Silent SELinux denies on CentOS


You do something, and it won’t work. In this example it’s Tomcat trying to delete a file. You already wrote an SELinux module to allow reads, but now you need to delete as well. So then you resort to the audit logs again. But there’s nothing in there. Then you put the tomcat_t domain under permissive mode with:

semanage permissive -a tomcat_t

Even verify it with:

semanage permissive -l

It’s there. And then deletes start to work. But you get no friggin’ denies in the audit log. WTF. Then you realize that silent denies are a thing. So you disable dontaudit rules, too:

semodule -DB

Nope, nothing, nada. So then you remove the explicit tomcat_t rule:

semanage permissive -d tomcat_t

Set SELinux altogether to permissive via /etc/selinux/config, and reboot. Tomcat can still delete. But this time you actually get the errors when checking with aureport -a (thanks, kslawko!):

175. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 dir remove_name system_u:object_r:cifs_t:s0 denied 191
176. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 file unlink system_u:object_r:cifs_t:s0 denied 191

Wonderful. SELinux is bugged. When you get no denies, just switch the whole system to permissive. Noted.
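Once the denies finally show up in aureport -a, the two lines above contain everything needed for the missing allow rules in the existing tomcat module. The following is an added example, not part of the original post: a small POSIX shell/awk parser that takes aureport -a lines on stdin and prints one allow rule per denied event (the same shape audit2allow produces from raw AVC records). It assumes the column layout shown above and that the command name (java here) contains no spaces.

```shell
#!/bin/sh
# Added example, not from the original post. Turns "aureport -a" lines into
# SELinux allow rules. Assumed aureport column layout (from the post's output):
#   <n>. <date> <time> <comm> <scontext> <pid> <class> <perm> <tcontext> <result> <event>

# Constructed sample input: the two denied events quoted in the post.
AUREPORT_SAMPLE='175. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 dir remove_name system_u:object_r:cifs_t:s0 denied 191
176. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 file unlink system_u:object_r:cifs_t:s0 denied 191'

# aureport_to_allow: read aureport -a lines on stdin, print one deduplicated
# "allow <source type> <target type>:<class> <perm>;" rule per denied line.
# The type is the third colon-separated field of a context (user:role:type:level),
# so MLS ranges such as s0-s0:c0.c1023 at the end do not affect the result.
aureport_to_allow() {
    awk '$10 == "denied" {
        split($5, s, ":"); split($9, t, ":");
        rule = "allow " s[3] " " t[3] ":" $7 " " $8 ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# sample_rules: run the constructed sample through the parser so the output
# can be checked by name; with real data pipe "aureport -a" into aureport_to_allow.
sample_rules() {
    printf '%s\n' "$AUREPORT_SAMPLE" | aureport_to_allow
}

sample_rules
```

The two printed rules can be appended to the .te file of the module mentioned at the top of the post and rebuilt; audit2allow -M on the audit log gives the same rules when the AVC records actually reach it.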