SELinux Permission Denied — AVC Denied Errors and Troubleshooting
This article is part of our Linux Error Codes collection on Error Codes Wiki.
Quick Answer
Should I just disable SELinux?
No. SELinux provides important security hardening. Use Permissive mode for debugging, then fix the policy. Disabling SELinux removes a significant security layer.
Overview
Fix SELinux AVC denied permission errors preventing applications from accessing files, ports, and resources on RHEL, CentOS, Fedora, and Rocky Linux.
Key Details
- SELinux (Security-Enhanced Linux) enforces mandatory access control policies on top of standard file permissions
- AVC (Access Vector Cache) denied messages appear in /var/log/audit/audit.log
- SELinux modes: Enforcing (blocks violations), Permissive (logs only), Disabled
- Contexts (labels) on files, ports, and processes must match the SELinux policy for access to be allowed
- Common issue: files copied instead of moved lose their SELinux context labels
Common Causes
- File has incorrect SELinux context label after being copied to a new location
- Application using a non-standard port not labeled in SELinux policy
- Custom application not covered by default SELinux policy modules
- SELinux boolean not enabled for the feature the application needs
- Container or VM escaping its expected SELinux domain
Steps
1. Check SELinux status: getenforce and sestatus
2. View AVC denials: ausearch -m AVC -ts recent or grep AVC /var/log/audit/audit.log
3. Fix file context: restorecon -Rv /path/to/directory to restore default labels
4. Set a custom context: semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'; restorecon -Rv /web
5. Allow a non-standard port: semanage port -a -t http_port_t -p tcp 8080
6. Generate a custom policy module: audit2allow -a -M mypolicy; semodule -i mypolicy.pp
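The steps above are easy to apply in the wrong order: audit2allow (step 6) will happily write a module that permits a daemon to read mislabeled home-directory files, when restorecon (step 3) was the correct fix, and semanage port -a (step 5) fails with "already defined" when the port already carries some other label and must be modified with -m instead. The script below is an added example, not code from the original article: it parses raw AVC records of the kind ausearch prints, classifies each denial as a file-label, port-label or policy problem, and prints the check-then-fix commands to consider without running any of them. The two audit records are constructed samples, the type-to-fix mapping is a heuristic, and the module name local_<domain> and the angle-bracket placeholders are assumptions to be filled in on the real system.

```shell
#!/bin/bash
# Added example, not from the original page: parse raw AVC denial records and
# classify each one so the right fix (relabel, port label, or policy review)
# is chosen before reaching for audit2allow. Only the parsing runs here; the
# fix commands are printed as suggestions, never executed.
set -u

# Constructed sample records in audit.log format (not real captures).
# Line 1: httpd reading a file that kept its user_home_t label after a copy.
# Line 2: httpd binding a port that carries the generic unreserved_port_t label.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field RECORD KEY: print the value of KEY=value (quoted or bare) from one record.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: print the denied permission(s), e.g. "read" or "name_bind".
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT: the type field of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_classify RECORD: print relabel-file, label-port or policy-review.
avc_classify() {
  local rec=$1 tclass ttype perm
  tclass=$(avc_field "$rec" tclass)
  ttype=$(avc_type "$(avc_field "$rec" tcontext)")
  perm=$(avc_perm "$rec")
  case "$tclass" in
    file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
      # A confined daemon hitting a home/tmp/default label is the classic "copied, not moved" case.
      case "$ttype" in
        user_home_t|admin_home_t|tmp_t|var_t|default_t|unlabeled_t) echo relabel-file ;;
        *) echo policy-review ;;
      esac ;;
    tcp_socket|udp_socket)
      # Binding or connecting to a port whose label is just another *_port_t is a port-label gap.
      case "$perm:$ttype" in
        name_bind:*_port_t|name_connect:*_port_t) echo label-port ;;
        *) echo policy-review ;;
      esac ;;
    *) echo policy-review ;;
  esac
}

# avc_suggest RECORD: print the check-then-fix commands for one record (nothing is run).
avc_suggest() {
  local rec=$1 kind name port proto domain
  kind=$(avc_classify "$rec")
  domain=$(avc_type "$(avc_field "$rec" scontext)")
  case "$kind" in
    relabel-file)
      name=$(avc_field "$rec" path); [ -n "$name" ] || name=$(avc_field "$rec" name)
      echo "ls -Z <path to $name>; matchpathcon <path to $name>   # confirm the label differs from policy"
      echo "restorecon -Rv <directory holding $name>" ;;
    label-port)
      port=$(avc_field "$rec" src); [ -n "$port" ] || port=$(avc_field "$rec" dest)
      case "$(avc_field "$rec" tclass)" in tcp_socket) proto=tcp ;; *) proto=udp ;; esac
      echo "semanage port -l | grep -w $port   # if the port is already labeled, use 'semanage port -m' instead of '-a'"
      echo "semanage port -a -t <port type used by $domain> -p $proto $port" ;;
    *)
      echo "ausearch -m AVC -ts recent | audit2why   # a boolean may already cover this; prefer setsebool over a new module"
      echo "audit2allow -a -M local_$domain   # hypothetical module name; inspect local_$domain.te before 'semodule -i'" ;;
  esac
}

# Triage live denials when the audit tools are present, otherwise the constructed samples.
if command -v ausearch >/dev/null 2>&1; then
  records=$(ausearch -m AVC -ts recent --raw 2>/dev/null || true)
else
  records=$SAMPLE_AVC
fi
printf '%s\n' "$records" | while IFS= read -r rec; do
  case "$rec" in type=AVC*) ;; *) continue ;; esac
  printf '[%s] %s denied %s on %s\n' "$(avc_classify "$rec")" "$(avc_field "$rec" comm)" \
    "$(avc_perm "$rec")" "$(avc_type "$(avc_field "$rec" tcontext)")"
  avc_suggest "$rec" | sed 's/^/    /'
done
```

Run it as root on the affected host to triage the most recent denials, or on any machine to see how the two sample records are classified. The classification is deliberately conservative: anything that is not plainly a stray label or an unlabeled port falls through to policy-review, where audit2why is consulted first because a boolean (step 6's setsebool alternative) is preferable to a hand-rolled module.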