Adding Permissions

At this point in the development of SELinux, it’s common for policies to contain small bugs that cause operations to fail when applications are used in unusual ways the policy developers didn’t anticipate. As an SELinux administrator, one of the most frequent policy customizations you’re likely to perform is adding permissions so that the security engine accepts an operation it currently denies. Let’s consider an actual situation, based on Fedora Core 2’s SELinux implementation, and see how it’s resolved. The procedure we’ll follow isn’t the only procedure, or even the best one. Creating new policy typically entails a generous dollop of troubleshooting, which tends to be relatively unstructured. So rather than seeing our procedure as the universal norm, you should see it as merely an illustrative example.

Though unfamiliar to many, Nmap is a popular tool among those concerned with security, and it provides many useful functions. For instance, using Nmap you can determine the ports on which a network host is listening and which service is running on each open port.

Suppose you install and run Nmap and obtain the following error message:

# nmap -sT 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 17:23 UTC
Unable to find nmap-services!  Resorting to /etc/services

It seems that Nmap is unable to read the nmap-services file. Checking the system log, you find that SELinux recently logged eight denial messages:

avc: denied { read } for pid=8682 ...
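The first step of the procedure the text describes is turning a pile of avc: denied messages into the minimal set of allow rules that would satisfy them. The following script is an added example, not code from the book or from the SELinux project: it collapses denials by source type, target type and object class, the way audit2allow does, and prints one allow rule per group. The page shows only the truncated first message, so the sample log lines embedded here (the exe, name, contexts and classes) are constructed assumptions for illustration.

```python
#!/usr/bin/env python3
"""Collapse SELinux AVC denials into candidate allow rules (audit2allow-style)."""
import re
from collections import defaultdict

# Constructed sample log in the Fedora Core 2-era AVC format. The page shows
# only a truncated first line ("avc: denied { read } for pid=8682 ..."), so the
# exe, name, contexts and classes below are assumptions for illustration.
SAMPLE_LOG = """\
avc:  denied  { read } for  pid=8682 exe=/usr/bin/nmap name=nmap-services dev=hda2 ino=123456 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { getattr } for  pid=8682 exe=/usr/bin/nmap path=/usr/share/nmap/nmap-services dev=hda2 ino=123456 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { read } for  pid=8682 exe=/usr/bin/nmap name=nmap-services dev=hda2 ino=123456 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { search } for  pid=8682 exe=/usr/bin/nmap name=nmap dev=hda2 ino=123400 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=dir
avc:  granted  { read } for  pid=8682 exe=/usr/bin/nmap name=services dev=hda2 ino=9876 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # the denied permission set
    r".*?scontext=(?P<scontext>\S+)"                   # subject (process) context
    r"\s+tcontext=(?P<tcontext>\S+)"                   # target (object) context
    r"\s+tclass=(?P<tclass>\S+)"                       # object class (file, dir, ...)
)


def context_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one log line; return a dict of fields for a denial, else None.

    Lines that are not AVC messages, or that are 'granted' audit records,
    are ignored so that only real denials feed the rule generator.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions.

    Duplicate denials (the same read denied eight times) collapse into one entry.
    """
    needed = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(needed)


def allow_rules(summary):
    """Render the summary as policy allow rules, one per (stype, ttype, tclass)."""
    rules = []
    for (stype, ttype, tclass), perms in summary.items():
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    return sorted(rules)


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Treat the output as a starting point, not a patch to apply blindly. Before adding a rule, check the label on the target object (ls -Z on the file); if the file is simply mislabeled, the right fix is to relabel it, and an allow rule against the wrong type would widen the policy for no reason. Also expect to iterate: once the first denial is permitted, the program proceeds further and may trip the next one, which is the unstructured troubleshooting the text warns about.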
