PASSED: server / selinux_denial_blocking_app

SELinux Denial Blocking Application

SELinux enforcing mode blocks a newly deployed application from binding to its configured port and accessing its data directory. The application fails to start with permission denied errors, and the audit log fills with AVC denial messages.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Auto-Heal

Test Results

Metric               | Expected  | Actual    | Result
Pattern Recognition  | UNKNOWN   | UNKNOWN   |
Severity Assessment  | CRITICAL  | CRITICAL  |
Incident Correlation | Yes       | 4 linked  |
Cascade Escalation   | N/A       | No        |
Remediation          | Auto-Heal — Corax resolves autonomously

Scenario Conditions

RHEL 9 server with SELinux enforcing. New application deployed to /opt/myapp. Application needs to bind to port 9090 and read from /data/myapp. SELinux policy does not include context for these paths. Application fails on startup with EACCES.

Injected Error Messages (1)

Application failed to start on rhel-custom-01 — SELinux AVC denial blocking bind to port 9090: avc: denied { name_bind } for pid=4521 comm='myapp' scontext=system_u:system_r:init_t, also denied read access to /data/myapp: avc: denied { read } for pid=4521, audit log shows 47 AVC denials in last 5 minutes, application cannot start under SELinux enforcing mode

Neural Engine Root Cause Analysis

The application 'myapp' (PID 4521) is failing to start due to SELinux enforcing mode blocking critical operations. SELinux is denying the application's ability to bind to port 9090 (name_bind permission) and read access to the /data/myapp directory. The application is running in the init_t context which doesn't have the necessary permissions for these operations, resulting in 47 AVC denials in 5 minutes and complete application startup failure.

Remediation Plan

1. Create a custom SELinux policy module allowing the init_t context to bind to port 9090 and read /data/myapp
2. Generate the policy from the audit logs using audit2allow
3. Compile and install the policy module
4. Alternatively, configure proper SELinux labels for the application and data directory
5. Restart the application service
6. Verify port binding and application startup
7. Monitor for additional AVC denials
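The plan above as an added worked script; it is not part of this scenario page or of Corax. It assumes the app runs as myapp.service with its binary at /opt/myapp/myapp, and the target types it uses (bin_t, var_t) are illustrative choices; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the remediation plan above; it is not part of the scenario
# page or of Corax. Assumptions: the app is myapp.service with binary
# /opt/myapp/myapp; the types used (bin_t, var_t) are illustrative choices.
set -eu

APP=myapp; PORT=9090; DATA_DIR=/data/myapp; BIN=/opt/myapp/myapp
DRY_RUN=${DRY_RUN:-1}   # default prints commands; DRY_RUN=0 as root applies them

# Constructed sample in ausearch -m avc format, matching the two denials quoted.
SAMPLE_AVC='type=AVC msg=audit(1.0:1): avc:  denied  { name_bind } for  pid=4521 comm="myapp" src=9090 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1.0:2): avc:  denied  { read } for  pid=4521 comm="myapp" name="myapp" dev="dm-0" ino=42 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0'
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Classify one AVC line as a port, file or other denial.
classify_avc() {
  case "$1" in
    *'{ name_bind }'*|*'{ name_connect }'*) echo port ;;
    *tclass=dir*|*tclass=file*|*tclass=lnk_file*) echo file ;;
    *) echo other ;;
  esac
}

# Count AVC denials attributed to a command name in ausearch output.
count_denials() { printf '%s\n' "$1" | grep -c "comm=\"$2\"" || true; }

# Route 1 (plan steps 1-3): module generated from the audit log. Review the .te
# first: audit2allow grants exactly what was denied, and grants it to init_t.
module_fix() {
  run sh -c "ausearch -m avc -c $APP -ts recent | audit2allow -M $APP"
  run cat "$APP.te"
  run semodule -i "$APP.pp"
}

# Route 2 (plan step 4): relabel instead of widening init_t. A bin_t binary is
# started by systemd as unconfined_service_t rather than init_t.
label_fix() {
  run semanage fcontext -a -t bin_t "$BIN"
  run semanage fcontext -a -t var_t "$DATA_DIR(/.*)?"
  run restorecon -Rv "/opt/$APP" "$DATA_DIR"
}

# Plan steps 5-7: restart, confirm the port is bound, check for new denials.
verify_fix() {
  run systemctl restart "$APP.service"
  run ss -ltnp "sport = :$PORT"
  run ausearch -m avc -c "$APP" -ts recent
}

label_fix; verify_fix
```

Run `module_fix` instead of `label_fix` to follow steps 1-3; whichever route is used, `verify_fix` should show the port bound and no fresh denials for myapp.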
Tested: 2026-03-30 | Monitors: 1 | Incidents: 1 | Test ID: cmncjz1r505taobqeaflnhej5