Why would SELinux block an action?

SELinux enforces mandatory access control. Wrong file context, port context, or policy can block access even when file permissions allow it. Check getenforce and AVC logs.

Can I fix SELinux blocking an action myself?

Yes. Fix context with chcon or restorecon. Fix port context with semanage. Temporarily set permissive to test. Revert to enforcing after fix.

When should I escalate SELinux blocking an action?

If you cannot run setenforce or semanage, the policy must be customized, or the system is managed by config management.

Search guides

Fix SELinux that blocks an action

We'll confirm SELinux is the cause, check AVC logs, fix context or policy, and test—or tell you when to escalate.

Category: Troubleshooting · Servers & Linux
Time: 15–30 min
Last reviewed: Mar 7, 2026

What you'll need

SSH or console access with root or sudo
policycoreutils-python-utils or policycoreutils-python (for semanage)

Quick triage — pick your path

Choose the option that matches what you see. You can jump straight to that section.

Follow this guide Work through the full procedure.
Check AVC logs You want to see what SELinux denied.
Fix file context The denial involves a file or directory.
Fix port context The denial involves a port.
When to escalate You cannot run setenforce or semanage.

Show full guide

Steps

Goal: Confirm SELinux is the cause, check logs, fix context, and test.

Run getenforce. If Enforcing, SELinux may block.
Good: Enforcing. Proceed to Check AVC logs.
Bad: Permissive or Disabled—check file permissions instead.

Check AVC logs

Goal: See what SELinux denied.

Run sudo ausearch -m avc -ts recent or journalctl | grep avc.
Good: You see a denial for your file, port, or process. Proceed to Fix file context or Fix port context.
Bad: No denial—try setenforce 0 to test.

Fix file context

Goal: Reset or set the correct context for files.

Run sudo restorecon -Rv /path/to/file. If that does not work: sudo chcon -t <type> /path/to/file (get type from ls -Z on a working file).
For persistence: sudo semanage fcontext -a -t <type> "/path(/.*)?" then restorecon.
Good: Context fixed. Retry the action.
Bad: Check port context if the action involves a port.

Fix port context

Goal: Allow the service to bind to the port.

Run sudo semanage port -a -t <type> -p tcp <port>. Get the type from semanage port -l.
Good: Port context added. Retry the action.
Bad: Check booleans with getsebool.

When to escalate

Escalate if:

You cannot run setenforce or semanage (permission denied).
The policy must be customized.
The system is managed by config management.

Provide getenforce, ausearch output, and the exact error.

Verification

The action succeeds after fixing context.
getenforce shows Enforcing (revert setenforce 0 if you used it).
No new AVC denials for your action in ausearch.

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

Confirm SELinux getenforce; check AVC logs.
Fix context restorecon or chcon for files; semanage port for ports.
Test in permissive setenforce 0; retry; fix; setenforce 1.
Escalate Provide getenforce, ausearch, error.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

getenforce output
ausearch -m avc or journalctl grep avc
Steps already tried

Is SELinux enforcing?

Run getenforce.

Run `getenforce`. Enforcing: SELinux may block—check AVC logs. Permissive/Disabled: SELinux is not the cause—check file permissions (fix-linux-has-permission-denied).

Yes No

You can change your answer later.

Do AVC logs show a denial for your action?

ausearch -m avc -ts recent or journalctl | grep avc.

Run `sudo ausearch -m avc -ts recent`. Look for your file path, port, or process. Denial found: fix context (restorecon, chcon) or port (semanage port). No denial: try setenforce 0 to test.

Yes No

You can change your answer later.

Fix context or port

File: restorecon -Rv or chcon -t <type>. Port: semanage port -a -t <type> -p tcp <port>. Retry the action. If still blocked, setenforce 0 to test.

Done

Test in permissive

`sudo setenforce 0`. Retry the action. If it works, SELinux was the cause. Fix context or policy, then `sudo setenforce 1`.

Done

Check file permissions

SELinux is not enforcing. Check ls -la, chown, chmod. See fix-linux-has-permission-denied.

Done

Reviewed by Blackbox Atlas

Frequently asked questions

Why would SELinux block an action?: SELinux enforces mandatory access control. Wrong file context, port context, or policy can block access even when file permissions allow it. Check getenforce and AVC logs.
Can I fix SELinux blocking an action myself?: Yes. Fix context with chcon or restorecon. Fix port context with semanage. Temporarily set permissive to test. Revert to enforcing after fix.
When should I escalate SELinux blocking an action?: If you cannot run setenforce or semanage, the policy must be customized, or the system is managed by config management.

Rate this guide

Was this helpful?

Step-by-step diagnostic

Quick triage — pick your path

Quick triage — pick your path

Steps

Check AVC logs

Fix file context

Fix port context

When to escalate

Verification

Escalation ladder

What to capture if you need help

Is SELinux enforcing?

Do AVC logs show a denial for your action?

Fix context or port

Test in permissive

Check file permissions

Frequently asked questions

Rate this guide

Continue to

You might also like