Poprawiając polityki bezpieczeństwa natknąłem się na ciekawe narzędzie o nazwie setroubleshoot. Efekt pracy programu na przykładzie jednego komunikatu:
Summary: SELinux is preventing httpd (httpd_t) "name_bind" to "Unknown" (httpd_t). Detailed Description: SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:httpd_t Target Context system_u:object_r:httpd_t Target Objects None [ tcp_socket ] Source httpd Source Path /usr/sbin/httpd Port 80 Host "Unknown" Source RPM Packages httpd-2.2.3-43.el5.centos.3 Target RPM Packages Policy RPM selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type strict MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name centos.server.localnet Platform Linux centos.server.localnet 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:09:10 EDT 2010 i686 i686 Alert Count 6 First Seen Fri Oct 1 21:31:40 2010 Last Seen Fri Oct 1 21:37:40 2010 Local ID b5f4e8ef-6325-4ccb-ae7f-c898462b77df Line Numbers 17, 18, 19, 20, 23, 24, 25, 26, 37, 38, 39, 40 Raw Audit Messages type=AVC msg=audit(1285961860.699:19487): avc: denied { name_bind } for pid=8616 comm="httpd" src=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1285961860.699:19487): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa2ec80 a2=186988 a3=8917858 items=0 ppid=8615 pid=8616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3181 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)