SELinux
Managing SELinux
| Action | Command |
|---|---|
| Verify SELinux status | sestatus |
| SELinux mode | getenforce |
| Change to enforcing mode | setenforce 1 |
| Change to permissive mode | setenforce 0 |
| Set individual domain permissive | semanage permissive -a httpd_t |
| Mappings between SELinux and Linux user accounts | semanage login -l |
| SELinux context of files | ls -Z /var/www/html/test.php |
| SELinux context of processes | ps -eZ |
| SELinux context associated with your user | id -Z |
| Show all booleans | getsebool -a |
| Turn off boolean | setsebool [boolean] 0 |
| Turn on boolean | setsebool [boolean] 1 |
| Make boolean change permanent (written to policy, survives reboot) | setsebool -P [boolean] [0\|1] |
| Change the SELinux type of a file or directory (temporary: lost on the next relabel) | chcon -t httpd_sys_content_t /var/www/html/index.html |
| Reset a directory tree to the context the policy defines | restorecon -vR /var/www/html/ |
SELinux Troubleshooting
The SELinux troubleshooting tool, sealert, is provided by the setroubleshoot package. It reads the AVC denial records in the audit log and writes a human-readable explanation of each denial, with the boolean, label or policy change that would allow the access:
sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt
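When setroubleshoot is not installed, or when a denial-heavy log needs a first pass before sealert, the AVC records can be summarised directly. The script below is an added example, not part of the original page: avc_summary reduces each denial to the fields policy actually decides on (source type, target type, object class, permissions, permissive flag) and avc_top counts them so the noisiest denial is triaged first. The audit lines in sample_audit_log are constructed for the example and follow the kernel's AVC record layout; they are not from a real system.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit.log without setroubleshoot.
# Output: one line per denial -> source_type target_type class permissions permissive

avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""; p = "?"
        # The denied permissions sit between braces: avc:  denied  { read write } for ...
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/)   { s = $i; sub(/^scontext=/, "", s) }
            else if ($i ~ /^tcontext=/)   { t = $i; sub(/^tcontext=/, "", t) }
            else if ($i ~ /^tclass=/)     { c = $i; sub(/^tclass=/, "", c) }
            else if ($i ~ /^permissive=/) { p = $i; sub(/^permissive=/, "", p) }
        }
        # A context is user:role:type:level; the type (3rd field) is what the policy checks.
        split(s, sa, ":"); split(t, ta, ":")
        print sa[3], ta[3], c, perms, p
    }'
}

# Count identical denials so the most frequent one comes first.
avc_top() {
    avc_summary | sort | uniq -c | sort -rn
}

# Constructed sample records for this example (not captured from a real host).
# Records 1 and 3 are the same denial repeated; the SYSCALL record is ignored.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.100:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.100:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.200:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.300:203): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# On a real host: avc_top < /var/log/audit/audit.log
sample_audit_log | avc_top
```

The two denials in the sample map straight onto the rest of this page: httpd_t reading a user_home_t file is a labelling problem (restorecon or a semanage fcontext rule for the web root), and httpd_t binding to an unreserved_port_t socket is the port case handled by semanage port below. A permissive value of 1 means the access was logged but allowed, which is what you see for a domain made permissive with semanage permissive -a.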
Relabeling Files
chcon rewrites the context stored on the file or directory itself. The change survives reboots, but only until that part of the filesystem is relabeled (by restorecon or a full relabel), because chcon records no rule in the file-context database and the relabel puts the policy's context back:
chcon -Rv --type=httpd_sys_content_t /html
To make the change permanent, even through a complete filesystem relabel, add a file-context rule with the SELinux Management Tool or the semanage command, then apply it with restorecon -Rv /html (the rule by itself relabels nothing). The pattern is a regular expression matched against the whole path; the trailing (/.*)? makes it cover the directory and everything beneath it:
semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
Restore Default Security Contexts
restorecon sets each file back to the context the policy (plus any semanage fcontext rules) defines for its path; add -n to preview what would change without touching anything.
restorecon -Rv /var/www/html
Relabel Complete Filesystem
touch /.autorelabel
reboot
Allowing Access to a Port
A confined service may only bind to ports carrying its own port type (see the name_bind denial sealert reports). List the current assignments, then add the port to the service's type:
semanage port -l
semanage port -a -t http_port_t -p tcp 81
If the port is already assigned to a type, semanage port -a fails with "already defined"; use semanage port -m to reassign it. Check the listing first, since recent policies already include some non-default ports (81 is in http_port_t on current RHEL-family policies).
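The add-versus-modify decision can be made mechanically from the semanage port -l listing. The script below is an added example and not part of the original page: port_type parses a listing from standard input and reports the type whose entry covers a port (single ports or N-M ranges; when several entries match, the narrowest one is reported, which is an assumption made here to model "a specific port beats the unreserved range"), and port_action turns that into the semanage command to run. sample_port_list is a constructed listing in the same layout as the real command's output, not captured from a host.

```shell
#!/bin/sh
# Added example: pick `semanage port -a` or `semanage port -m` from `semanage port -l`.

# port_type PORT PROTO  (listing on stdin)
# Prints the port type covering PORT/PROTO, or "unassigned" if no entry covers it.
port_type() {
    awk -v port="$1" -v proto="$2" '
    $2 == proto {
        # Fields 3..NF form a comma-separated list such as "80, 81, 443" or "1024-32767".
        list = ""
        for (i = 3; i <= NF; i++) list = list $i
        n = split(list, items, ",")
        for (j = 1; j <= n; j++) {
            if (split(items[j], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else                              { lo = items[j] + 0; hi = lo }
            # Assumption: prefer the narrowest matching entry over a wide range.
            if (port + 0 >= lo && port + 0 <= hi && (best == "" || hi - lo < bestw)) {
                best = $1; bestw = hi - lo
            }
        }
    }
    END { print (best == "" ? "unassigned" : best) }'
}

# port_action PORT PROTO WANTED_TYPE  (listing on stdin)
# Prints the semanage command that gives PORT/PROTO the WANTED_TYPE label.
port_action() {
    have=$(port_type "$1" "$2")
    if [ "$have" = "$3" ]; then
        echo "ok: $2/$1 already labelled $3"
    elif [ "$have" = unassigned ] || [ "$have" = unreserved_port_t ]; then
        # Nothing explicit covers it: -a succeeds.
        echo "semanage port -a -t $3 -p $2 $1"
    else
        # An explicit entry exists: -a would fail with "already defined", so modify it.
        # (A port that sits inside another type's range entry needs that range adjusted;
        #  this example does not handle that case.)
        echo "semanage port -m -t $3 -p $2 $1"
    fi
}

# Constructed listing for this example, in the layout of `semanage port -l`.
sample_port_list() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767
unreserved_port_t              udp      1024-32767
EOF
}

# On a real host: semanage port -l | port_action 8081 tcp http_port_t
sample_port_list | port_action 81 tcp http_port_t
sample_port_list | port_action 8081 tcp http_port_t
sample_port_list | port_action 8080 tcp http_port_t
```

Against the sample listing, port 81 is already http_port_t (nothing to do), 8081 falls only in the unreserved range (add), and 8080 belongs to http_cache_port_t (modify). Run the printed command only after confirming that moving a port away from its current type will not break the service that owns it.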