SELinux entries in /var/log/messages

I had been noticing setroubleshootd frequently using a high percentage of the CPU's time on a CentOS Linux system when I ran top, e.g.:

top - 21:26:35 up 227 days,  6:13, 27 users,  load average: 0.83, 0.90, 1.50
Tasks: 329 total,   3 running, 326 sleeping,   0 stopped,   0 zombie
%Cpu(s): 83.3 us, 16.5 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.2 si,  0.0 st
KiB Mem :  1875896 total,   177868 free,   495072 used,  1202956 buff/cache
KiB Swap:  2113532 total,   958752 free,  1154780 used.   951776 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
22725 apache    20   0   42332  10400   2172 R  95.0  0.6   0:03.93 blosxom
22727 root      20   0  263660  41572  10032 R  95.0  2.2   0:03.96 setroubles+
22720 root      20   0  146260   2164   1360 R   2.5  0.1   0:00.62 top
   13 root      20   0       0      0      0 S   0.9  0.0 641:26.32 rcu_sched
   15 root      20   0       0      0      0 S   0.6  0.0 216:15.71 rcuos/1
24450 root      20   0  396436   7712   5180 S   0.6  0.4   9:58.86 httpd
  418 root      20   0       0      0      0 S   0.3  0.0 107:26.61 xfsaild/dm+
  639 root      20   0       0      0      0 S   0.3  0.0 104:29.30 xfsaild/dm+
  657 root      16  -4  116708    496    316 S   0.3  0.0  45:09.63 auditd
  674 root      12  -8   80220    440    256 S   0.3  0.0  31:45.76 audispd
 1278 jim       20   0  142884   1100    820 S   0.3  0.1   0:28.74 sshd
    1 root      20   0  196044   9296   2808 S   0.0  0.5 147:49.67 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   1:18.37 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   3:11.27 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:+
    7 root      rt   0       0      0      0 S   0.0  0.0   7:26.68 migration/0
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh

The process shows up as setroubles+, i.e., setroubles with a plus sign at the end, because the full process name, setroubleshootd, can't be displayed in the 80 columns I have allotted for the terminal window.

I've also noticed hundreds of thousands of entries it has created in /var/log/messages related to SELinux issues. I had switched SELinux from "enforcing" mode to "permissive" mode on the system, due to web server application issues, so SELinux wasn't stopping applications from running, but the issues were still being logged. I finally decided that I at least needed to reduce the number of log entries being created substantially, which will, hopefully, improve the responsiveness of the server. I had recently fixed the SELinux issue for one application, CometChat, but I decided I needed to fix at least some of the issues for other sites on the system as well, related to the SELinux context for files under the public_html directory beneath users' home directories.

The semanage command is an SELinux policy management tool that, with the fcontext option, can be used to alter the file-context rules that determine the security context of files and directories. You can get help information for the fcontext argument to semanage by issuing the command semanage fcontext --help:

# semanage fcontext --help
usage: semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r
 RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f FTYPE | -e EQU
AL ) FILE_SPEC ) | --deleteall  | --extract  | --list -C | --modify ( -t TYPE -f

positional arguments:
  file_spec             file_spec

optional arguments:
  -h, --help            show this help message and exit
  -C, --locallist       List fcontext local customizations
  -n, --noheading       Do not print heading when listing fcontext object
  -N, --noreload        Do not reload policy after commit
  -S STORE, --store STORE
                        Select an alternate SELinux Policy Store to manage
  -a, --add             Add a record of the fcontext object type
  -d, --delete          Delete a record of the fcontext object type
  -m, --modify          Modify a record of the fcontext object type
  -l, --list            List records of the fcontext object type
  -E, --extract         Extract customizable commands, for use within a
  -D, --deleteall       Remove all fcontext objects local customizations
  -e EQUAL, --equal EQUAL
                        Substitute target path with sourcepath when generating
                        default label. This is used with fcontext. Requires
                        source and target path arguments. The context labeling
                        for the target subtree is made equivalent to that
                        defined for the source.
  -f {a,f,d,c,b,s,l,p}, --ftype {a,f,d,c,b,s,l,p}
                        File Type. This is used with fcontext. Requires a file
                        type as shown in the mode field by ls, e.g. use -d to
                        match only directories or -- to match only regular
                        files. The following file type options can be passed:
                        -- (regular file),-d (directory),-c (character
                        device), -b (block device),-s (socket),-l (symbolic
                        link),-p (named pipe) If you do not specify a file
                        type, the file type will default to "all files".
  -s SEUSER, --seuser SEUSER
                        SELinux user name
  -t TYPE, --type TYPE  SELinux Type for the object
  -r RANGE, --range RANGE
                        MLS/MCS Security Range (MLS/MCS Systems only) SELinux
                        Range for SELinux login mapping defaults to the
                        SELinux user record range.

I entered two commands for each site similar to the ones below:

# semanage fcontext -a -t httpd_user_content_t "/home/jdoe/public_html/sitename(/.*)?"
# restorecon -R /home/jdoe/public_html/sitename

The -a option adds an fcontext record and the -t option specifies the SELinux type for it. The file specification is a regular expression: the trailing (/.*)? makes it match the site directory itself plus every file and directory beneath it, for whatever site name that particular user had. I used the type httpd_user_content_t because the files and directories are user content that the Apache web server running on the system must be able to read in order to serve them to website visitors. The two commands do different jobs: semanage fcontext only records the rule in the local policy store, which is what makes the labeling persistent, so that a later restorecon or a full file system relabel reproduces it, while restorecon -R walks the existing files and sets their labels to what the policy now says they should be. Running only the first command changes nothing on disk; running only the second applies whatever the current policy says, which for a path with no rule of its own is not httpd_user_content_t. You can check the result with ls -dZ on the directory, or compare the label the policy prescribes (matchpathcon) against the one actually on disk.
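The following is an added example, not code from the original post, that wraps the two-command procedure above so it can be run for every site without tripping over an existing rule and so the result can be checked. It assumes CentOS 7 with policycoreutils-python (semanage) and libselinux-utils (matchpathcon) installed; the user name jdoe, the site name sitename and the DRY_RUN variable are placeholders of this example.

```bash
#!/bin/bash
# Added example (not from the original post): label one site under a user's
# public_html so Apache can read it, idempotently, and verify the result.
# Assumes CentOS 7 with semanage (policycoreutils-python) and matchpathcon
# (libselinux-utils). User and site names below are placeholders.

# Build the fcontext spec for a site. The trailing (/.*)? makes the regex
# match the directory itself plus everything beneath it.
site_fcontext_spec() {
    # $1 = user, $2 = site directory name (assumed to contain no regex metacharacters)
    printf '/home/%s/public_html/%s(/.*)?' "$1" "$2"
}

# Run a command, or only print it when DRY_RUN=1 so the policy change can be
# reviewed before anything is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

label_site() {
    local user=$1 site=$2 type=${3:-httpd_user_content_t}
    local spec
    spec=$(site_fcontext_spec "$user" "$site")

    # "semanage fcontext -a" refuses a spec that is already defined, so on a
    # re-run modify the existing local record instead of adding a new one.
    if [ "${DRY_RUN:-0}" != 1 ] && semanage fcontext -l -C | grep -qF "$spec"; then
        run semanage fcontext -m -t "$type" "$spec"
    else
        run semanage fcontext -a -t "$type" "$spec"
    fi
    # The rule is now stored in policy; apply it to the files that exist today.
    # -v lists every file whose label actually changed.
    run restorecon -Rv "/home/$user/public_html/$site"
}

# Verify: the label the policy prescribes for the path vs. the label on disk.
check_site() {
    local dir="/home/$1/public_html/$2"
    matchpathcon "$dir"
    ls -dZ "$dir"
}

# Usage:
#   DRY_RUN=1 label_site jdoe sitename          # review the commands first
#   label_site jdoe sitename && check_site jdoe sitename
```

Labeling alone is not always enough for content under home directories: in the CentOS 7 targeted policy Apache's access to them is also gated by the httpd_enable_homedirs boolean (check it with getsebool httpd_enable_homedirs and turn it on persistently with setsebool -P httpd_enable_homedirs on), so a denial can remain after the labels are correct.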

After making the above changes, I'm still occasionally seeing the CPU percentage listed for setroubleshootd above 90% when I run top, and the number of entries I see in /var/log/messages is still increasing, though I believe the rate of increase has slowed substantially. E.g., I currently see the following counts for entries in /var/log/messages for two sites:

# grep --count site1 /var/log/messages
# grep --count site2 /var/log/messages
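As an added example that is not part of the original post, the following shell functions do what the grep counts above are trying to do, but restricted to setroubleshoot's own "SELinux is preventing" lines and grouped by process, access, object class and target path, so the noisiest remaining source stands out. The sample log lines are constructed in the shape of CentOS 7 setroubleshoot entries; the host name, paths and the "ID" placeholder after sealert -l are made up.

```bash
#!/bin/bash
# Added example, not from the original post: summarise setroubleshoot entries in
# /var/log/messages instead of counting every line that mentions a site name.

# Constructed sample in the shape of CentOS 7 setroubleshoot messages; the
# host, the paths and the "ID" placeholder are made up for this example.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 21:20:01 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/jdoe/public_html/site1/index.html. For complete SELinux messages run: sealert -l ID
Mar  3 21:20:02 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /home/jdoe/public_html/site1/index.html. For complete SELinux messages run: sealert -l ID
Mar  3 21:20:03 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/jdoe/public_html/site1/index.html. For complete SELinux messages run: sealert -l ID
Mar  3 21:20:04 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the directory /home/jsmith/public_html/site2. For complete SELinux messages run: sealert -l ID
Mar  3 21:20:05 web1 httpd: restarted site1 vhost after config change
EOF

# denial_summary LOGFILE...: one line per distinct (process, access, class, path),
# most frequent first. Only "SELinux is preventing" lines count; a line that
# merely mentions a site name (like the httpd line above) is ignored.
denial_summary() {
    cat -- "$@" \
      | grep 'SELinux is preventing' \
      | sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) \([^ ]*\)\..*/\1 \2 \3 \4/p' \
      | sort | uniq -c | sort -rn
}

# denials_under PREFIX LOGFILE...: total denials whose target path starts with
# PREFIX (the fields after uniq -c are: count process access class path).
denials_under() {
    local prefix=$1
    shift
    denial_summary "$@" | awk -v p="$prefix" 'index($5, p) == 1 { n += $1 } END { print n + 0 }'
}

# Usage on the real system:
#   denial_summary /var/log/messages
#   denials_under /home/jdoe/public_html/site1 /var/log/messages
```

On the sample, grep --count site1 reports 4 because it also matches the unrelated httpd line, while denials_under /home/jdoe/public_html/site1 reports the 3 actual denials. /var/log/messages only carries setroubleshoot's summaries; the authoritative record is the audit log, which can be queried with ausearch -m AVC -ts today, and sealert -l with the ID from the message (or audit2why fed the AVC records) explains why each access was denied.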

So, I need to examine the logs again and try to become more familiar with the operation of SELinux in order to eliminate the remaining SELinux errors related to Apache web server access to files in those directories before I can consider switching back to SELinux's "enforcing" mode.
