SELinux
Managing SELinux
| Action | Command |
|---|---|
| Verify SELinux status (mode, loaded policy, MLS) | sestatus |
| Show the current SELinux mode | getenforce |
| Change to enforcing mode (runtime only; set SELINUX= in /etc/selinux/config to persist) | setenforce 1 |
| Change to permissive mode (denials are logged, not blocked) | setenforce 0 |
| Make a single domain permissive while the rest stays enforcing | semanage permissive -a httpd_t |
| Mappings between Linux accounts and SELinux users | semanage login -l |
| SELinux context of a file | ls -Z /var/www/html/test.php |
| SELinux context of processes | ps -eZ |
| SELinux context of the current user | id -Z |
| Show all booleans | getsebool -a |
| Turn a boolean off (runtime only) | setsebool [boolean] 0 |
| Turn a boolean on (runtime only) | setsebool [boolean] 1 |
| Make a boolean change persist across reboots | setsebool -P [boolean] [0\|1] |
| Change the type of a file or directory (kept until the next relabel) | chcon -t httpd_sys_content_t /var/www/html/index.html |
| Restore the policy's default context, recursively | restorecon -vR /var/www/html/ |
SELinux Troubleshooting
The sealert tool from the setroubleshoot package (setroubleshoot-server on RHEL/Fedora) reads the AVC denials in the audit log, explains each one and suggests a fix; write its report to a file for review:
sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt
Relabeling Files
A context set with chcon is stored in the file's extended attributes, so it survives reboots, but it is lost the next time that part of the filesystem is relabeled (by restorecon or a full relabel), because the policy's file-context database still records the old type:
chcon -Rv --type=httpd_sys_content_t /html
To make the change survive a relabel, record it in the file-context database with the SELinux Management Tool or the semanage command, then apply it with restorecon (see below); the regular expression covers the directory itself and everything under it:
semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"
Restore Default Security Contexts
restorecon -Rv /var/www/html
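As an added example (not part of the original page), the following POSIX shell script audits `ls -Z` output for entries whose type is not the one the policy expects, which is the check to run after copying content into a web root, or before deciding whether a chcon or restorecon is needed. It parses the context format used throughout this page (user:role:type:level) and ships with a constructed sample of `ls -Z` output so it runs on a host without SELinux; on a real system feed it `ls -Z /var/www/html`.

```shell
#!/bin/sh
# Added example: report files under a web root whose SELinux type is not the
# expected one. Input is `ls -Z` output, one "context name" pair per line.

# Print the type field of a full context (user:role:type:level). The level may
# itself contain colons (s0-s0:c0.c1023), so take field 3 from the left.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_mislabeled EXPECTED_TYPE  < output-of-ls-Z
# Prints "<actual type> <name>" for every entry whose type differs from
# EXPECTED_TYPE. Returns 1 if at least one mismatch was printed, else 0.
find_mislabeled() {
    expected="$1"
    found=0
    while read -r ctx name; do
        [ -z "$ctx" ] && continue           # skip blank lines
        t=$(selinux_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$t" "$name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ls -Z /var/www/html` output (not captured from a real
# host): test.php kept the user_home_t label it got when copied from a home dir.
LS_SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 test.php
system_u:object_r:httpd_sys_content_t:s0 images'

# On a real host: ls -Z /var/www/html | find_mislabeled httpd_sys_content_t
printf '%s\n' "$LS_SAMPLE" | find_mislabeled httpd_sys_content_t \
    || echo "mislabeled files found: fix with restorecon -Rv (or chcon -t for a one-off)"
```

The function's exit status makes it usable as a gate in a deployment script: a non-zero return after a copy means the content needs `restorecon -Rv` before httpd will be allowed to read it.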
Relabel Complete Filesystem
Needed after switching SELinux from disabled to permissive or enforcing, or when the existing labels cannot be trusted; the relabel runs during the next boot and can take a long time on large filesystems.
touch /.autorelabel
reboot
Allowing Access to a Port
A confined service may only bind ports that carry its port type. List the current mapping, then add tcp/81 to http_port_t so httpd can listen on it. If that exact port is already listed under another type, -a fails with "already defined"; use -m to reassign it instead.
semanage port -l
semanage port -a -t http_port_t -p tcp 81
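As an added example (not from the original page), this shell script reads `semanage port -l` output and decides whether a port must be added with -a or reassigned with -m. It assumes semanage's actual rule: -a is refused when an entry for exactly that port already exists under some type (8080 belongs to http_cache_port_t, for instance), while a port that merely falls inside a range such as unreserved_port_t can still be added, so range entries are ignored. The listing embedded below is a constructed, abridged sample of the real output; on a live system pipe `semanage port -l` into the functions.

```shell
#!/bin/sh
# Added example: choose between `semanage port -a` and `semanage port -m`
# from `semanage port -l` output. Listing lines look like:
#   http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

# port_owner PROTO PORT  < semanage-port-l-listing
# Prints the type that has an entry for exactly PROTO/PORT, or nothing.
# Range entries such as 1024-32767 are skipped: they do not block `semanage port -a`.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                 # strip the list separator
                if (p !~ /-/ && p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# suggest_port_cmd TYPE PROTO PORT  < semanage-port-l-listing
# Prints the semanage command that labels PROTO/PORT as TYPE, or a note if
# nothing needs to change.
suggest_port_cmd() {
    want="$1"; proto="$2"; port="$3"
    listing=$(cat)
    owner=$(printf '%s\n' "$listing" | port_owner "$proto" "$port")
    if [ -z "$owner" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
    elif [ "$owner" = "$want" ]; then
        printf '%s/%s is already %s\n' "$proto" "$port" "$want"
    else
        printf 'semanage port -m -t %s -p %s %s\n' "$want" "$proto" "$port"
    fi
}

# Constructed, abridged sample of `semanage port -l` (not captured from a host).
PORT_SAMPLE='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# On a real host: semanage port -l | suggest_port_cmd http_port_t tcp 8081
printf '%s\n' "$PORT_SAMPLE" | suggest_port_cmd http_port_t tcp 8081
printf '%s\n' "$PORT_SAMPLE" | suggest_port_cmd http_port_t tcp 8080
```

Reassigning a port with -m takes it away from its previous type, so check with port_owner first which service currently has the right to bind it before moving it to http_port_t.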