SELinux Reference

Free reference guide: SELinux Reference

About SELinux Reference

The SELinux Reference is a searchable cheat sheet covering all essential SELinux administration commands organized into eight categories: Mode (getenforce, setenforce, sestatus), Context (ls -Z, chcon, restorecon, semanage fcontext), Policy (semodule, sesearch, seinfo, audit2allow), Booleans (getsebool, setsebool), Modules, Ports (semanage port), Files (matchpathcon, fixfiles), and Troubleshooting (ausearch, sealert, audit2why).

Each command entry includes the syntax, a clear description of what it does, and practical examples showing real-world usage such as setting httpd_sys_content_t on custom web directories, enabling httpd_can_network_connect, adding custom port labels, and generating policy modules from AVC denial logs.

This reference is designed for Linux system administrators, DevOps engineers, and security professionals working with RHEL, CentOS, AlmaLinux, Rocky Linux, or Fedora systems where SELinux is enabled by default. All content runs locally in your browser with no server dependency.

Key Features

  • Complete mode management: getenforce, setenforce, sestatus, /etc/selinux/config, and kernel parameter reference
  • File context commands: ls -Z, chcon, restorecon, semanage fcontext with real httpd_sys_content_t examples
  • Policy tools: semodule, sesearch, seinfo, sepolicy, and audit2allow for custom rule generation
  • Boolean management: getsebool, setsebool -P with common httpd and network booleans documented
  • Port label administration: semanage port -a/-d/-m for adding custom ports like 8080 to http_port_t
  • Troubleshooting toolkit: ausearch -m avc, sealert, audit2why, setroubleshoot, and semodule -DB for debugging
  • Policy module lifecycle: checkmodule compilation, semodule_package, installation, and removal commands
  • Searchable across all 8 categories with dark mode and responsive mobile-friendly layout

Frequently Asked Questions

How do I check the current SELinux mode?

Run "getenforce" to see the current mode (Enforcing, Permissive, or Disabled). For more detail, including the policy type, run "sestatus", which shows the SELinux status, loaded policy name, policy mode, and policy MLS/MCS status. The persistent configuration is stored in /etc/selinux/config.

How do I fix SELinux denying access to my web files?

First check the file context with "ls -Z /var/www/html/". If files have the wrong type, add a permanent rule with "semanage fcontext -a -t httpd_sys_content_t '/mysite(/.*)?'" (quote the pattern so the shell does not expand it), then apply it with "restorecon -Rv /mysite". For writable directories, use httpd_sys_rw_content_t instead.

How do I allow Apache to connect to a network service?

Enable the httpd_can_network_connect boolean: "setsebool -P httpd_can_network_connect on". The -P flag makes it persistent across reboots. You can list all httpd-related booleans with "getsebool -a | grep httpd" to find other relevant permissions like httpd_can_network_connect_db for database connections.

How do I add a custom port to SELinux for my web server?

Use semanage port to add the port: "semanage port -a -t http_port_t -p tcp 8080". To verify, run "semanage port -l | grep http_port_t". If the port is already assigned to another type, use -m (modify) instead of -a (add). To remove a custom port label, use "semanage port -d -t http_port_t -p tcp 8080".

How do I create a custom SELinux policy module from AVC denials?

Filter the audit log for denials and generate a module: "grep denied /var/log/audit/audit.log | audit2allow -M myfix" then install it: "semodule -i myfix.pp". For more control, use audit2allow without -M to review the rules first, then manually compile with checkmodule and semodule_package.

How do I troubleshoot SELinux AVC denials?

Start with "ausearch -m avc -ts recent" to find recent denials. Pipe to "audit2why" for root cause analysis. Install setroubleshoot-server and run "sealert -a /var/log/audit/audit.log" for human-readable explanations with suggested fixes. For debugging hidden denials, temporarily disable dontaudit rules with "semodule -DB".
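As an added example, not taken from the SELinux Reference itself, the POSIX shell script below does the review step the two answers above recommend before running "audit2allow -M": it reduces raw AVC lines to unique (source type, target type, class, permissions) tuples and sorts each one into the relabel, boolean, or custom-module bucket. The audit lines in SAMPLE_AVC are constructed sample data in audit.log format, not a real log.

```shell
#!/bin/sh
# Constructed sample AVC lines (audit.log format); not real log data.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:11): avc:  denied  { read open } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:12): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:13): avc:  denied  { write } for  pid=1201 comm="httpd" name="uploads" dev="dm-0" ino=202 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:14): avc:  denied  { read open } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: stdin = audit.log lines; stdout = unique "src_type tgt_type tclass perms" lines.
# The sed expression pulls the type field (third colon-separated part) out of scontext/tcontext.
avc_summary() {
  grep 'avc:  denied' |
  sed -n 's/.*denied  [{] \([^}]*\) [}].*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
  sort -u
}

# avc_hint: stdin = audit.log lines; stdout = one classified line per unique denial.
# Classification follows the cheat sheet's own guidance: mislabelled web files get a relabel,
# writable dirs get httpd_sys_rw_content_t, outbound connects get a boolean, the rest get reviewed.
avc_hint() {
  avc_summary | while read -r src tgt cls perms; do
    case "$src:$tgt:$cls:$perms" in
      httpd_t:*_port_t:tcp_socket:*name_connect*)
        echo "$src $tgt $cls $perms => boolean: setsebool -P httpd_can_network_connect (or _db) on" ;;
      httpd_t:httpd_sys_content_t:*:*write*|httpd_t:httpd_sys_content_t:*:*create*)
        echo "$src $tgt $cls $perms => relabel writable dir to httpd_sys_rw_content_t" ;;
      httpd_t:httpd_*:file:*|httpd_t:httpd_*:dir:*)
        echo "$src $tgt $cls $perms => review: pipe to audit2why; custom module only if it is a real policy gap" ;;
      httpd_t:*:file:*|httpd_t:*:dir:*)
        echo "$src $tgt $cls $perms => relabel: semanage fcontext -a -t httpd_sys_content_t '<path>(/.*)?' && restorecon -Rv <path>" ;;
      *)
        echo "$src $tgt $cls $perms => review: pipe to audit2why; custom module only if it is a real policy gap" ;;
    esac
  done
}

# Stand-alone run over the constructed sample; on a real host: ausearch -m avc -ts recent | avc_hint
printf '%s\n' "$SAMPLE_AVC" | avc_hint
```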

What is the difference between chcon and semanage fcontext?

chcon changes a file's context directly but records nothing in policy, so restorecon or a full relabel reverts it. semanage fcontext adds a permanent rule to the file context policy, so the context survives restorecon and relabeling. For persistent changes, always use "semanage fcontext -a -t type pattern" followed by "restorecon -Rv path".

How do I permanently disable SELinux?

Edit /etc/selinux/config and set SELINUX=disabled, then reboot. Alternatively, add "selinux=0" as a kernel parameter with "grubby --update-kernel ALL --args selinux=0". Note that disabling SELinux is not recommended for production servers; consider using Permissive mode with "setenforce 0" for temporary troubleshooting instead.