Hands-on guide to locate and fix SELinux denials using audit tools and minimal persistent changes.

05.02.2026

SELinux can stop a perfectly configured service from accessing files even though UNIX permissions have not changed. Learn to locate denials, interpret audit messages, and apply minimal, persistent fixes so the service keeps running and the system stays secure.

Reproduce and repair

Scenario: a web application cannot write to /srv/uploads. Run the commands below to reproduce the denial, inspect it, and apply a persistent fix:

```
sudo -u apache bash -c 'echo hello > /srv/uploads/test' 2>&1
# Output: bash: /srv/uploads/test: Permission denied

ls -ldZ /srv/uploads
# Output: drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /srv/uploads

sudo ausearch -m avc -ts today | audit2why
# Explanation: SELinux denied write for httpd to files labeled default_t

# Quick temporary workaround (not for production): permissive mode
# lasts until the next reboot or until setenforce 1 is run
sudo setenforce 0

# Persistent fix: declare proper file context and apply it
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/srv/uploads(/.*)?'
sudo restorecon -Rv /srv/uploads

# Optional: create a local allow module if the denial is legitimate and no policy exists
sudo ausearch -m avc -ts today | audit2allow -M mypol
sudo semodule -i mypol.pp
```

What to watch next

Check booleans and modes, because sometimes enabling the right boolean avoids custom rules: `getsebool -a` shows the current settings and `setsebool -P` makes changes persistent. `chcon` is quick but nonpersistent, while `semanage fcontext` plus `restorecon` makes context fixes survive relabels and package updates.

Tools that help

Use `ausearch` to find AVC entries, `audit2why` to get human-readable explanations, `audit2allow` to generate candidate policy, and `semanage`/`restorecon` to set and apply correct file contexts without resorting to disabling SELinux.
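Before reaching for `audit2allow`, it helps to see which denials are really labeling problems. The script below is an added example, not part of the original article: it groups AVC records by source type, target type, class and permission. The function names, the sample records and the `relabel`/`review` hint are assumptions of this example.

```bash
# Added example (not from the original article): group AVC denials for triage.
# Feed it raw records, e.g.: sudo ausearch -m avc -ts today --raw | avc_triage
# Assumption of this example: a target type of default_t or unlabeled_t means
# the path is mislabeled, so the hint is "relabel"; anything else is "review".
avc_triage() {
  awk '
    /avc: +denied/ {
      perms = src = tgt = cls = ""; mode = "enforcing"
      # Permissions are listed between braces, e.g. { write add_name }
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        # Contexts are user:role:type:level; the type is the third part
        if ($i ~ /^scontext=/)    { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/)    { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)      { cls = substr($i, 8) }
        if ($i == "permissive=1") { mode = "permissive" }
      }
      hint = (tgt == "default_t" || tgt == "unlabeled_t") ? "relabel" : "review"
      count[src " " tgt " " cls " " perms " " mode " " hint]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real system)
sample_avc_log() {
  cat <<'EOF'
type=AVC msg=audit(1770280000.101:501): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1770280000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1770280042.317:502): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1770280100.550:503): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

sample_avc_log | avc_triage
```

Rows tagged `relabel` are candidates for the `semanage fcontext` plus `restorecon` fix; rows tagged `review` should be checked against booleans first, and `permissive` marks denials logged while enforcement was off.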
Final steps

Resolve the immediate denial with the least-permissive change, test the service under enforcing mode, and prefer file-context fixes or booleans over allow-modules unless you audit and accept the risk. Deepen your skill by practicing on real systems, and consider exam objectives to formalize knowledge.