So you execute a script and get a “Permission denied”, and you know you have SELinux enabled. Disabling SELinux is not an option (and never will be), so the first thing to check is the audit log, to see what the error is and what the SELinux tools offer to solve it.
But there are no entries in the audit log when you execute your script!
So you decide to temporarily disable SELinux to check whether this “Permission denied” issue is really caused by it, with:
And the script executes just fine, with no error! Then you switch back to Enforcing with:
    setenforce 1
    ./myscript
    Permission Denied
And NO lines are added to audit.log (/var/log/audit/audit.log on our system)! Apparently the logging itself works fine, because it does get entries from time to time, but not when executing our script, which is just a simple:
After some research it appeared that
not all AVC denials may be logged when SELinux denies access.
Too many applications and system libraries check for permissions that they might never use or even need afterwards, so logging every such denial could make the log grow exponentially or make it less informative about the real cause of a problem!
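Denials that match a dontaudit rule in the loaded policy are dropped without an audit record, which fits the symptom above. As an added example (not from the original post), this shell script rebuilds the policy with dontaudit rules disabled using semodule -DB, reruns the command, summarises the resulting AVC records and restores the policy. The function names and the sample log lines are constructed for illustration, and the live procedure needs root on an SELinux host.

```shell
#!/bin/sh
# Added example: surface SELinux denials that dontaudit rules keep out of audit.log.

# Constructed sample records in audit.log format (not taken from a real system).
SAMPLE_LOG='type=AVC msg=audit(1700000000.123:101): avc:  denied  { execute } for  pid=4242 comm="myscript" name="helper" dev="dm-0" ino=1234 scontext=unconfined_u:unconfined_r:example_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=no exit=-13 comm="myscript" exe="/usr/bin/bash"
type=AVC msg=audit(1700000001.456:102): avc:  denied  { read write } for  pid=4300 comm="other" name="data" dev="dm-0" ino=5678 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=0'

# Read audit records on stdin; for AVC denials whose comm is $1 print
# "<permissions> <object class> <target context>", one unique line each.
avc_summary() {
    grep 'type=AVC' | grep "comm=\"$1\"" |
        sed -n 's/.*denied *{ \(.*\) } for .* tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \3 \2/p' |
        sort -u
}

# Usage: trace_hidden_denials <comm> <command> [args...]
# Needs root on an SELinux host. The denial may be recorded under the comm of
# the parent shell rather than the script, so try both names if nothing shows.
trace_hidden_denials() {
    comm=$1; shift
    semodule -DB || return 1      # rebuild the policy with dontaudit rules disabled
    "$@"                          # reproduce the "Permission denied"
    status=$?
    ausearch -m avc -ts recent | avc_summary "$comm"
    semodule -B                   # rebuild again: dontaudit rules back in force
    return "$status"
}
```

On the affected host this would be called as `trace_hidden_denials myscript ./myscript`; the policy is rebuilt with dontaudit rules restored before the function returns.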