A quick reference for SELinux, the mandatory access control (MAC) system for Linux. Bookmark this page.
Status and Modes
# Check current status
getenforce # Enforcing, Permissive, or Disabled
sestatus # Detailed status
# Change mode temporarily (until reboot)
sudo setenforce 1 # Enforcing
sudo setenforce 0 # Permissive
# Change mode permanently (takes effect at next boot)
sudo vi /etc/selinux/config
# Set: SELINUX=enforcing (or SELINUX=permissive)
# Going from disabled back to enforcing/permissive triggers a full filesystem relabel on the next boot.
# On RHEL 9 and current Fedora, SELINUX=disabled no longer fully disables SELinux; that needs selinux=0 on the kernel command line and is not recommended.

File Contexts
# View file context
ls -Z /var/www/html/
ls -Zd /var/www/html/
# Restore default context
sudo restorecon -v /var/www/html/index.html
sudo restorecon -Rv /var/www/html/ # Recursive
# Change file context directly (not persistent: lost on the next restorecon or relabel)
sudo chcon -t httpd_sys_content_t /var/www/html/index.html
# Set default context permanently (adds a policy rule; restorecon then applies it to existing files)
sudo semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
sudo restorecon -Rv /srv/web/
# List all file context rules
sudo semanage fcontext -l | grep httpd

Booleans
# List all booleans
getsebool -a
getsebool -a | grep httpd
# Check specific boolean
getsebool httpd_can_network_connect
# Set boolean temporarily (until reboot)
sudo setsebool httpd_can_network_connect on
# Set boolean permanently (-P writes it into the policy store)
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_can_network_connect_db on

Port Contexts
# List port contexts
sudo semanage port -l
sudo semanage port -l | grep http
# Add a custom port for a service (if the port is already mapped to another type, use -m to modify it instead of -a)
sudo semanage port -a -t http_port_t -p tcp 8443
sudo semanage port -a -t ssh_port_t -p tcp 2222
# Delete custom port mapping
sudo semanage port -d -t http_port_t -p tcp 8443

Troubleshooting
# View denied actions in audit log
sudo ausearch -m AVC -ts recent
sudo ausearch -m AVC -ts today
# Human-readable denials
sudo sealert -a /var/log/audit/audit.log
# Generate policy module from denials, then read mypolicy.te BEFORE installing it:
# audit2allow allows exactly what was denied, and a denial is often better fixed
# with a boolean or a relabel than with a new allow rule
sudo ausearch -m AVC -ts recent | audit2allow -M mypolicy
sudo semodule -i mypolicy.pp
# Watch denials in real-time
sudo tail -f /var/log/audit/audit.log | grep AVC

Process Contexts
# View process context
ps -eZ | grep httpd
ps -eZ | grep nginx
# View user context
id -Z

Policy Modules
# List installed modules
sudo semodule -l
# Install custom module
sudo semodule -i mypolicy.pp
# Remove module
sudo semodule -r mypolicy
# Generate module from denials (quick fix; still read nginx_custom.te first)
sudo grep nginx /var/log/audit/audit.log | audit2allow -M nginx_custom
sudo semodule -i nginx_custom.pp

Common SELinux Types
| Type | Used For |
|---|---|
| httpd_sys_content_t | Web server static content (read-only for httpd) |
| httpd_sys_rw_content_t | Web server writable content |
| container_file_t | Container volumes (Podman/Docker); what the :Z/:z flags relabel to |
| ssh_port_t | SSH ports |
| http_port_t | HTTP/HTTPS ports |
| user_home_t | User home directories |
| var_log_t | Log files |
Tips and Tricks
- Never `setenforce 0` in production; fix the denial with a boolean, a relabel, or a reviewed `audit2allow` module instead
- Run `restorecon -Rv` after moving files into web directories: `mv` keeps the file's old label, while a plain `cp` inherits the destination directory's default label
- Use the `:Z` or `:z` volume flags with Podman/Docker so volumes get `container_file_t` (`:Z` is private to one container, `:z` is shared between containers)
- Check booleans first; most "SELinux is blocking it" issues are a missing boolean
- Use `matchpathcon` to check the expected context of a path: `matchpathcon /var/www/html`
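The tip above says to fix denials with `audit2allow` rather than by disabling enforcement. The script below is an added example, not part of the original cheat sheet: it does in plain POSIX sh + awk roughly what `audit2allow -M` does, turning raw AVC records into a policy module source, so you can see the `allow` rules you would be installing. The audit lines in `SAMPLE_AVC` are constructed, not captured from a real system; `avc_summary` and `avc_to_te` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): turn raw AVC denials into
# a reviewable policy module source, roughly what "audit2allow -M" does, so the
# rules can be read before "semodule -i". Pure POSIX sh + awk; runs offline.

# Constructed sample audit.log lines (not captured from a real system): a
# file-write denial that repeats, an unrelated SYSCALL record, and a port denial.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:502): avc:  denied  { write } for  pid=1235 comm="httpd" name="app.log" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: stdin = audit.log lines; stdout = one line per distinct denial:
#   <source type> <target type> <class> { <perms> }
avc_summary() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/^.*[{] */, "", perms)    # drop everything up to "{ "
      sub(/ *[}].*$/, "", perms)    # drop " }" and the rest of the record
      st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (st != "" && tt != "" && cls != "") print st, tt, cls, "{ " perms " }"
    }' | sort -u
}

# avc_to_te NAME: stdin = audit.log lines; stdout = NAME.te source (module line,
# require block, allow rules). Review every "allow" line: each one grants the
# denied access permanently, and the right fix is often a boolean or a label
# change rather than a new rule.
avc_to_te() {
  avc_summary | awk -v mod="${1:-mypolicy}" '
    {
      perms = $0; sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      types[$1] = 1; types[$2] = 1
      n = split(perms, p, " ")
      for (k = 1; k <= n; k++)              # distinct perms per class for the require block
        if (!(($3, p[k]) in seen)) { seen[$3, p[k]] = 1; cls[$3] = cls[$3] " " p[k] }
      rules[NR] = "allow " $1 " " $2 ":" $3 " { " perms " };"
    }
    END {
      print "module " mod " 1.0;\n\nrequire {"
      for (t in types) print "\ttype " t ";"
      for (c in cls)   print "\tclass " c " {" cls[c] " };"
      print "}\n"
      for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# Demo on the constructed sample. On a live system:
#   sudo ausearch -m AVC -ts recent | avc_to_te mypolicy > mypolicy.te
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mypolicy
```

The summary collapses the two identical `write` denials into one line and ignores the SYSCALL record. Before compiling anything from the generated source, check the summary against the booleans and types on this page: the `tcp_socket { name_connect }` denial against `postgresql_port_t` is exactly what `httpd_can_network_connect_db` exists for, and `httpd_t` writing to a `var_log_t` file is usually a mislabelled log file, not a reason for a new rule. If a rule really is needed, the `.te` is built the same way `audit2allow -M` does it: `checkmodule -M -m -o mypolicy.mod mypolicy.te && semodule_package -o mypolicy.pp -m mypolicy.mod`, then `semodule -i mypolicy.pp`.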