Error Codes Wiki

SELinux Permission Denied — AVC Denied Errors and Troubleshooting


Overview

Fix SELinux AVC denied permission errors preventing applications from accessing files, ports, and resources on RHEL, CentOS, Fedora, and Rocky Linux.

Key Details

  • SELinux (Security-Enhanced Linux) enforces mandatory access control policies on top of standard file permissions
  • AVC (Access Vector Cache) denied messages appear in /var/log/audit/audit.log
  • SELinux modes: Enforcing (blocks violations), Permissive (logs only), Disabled
  • Contexts (labels) on files, ports, and processes must match the SELinux policy for access to be allowed
  • Common issue: files copied instead of moved lose their SELinux context labels

Common Causes

  • File has incorrect SELinux context label after being copied to a new location
  • Application using a non-standard port not labeled in SELinux policy
  • Custom application not covered by default SELinux policy modules
  • SELinux boolean not enabled for the feature the application needs
  • Container or VM escaping its expected SELinux domain

Steps

  1. Check SELinux status: getenforce and sestatus
  2. View AVC denials: ausearch -m AVC -ts recent or grep AVC /var/log/audit/audit.log
  3. Fix file context: restorecon -Rv /path/to/directory to restore default labels
  4. Set a custom context: semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'; restorecon -Rv /web
  5. Allow a non-standard port: semanage port -a -t http_port_t -p tcp 8080
  6. Generate a custom policy module: audit2allow -a -M mypolicy; semodule -i mypolicy.pp
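
An added example, not part of the original page: a shell function that reduces each AVC record from step 2 to one summary line (process, source type, target type, class, permissions, whether it was blocked) and points at the step that usually applies. The function names, hint wording and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials from stdin, one line per record:
#   comm|source_type|target_type|class|perms|mode|hint

avc_triage() {
  awk '
    function ctx_type(field,   parts) {   # user:role:type:level -> type
      sub(/^[st]context=/, "", field)
      split(field, parts, ":")
      return parts[3]
    }
    /avc: +denied/ {
      comm = src = tgt = cls = perms = ""
      mode = "blocked"
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {                  # permissions sit between { and }
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perms = perms (perms == "" ? "" : ",") $j
        }
        else if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        else if ($i ~ /^scontext=/) src = ctx_type($i)
        else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
        else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        else if ($i == "permissive=1") mode = "logged-only"   # Permissive: not blocked
      }
      if (perms ~ /name_bind/ && cls ~ /_socket$/)
        hint = "port label: semanage port -l, then step 5"
      else if (cls == "file" || cls == "dir" || cls == "lnk_file")
        hint = "file label: ls -Z, then step 3 or 4"
      else
        hint = "boolean (getsebool -a), else reviewed module (step 6)"
      print comm "|" src "|" tgt "|" cls "|" perms "|" mode "|" hint
    }
  '
}

# Constructed sample records (not taken from a real system).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/web/index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.202:502): avc:  denied  { name_bind } for  pid=2102 comm="httpd" src=8444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.303:503): avc:  denied  { name_connect } for  pid=2103 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

sample_avc | avc_triage
```

On a live system, pipe ausearch -m AVC -ts recent into avc_triage instead of the sample. Before loading a module from step 6, read the mypolicy.te file that audit2allow writes next to mypolicy.pp so you know exactly which rules are being allowed.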

Tags

selinux, avc-denied, security, rhel, context

Frequently Asked Questions

No. SELinux provides important security hardening. Use Permissive mode for debugging, then fix the policy. Disabling SELinux removes a significant security layer.