Sometimes a misconfiguration of SELinux can cause BoKS commands to fail or behave unexpectedly. Here you will find some tips to help troubleshoot such a condition.

SELinux logs are located in:

/var/log/audit/audit.log

Look for "=AVC" to show failures:

grep -i boks /var/log/audit/audit.log | grep "=AVC"

For example:

type=AVC msg=audit(1424892567.531:47598): avc: denied { search } for pid=1362351 comm="suexec" name="root" dev=dm-0 ino=912130 scontext=unconfined_u:unconfined_r:boks_suexec_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

To check SELinux mode:

# getenforce

If you need to see all SELinux activity without being blocked by it:

Set selinux to permissive mode:

# setenforce 0

Run the BoKS command again and see if it still fails. If it doesn't, then the problem is SELinux related.

Turn SELinux enforcement back on:
# setenforce 1

Check /var/log/audit/audit.log for AVC data to see if there was a BoKS file/command that triggered an AVC.

Use restorecon to fix file context via settings from the SELinux policy database:

# restorecon -v /opt/boksm/etc/ENV

To fix all BoKS files (in a BoKS shell):

BoKS# restorecon -Rv $BOKS_DIR $BOKS_var $BOKS_etc

To show the SELinux context of a file:
ls -Z [filename]

BoKS SELinux policy modules are installed when BoKS is installed. The modules are stored in:

/opt/boksm/install/selinux

and the sources are in /opt/boksm/install/selinux/src.


Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: June 28, 2019