Grading Checklist

  • Confirms SELinux is in enforcing mode with getenforce or sestatus.
  • Checks the audit log for AVC denials: ausearch -m AVC -ts recent or grep AVC /var/log/audit/audit.log.
  • Identifies the specific SELinux denial: the binary has the wrong file context (e.g., default_t instead of bin_t).
  • Uses ls -lZ to inspect the SELinux context on the binary and directories.
  • Explains SELinux file contexts: type enforcement means the process domain must be allowed to execute files with the binary's type.
  • Uses audit2why to translate AVC denials into human-readable explanations.
  • Fixes the file context using semanage fcontext and restorecon.
  • Does NOT recommend disabling SELinux (setenforce 0) as the permanent fix.
  • Mentions audit2allow for generating custom policy modules if needed, with appropriate warnings.
  • Checks if the service needs to bind to a non-standard port and uses semanage port if so.
  • Recommends testing in permissive mode first with semanage permissive -a <domain> to collect all denials before fixing.
  • Notes that files copied or created in non-standard paths inherit the parent directory's context, not the default policy context.
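The diagnosis-and-fix path above, as an added example that is not part of the checklist: a POSIX shell helper that parses a constructed AVC denial line (the `default_t` instead of `bin_t` case), extracts the source/target types and the denied permission, and emits the `semanage fcontext` / `restorecon` commands rather than `setenforce 0`. The log line and the `/opt/myapp/bin` path are constructed placeholders.

```shell
#!/bin/sh
# Constructed AVC denial lines (not from a real audit.log).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute } for  pid=1234 comm="systemd" name="myapp" dev="sda1" ino=12345 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'
PORT_AVC='type=AVC msg=audit(1700000000.456:789): avc:  denied  { name_bind } for  pid=1234 comm="myapp" src=8443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Extract one key=value field (e.g. tcontext, tclass) from an AVC line.
avc_field() {
    # $1 = AVC line, $2 = field name; the leading [[:space:]] keeps scontext= from matching tcontext=
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Return the SELinux type (third colon-separated component) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return the denied permission(s) from "{ execute }", whitespace trimmed.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# Apply the checklist's rule: a domain denied execute on a file labelled default_t
# means the binary carries the wrong file context. Print the persistent fix
# (label the directory, then relabel on disk). Return 1 for any other denial,
# e.g. the tcp_socket name_bind case, which needs semanage port instead.
suggest_fix() {
    line=$1; path=$2
    perm=$(avc_perm "$line"); tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    [ "$tclass" = file ] && [ "$perm" = execute ] && [ "$ttype" = default_t ] || return 1
    dir=$(dirname "$path")
    printf 'semanage fcontext -a -t bin_t "%s(/.*)?"\nrestorecon -Rv %s\n' "$dir" "$dir"
}

# Stand-alone demo: the file-context case prints the fix, the port case does not.
suggest_fix "$SAMPLE_AVC" /opt/myapp/bin/myapp
suggest_fix "$PORT_AVC" /opt/myapp/bin/myapp || echo "not a file-context denial; check semanage port"
```

On a live system the input would come from `ausearch -m AVC -ts recent` and the path from `ls -lZ`; the same parsing applies to each line it returns.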