fixes

Most AVC issues come from a small set of repeat offenders.

Wrong file type after copy or deployment

Files moved (mv) into a service directory keep the label of the place they were created, such as user_home_t or tmp_t, and archives restored without SELinux attributes land with the directory default or default_t. Either way the type does not match what the policy expects, and restorecon resets it from the file context database.

sudo restorecon -Rv /var/www/html
sudo restorecon -Rv /srv/myapp

Missing persistent path mapping

Custom directories need a persistent semanage fcontext mapping: restorecon only applies types recorded in the file context database, and a one-off chcon change is lost at the next relabel.

sudo semanage fcontext -a -t httpd_sys_content_t '/srv/myapp(/.*)?'
sudo restorecon -Rv /srv/myapp

Port type mismatch

Services on non-default ports need a port label. semanage port -a fails with "already defined" when the port is already assigned in the base policy; in that case -m changes its type instead.

sudo semanage port -l | grep http_port_t
sudo semanage port -a -t http_port_t -p tcp 8443

Boolean needed for expected behavior

If policy supports the behavior behind a toggle, set that specific boolean, and prefer the narrowest one that covers the need (for example httpd_can_network_connect_db for database connections rather than httpd_can_network_connect for all outbound connects). The -P flag makes the change persistent across reboots.

getsebool -a | grep httpd
sudo setsebool -P httpd_can_network_connect on

Anti-patterns that create long-term risk

These shortcuts make systems harder to secure and debug over time.

  • Leaving hosts in permissive mode after troubleshooting
  • Disabling SELinux globally to clear one application issue
  • Installing unreviewed audit2allow output directly into production
  • Using broad local rules before confirming labels and booleans
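
"Unreviewed" is the operative word in the third anti-pattern: audit2allow translates denials into allow rules mechanically, so the review has to catch rules that grant far more than the one denied access. The following is an added example written for this post, not code from the post or from the audit2allow tool: it scans constructed module text in the shape audit2allow -M emits and flags rules whose target is an attribute or unconfined domain, whose target type signals an unlabeled object that should be relabeled instead, or whose permissions weaken other controls. The review lists are my choices and are not a complete catalogue.

```python
"""Flag allow rules in audit2allow output that should not go into production unreviewed."""
import re

# Constructed module text in the shape audit2allow -M emits; a made-up example, not from a real host.
SAMPLE_TE = """\
module myapp_local 1.0;

require {
    type httpd_t;
    type default_t;
    type httpd_log_t;
    attribute file_type;
    class file { read write open append create };
    class capability { dac_override sys_admin };
    class process execmem;
}

#============= httpd_t ==============
allow httpd_t default_t:file { read open };
allow httpd_t file_type:file { read write open };
allow httpd_t self:capability { dac_override sys_admin };
allow httpd_t self:process execmem;
allow httpd_t httpd_log_t:file { append create open };
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+(?:\{(?P<many>[^}]*)\}|(?P<one>[^;\s]+))\s*;"
)

# Assumed review lists (my choices, not a complete catalogue): attributes and domains that make a
# rule apply to far more than the one object that was denied, types that signal an unlabeled object,
# and permissions that weaken other controls enough to need an explicit justification.
BROAD_TARGETS = {"file_type", "domain", "exec_type", "port_type", "device_node", "unconfined_t"}
UNLABELED_TARGETS = {"default_t", "unlabeled_t", "file_t"}
RISKY_PERMS = {"dac_override", "dac_read_search", "sys_admin", "sys_ptrace", "sys_module",
               "execmem", "execmod", "execstack", "execheap", "setuid"}


def review_module(te_text):
    """Return [(rule, [reasons])] for each allow rule that needs a human decision; clean rules are omitted."""
    findings = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # module header, require block, comments, blank lines
        tgt = m.group("tgt")
        perms = set((m.group("many") or m.group("one") or "").split())
        reasons = []
        if tgt in BROAD_TARGETS:
            reasons.append(f"target {tgt} is an attribute or unconfined domain covering many types; scope the rule to one type")
        if tgt in UNLABELED_TARGETS:
            reasons.append(f"target {tgt} means the object was never labeled; relabel it instead of allowing access")
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            reasons.append("grants " + ", ".join(risky) + "; justify each or drop it")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in review_module(SAMPLE_TE):
        print(rule)
        for r in reasons:
            print("    -", r)
```

Run it over the .te file audit2allow -M produced before semodule -i. The last sample rule (httpd_t appending to httpd_log_t) passes without comment, which is the shape a minimal local rule should have: one source domain, one specific target type, the permissions the denial actually named.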

Series navigation

Now that you can read AVC evidence and choose targeted fixes, the next step is writing and maintaining local policy modules when built-in policy controls are not enough.

Next in this series

Next, we cover semanage fcontext, semanage port, audit2allow -M, and minimal custom module authoring so you can solve complex cases safely.