Technotes

Technotes for future me

SELinux

Managing SELinux

| Action | Command |
| --- | --- |
| Verify SELinux status | `sestatus` |
| SELinux mode | `getenforce` |
| Change to enforcing mode | `setenforce 1` |
| Change to permissive mode | `setenforce 0` |
| Set individual domain permissive | `semanage permissive -a httpd_t` |
| Mappings between SELinux and Linux user accounts | `semanage login -l` |
| SELinux context of files | `ls -Z /var/www/html/test.php` |
| SELinux context of processes | `ps -eZ` |
| SELinux context associated with your user | `id -Z` |
| Show all booleans | `getsebool -a` |
| Turn off boolean | `setsebool [boolean] 0` |
| Turn on boolean | `setsebool [boolean] 1` |
| Make boolean permanent | `setsebool -P [boolean] [0\|1]` |
| Change SELinux context for a desired file | `chcon -t httpd_sys_content_t /var/www/html/index.html` |
| Restore the default context of a directory | `restorecon -vR /var/www/html/` |

SELinux Troubleshooting

The SELinux Troubleshooting tool is provided by the setroubleshoot package.

sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt

Relabeling Files

Security contexts modified with chcon persist across system reboots, but only until the modified portion of the filesystem is relabeled.

chcon -Rv --type=httpd_sys_content_t /html

To make the security context changes permanent, even through a complete filesystem relabel, we can use the SELinux Management Tool or the ‘semanage’ command from the command line:

semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"

Restore Default Security Contexts

restorecon -Rv /var/www/html
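
The difference between a chcon change and a semanage fcontext rule shows up as label drift: files under the rule's path whose type is not the one the rule expects. The script below is an added example, not part of the original notes; the function names and the sample `ls -Z`-style listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag files whose SELinux type differs from the type an
# fcontext rule expects. Input lines look like `ls -Z`: "<context> <path>".

# Print the type field (3rd colon-separated field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if path ($2) is covered by the fcontext regex ($1). File-context
# patterns match the whole path, so anchor both ends explicitly.
spec_matches() {
    printf '%s\n' "$2" | grep -Eq "^${1}\$"
}

# Read "<context> <path>" lines on stdin; print every path covered by the
# spec ($1) whose type is not the expected one ($2).
mislabeled() {
    local spec=$1 want=$2 ctx path
    while read -r ctx path; do
        [ -n "$path" ] || continue
        spec_matches "$spec" "$path" || continue
        [ "$(context_type "$ctx")" = "$want" ] || printf '%s\n' "$path"
    done
}

# Constructed sample listing (not captured from a real system).
SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 /html
unconfined_u:object_r:httpd_sys_content_t:s0 /html/index.html
unconfined_u:object_r:default_t:s0 /html/upload/new.php
unconfined_u:object_r:user_home_t:s0 /html/moved-from-home.txt
unconfined_u:object_r:default_t:s0 /html2/other.txt'

# Check the sample against the rule from the semanage fcontext command above.
check_sample() {
    printf '%s\n' "$SAMPLE" | mislabeled '/html(/.*)?' httpd_sys_content_t
}
```

On a live system, `restorecon -Rnv /html` reports the same drift without changing any labels.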

Relabel Complete Filesystem

touch /.autorelabel
reboot

Allowing Access to a Port

semanage port -l
semanage port -a -t http_port_t -p tcp 81

Resources

Last updated on 31 Jan 2021
Published on 28 Mar 2020