Troubleshooting SELinux Issues on CentOS and Red Hat
By default, SeLinux sets itself to enforcing which effectively blocks all the requests, but it can be altered to permissive which is kind of lenient towards user as it allows access, but logs any violated rules in its log file. nano /etc/selinux/config ‘set SELINUX to permissive or enforcing, SELINUXTYPE to default’ SELinux on CoreOS Container Linux. SELinux is a fine-grained access control mechanism integrated into Container Linux and rkt. Each container runs in its own independent SELinux context, increasing isolation between containers and providing another layer of protection should a container be compromised. I've compared the permissions and contexts to those of another system that allows ssh login without a password and they're the same. In the audit message there's no indication of what file selinux is concerned about, just "res=fail". In the system that works the log entry has this in it: subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 So, I'm Run the sealert tool, where /var/log/audit/audit.log is the location of your SELinux audit log: sealert -a /var/log/audit/audit.log The tool runs and generates a summary of error alerts and solutions.
CentOS 7 : SELinux : Search Logs : Server World
Security-Enhanced Linux in Android | Android Open Source May 05, 2020
Apr 29, 2019
SELinux Configuration and Rules | Celadon Security-Enhanced Linux is enabled in Android to enforce the Mandatory Access Control for security.SELinux supports two working modes: permissive and enforcing: In permissive mode, it only audits the operations of all domains and prints the AVC (Access Vector Cache) errors that violate the sepolicy rules, but it never blocks any operations.; In enforcing mode, it prints out the AVC errors and Dan Walsh's Blog — LiveJournal An issue was recently raised on libpod, the github repo for Podman. "container_t isn't allowed to access container_var_lib_t" Container policy is defined in the container-selinux package. By default containers run with the SELinux type "container_t" whether this is a container launched by just about any container engine like: podman, cri-o, docker, buildah, moby. linux - Why do we need SELinux? - Server Fault