SELinux troubleshooting

Use the ausearch utility to find any recent Access Vector Cache (AVC) messages and confirm that SELinux denied the action:

ausearch -m AVC,USER_AVC -ts recent

(-ts recent returns AVC messages from the last 10 minutes; try -ts today if you need a longer window.)

If you have setroubleshoot installed and running, then you can check its logs for more details about the violations:

journalctl -t setroubleshoot --since=-10m

These log entries also include the sealert command invocations you can run to see even more detail about specific denials.
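When ausearch returns many records, grouping the denials by process, source type, target type, class and permission makes the pattern easier to read. The script below is an added example, not part of the original page; the function names summarize_avc and sample_avc and the audit records are constructed for illustration, and it assumes comm values contain no spaces.

```shell
#!/bin/sh
# Added example: group SELinux denials from ausearch output.
# Output: count comm source_type -> target_type class { permissions }

summarize_avc() {
    awk '
    # Third colon-separated field of a context (user:role:type:level) is the type.
    function ctx_type(c,   p) { split(c, p, ":"); return p[3] }

    /avc:[ ]+denied/ {
        comm = "-"; src = tgt = cls = perms = ""
        # Permissions sit between the braces, e.g. "{ read open }".
        lb = index($0, "{"); rb = index($0, "}")
        if (lb && rb > lb) perms = substr($0, lb + 2, rb - lb - 3)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") src = ctx_type(kv[2])
            else if (kv[1] == "tcontext") tgt = ctx_type(kv[2])
            else if (kv[1] == "tclass") cls = kv[2]
        }
        count[comm " " src " -> " tgt " " cls " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample records in the layout ausearch prints (not real logs).
sample_avc() {
    cat <<'EOF'
----
time->Tue Jan  2 10:00:01 2024
type=AVC msg=audit(1704189601.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Tue Jan  2 10:00:05 2024
type=AVC msg=audit(1704189605.202:411): avc:  denied  { read } for  pid=2102 comm="httpd" name="style.css" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Tue Jan  2 10:01:00 2024
type=AVC msg=audit(1704189660.303:412): avc:  denied  { search } for  pid=977 comm="sshd" name="keys" dev="dm-0" ino=2201 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
EOF
}

# Stand-alone run on the sample; on a real host use:
#   ausearch -m AVC,USER_AVC -ts recent | summarize_avc
sample_avc | summarize_avc
```

A target type such as user_home_t or default_t on content that a confined service is meant to read often points to the labeling problem covered in the next section.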

Fixing incorrect SELinux labels

A common SELinux issue is files having incorrect labels, which frequently happens after moving/copying things from another system or location. Default labels can be corrected using restorecon. In its most basic form:

restorecon -v [file]
# Or recursively (-T 0 to run a thread per CPU core):
restorecon -Rv -T 0 [directory]

Alternatively, the sudo fixfiles onboot command ensures the file system is relabeled on the next boot.

restorecon requires a running SELinux-enabled kernel, which may not be the case when you have chrooted into the system from the outside. In that situation, fixfiles onboot can be run from within the chroot to schedule the relabeling instead.

Disable SELinux enforcement

If SELinux has rendered a system completely unusable then booting with the selinux=0 kernel cmdline option will disable SELinux entirely.

This can also be a good diagnostic for determining whether SELinux is really the culprit when you encounter issues.