Troubleshooting SELinux By Paul W. Frields

SELinux is one of the most powerful security features in your Fedora system. It’s like a valet key for your computer services, only allowing them to access approved data. SELinux has outgrown its early-days reputation for difficulty. Now it has tunable policy for most popular applications, and provides extra security and confidence. However, sometimes errors do occur, and this article will help you deal with them.


This article assumes two things:

  1. You know the basics of SELinux. If you haven’t learned basics of SELinux, now is a great time to do that. One of the best primers is this video by Thomas Cameron. Take the time to watch and understand it.
  2. You’re using SELinux in enforcing mode. The enforcing mode is the normal and expected way to run Fedora. If you’ve disabled SELinux, you’ll need to enable it. Edit the /etc/sysconfig/selinux file to set SELINUX=permissive. Using permissive mode first ensures that any radical problems can still be fixed automatically by the following commands. Then do the following:
    sudo fixfiles -F onboot

    The boot process may take longer than usual, since SELinux relabels any files created while it was disabled. This can take a while on very large file systems, so be patient.

Don’t be surprised if you start seeing errors after relabeling, if you’ve been running in disabled mode for a while. Running in disabled mode is like wallpapering over a leak. When you remove the wallpaper, you’re likely to find water damage. In the same way, if you’ve been running without SELinux enabled, you’ve probably created more problems that now need to be solved.

Once the machine has rebooted, you can switch to enforcing mode:

sudo setenforce 1

Is it really SELinux?

A good way to tell whether SELinux is at fault for an error is to set permissive mode. This means SELinux logs the error, but still allows the activity. To do this, run this command:

sudo setenforce 0

Then try the process again, in another terminal if needed. If it now succeeds, SELinux policy is fault. To find errors within the last 10 minutes, use the ausearch command:

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

If the process still fails while in permissive mode, the problem is likely not the SELinux policy. In that case, make sure to run sudo setenforce 1 to return to enforcing mode. Remember this setting is global, so you don’t want to leave off policy enforcement everywhere!

Identify the problem

You can generally identify SELinux errors through the AVC message. One of the parameters of the AVC message is the command that generated the message. For example, you might see comm=”/usr/sbin/httpd” in a message about an SELinux error generated by the Apache web server.

The problem will also tell you the source context (scontext) of the acting part of your system, and the target context (tcontext) of the thing it tried to act on. Often, but not always, the source is a binary and the target a file. To understand the error better, you can use the SELinux Troubleshooter. You can install this from the Software tool in Fedora Workstation, or use sudo with dnf in a terminal:

sudo dnf install setroubleshoot

To start the program, use the Overview in Fedora Workstation to locate the SELinux Troubleshooter, or run from a terminal:


You can find recent alerts in the browser that appears:

At this screen, for example, you can list all the alerts present on your system to troubleshoot them systematically.

Fixing the problem

When you select Troubleshoot you’ll see several options for your error.

In this case, the user created an index.html file in their home directory, and used the mv command to put it in /var/www/html/ to be served by the Apache web server. After pointing a web browser at http://localhost/index.html, this error occurred.

Notice how each choice gives you a specific set of commands you can run to fix the problem. In this case, there is a boolean switch you can enable to allow the activity in the future, even while SELinux is enforcing policy.

However, just because a boolean exists doesn’t mean you should enable it without understanding it. In this case, if you turn on the boolean, the Apache web server will be able to read any user content whose file permissions allow it. So in this case, we might instead want to ask, “Why does the file have that context?” In this case it’s because the user moved the file. That means the file carried its old context into its new location, rather than receiving a new default context that allows the web server to read content in /var/www/html.

In this case, the best idea is to simply restore the file’s correct context:

sudo restorecon -rv /var/www/html/index.html
Relabeled /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

A note about SELinux booleans

There are many booleans available. Each one allows you to set a broad class of access that may be expected for an application to function. To see the whole list and their current settings, run this command:

semanage boolean -l

If you install the selinux-policy-devel package first, you can also see a short description for each boolean when you run the command above:

SELinux boolean State Default Description

abrt_anon_write (off , off) Allow ABRT to modify public files used for public file transfer services.
abrt_handle_event (off , off) Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.
abrt_upload_watch_anon_write (on , on) Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.
antivirus_can_scan_system (off , off) Allow antivirus programs to read non security files on a system

To set a boolean temporarily, run this command, where boolname is the name of the boolean and value is either on or 1, or off or 0.

setsebool boolname=value

To set it permanently, add the -P switch:

setsebool -P boolname=value


There are other functions you can perform with the SELinux Troubleshooter, such as creating a specific policy module for your own system. You might find this SELinux guide helpful for understanding those functions.

Photo by Cristina Gottardi on Unsplash

Fedora 24 Update

I download F24 and now I will update my last configuration.

Please feel free to share your configurations for other Linux platforms. I can put a category for that purpose.

Thanks in advance for this 3.5K visits until today.

I’m back-

How to migrate IMSCore to Cloud

User Stories Here

Virtual IMS Core

Cross Project Spec – None

User Story Tracker – None

Problem description

Problem Definition

This use case is about deploying a virtual IMS core as an NFV function in OpenStack. It replaces the version previously uploaded to the TelcoWG repository [1].

An IMS core [2] is a key element of Telco infrastructure, handling VoIP device registration and call routing. Specifically, it provides SIP-based call control for voice and video as well as SIP based messaging apps.

An IMS core is mainly a compute application with modest demands on storage and network – it provides the control plane, not the media plane (packets typically travel point-to-point between the clients) so does not require high packet throughput rates and is reasonably resilient to jitter and latency.

As a core Telco service, the IMS core must be deployable as an HA service capable of meeting strict Service Level Agreements (SLA) with users. Here HA refers to the availability of the service for completing new call attempts, not for continuity of existing calls. As a control plane rather than media plane service the user experience of an IMS core failure is typically that audio continues uninterrupted but any actions requiring signalling (e.g. conferencing in a 3rd party) fail. However, it is not unusual for client to send periodic SIP “keep-alive” SIP pings during a call, and if the IMS core is not able to handle them the client may tear down the call.

An IMS core must be highly scalable, and as an NFV function it will be elastically scaled by an NFV orchestrator running on top of OpenStack. The requirements that such an orchestrator places on OpenStack are not addressed in this use case.


Although this user story is specifically about deploying the Project Clearwater virtual IMS core, it is more generally representative of the issues involved in deploying in OpenStack any scalable Telco-grade control plane Virtual Network Function (VNF) deployed as a series of load-balanced stateless N+k pools.

Use Cases

User Stories

  • As a communication service provider, I want to deploy a highly available, high scale, high performance virtual IMS core on OpenStack to provide my core Voice-over-IP service.

Usage Scenario Examples

Project Clearwater [3] is an open-source implementation of an IMS core designed to run in the cloud and be massively scalable. It provides P/I/S-CSCF functions together with a BGCF and an HSS cache, and includes a WebRTC gateway providing interworking between WebRTC & SIP clients.

Related User Stories



The problem statement above leads to the following requirements.

  • Compute applicationOpenStack already provides everything needed; in particular, there are no requirements for an accelerated data plane, nor for core pinning nor NUMA.
  • HAProject Clearwater itself implements HA at the application level, consisting of a series of load-balanced N+k pools with no single points of failure [4].

    To meet typical SLAs, it is necessary that the failure of any given host cannot take down more than k VMs in each N+k pool. More precisely, given that those pools are dynamically scaled, it is a requirement that at no time is there more than a certain proportion of any pool instantiated on the same host.

    That by itself is insufficient for offering an SLA, though: to be deployable in a single OpenStack cloud (even spread across availability zones or regions), the underlying cloud platform must be at least as reliable as the SLA demands. Those requirements will be addressed in a separate use case.

  • Elastic scalingAn NFV orchestrator must be able to rapidly launch or terminate new instances in response to applied load and service responsiveness. This is basic OpenStack nova function.
  • Placement zonesIn the IMS architecture there is a separation between access and core networks, with the P-CSCF component (Bono – see [4]) bridging the gap between the two. Although Project Clearwater does not yet support this, it would in future be desirable to support Bono being deployed in a DMZ-like placement zone, separate from the rest of the service in the main MZ.

External References

Rejected User Stories / Usage Scenarios



  • NFV – Networks Functions Virtualisation, see
  • IMS – IP Multimedia Subsystem
  • SIP – Session Initiation Protocol
  • P/I/S-CSCF – Proxy/Interrogating/Serving Call Session Control Function
  • BGCF – Breakout Gateway Control Function
  • HSS – Home Subscriber Server
  • WebRTC – Web Real-Time-Collaboration

[OpenIMSCore-Users] Issue with importing userdata.sql to my database

From maillist question:

Hi All,

I’m having a issue when I’m following OpenIMS installation guide. When I do below lines:

mysql -u root -p -h localhost < ser_ims/cfg/icscf.sql
mysql -u root -p -h localhost < FHoSS/scripts/hss_db.sql
mysql -u root -p -h localhost < FHoSS/scripts/userdata.sql

There is an error only for the last line, in my terminal, it’s showing:

ERROR 1136 (21S01) at line 41: Column count doesn’t match value count at row 1

The 41 line in the userdata.sql is:

LOCK TABLES application_server WRITE;
/!40000 ALTER TABLE application_server DISABLE KEYS /;
INSERT INTO application_server VALUES (1,’default_as’,’sip:‘,0,”,’’,1024,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
/!40000 ALTER TABLE application_server ENABLE KEYS /;

I’m a little despairing about this since I don’t know much about database.
My system is Ubuntu 14.04, I run it on VMware workstation.
I also attached the userdata.sql file, too.

Someone please help me.

Thanks in advance
Lin Zhu

Answer from Franz Edler

Hi Lin Zhu,

I can’t help due to lack of time, but I remember on a similar issue some times ago:

Or more recent:$ef309730$cd91c590$

Maybe that helps.

Otherwise you should learn some basics about MySQL and try to help yourself.

BR Franz