The policy can be found at
which is also symlinked to
SELINUX= can take one of these three values:
- enforcing - SELinux security policy is enforced.
- permissive - SELinux prints warnings instead of enforcing.
- disabled - No SELinux policy is loaded.
SELINUXTYPE= can take one of three values:
- targeted - Targeted processes are protected.
- minimum - Modification of targeted policy. Only selected processes are protected.
- mls - Multi Level Security protection.
It can also be seen via
The current mode can be viewed using
Files, ports, etc. are labelled with an SELinux context. For files and directories, extended attributes are used to store these labels, while the kernel manages the labels for processes and similar objects.
They are of the format
The user above is the SELinux user and is different from the normal Linux
The type alone is enough for basic use cases.
SELinux adds the -Z option to several commands to view the labels of the resources they operate on. A few of them are:
Resources that belong together usually get related types in their labels.
Eg. for apache, the following types are observed:
- httpd_config_t for its config directory
- httpd_log_t for its log directory
- httpd_sys_content_t for the webroot
- httpd_initrc_exec_t for the init script
- httpd_t for the process
Type enforcement is the part of the policy that says, for instance, "a process running with the label httpd_t can have read access to a file labeled httpd_config_t".
restorecon may be used to reset the context of a file to its policy default.
When a file is created, it inherits the context of its parent (with a few exceptions).
The login process sets the default context, which is unconfined for the
File transitions (defined by policy) may be set such that if an application labeled foo_t creates a file in a directory labeled bar_t, the file gets the baz_t label.
getsebool -a shows all available booleans
setsebool <boolean_name> <0|1> to set the boolean temporarily
- use the -P argument with it to make the change persistent
- use the setroubleshoot-server on machines used to develop policy modules. Reboot or restart auditd afterwards. This will make the logs in
The SELinux logs tell you what to do in most cases.
A good place to check for currently active booleans is the
Note: editing this file will not change anything.
Modifying policies using setsebool or other commands regenerates the /etc/selinux/targeted directory, so don't bother changing anything in there.
See man chcon for how to change the labels.
Usually to change just the type, use
chcon -t my_type_t /path/to/file
Or even just use
chcon --reference /known/good/file /path/to/target/file
to apply the reference file's security context to the target.
Or maybe you just need to restore the context to its defaults. In this case, use
restorecon -vR /path/to/file
-v is for verbose
- read the man page, btw
restorecon uses information from the /etc/selinux/targeted/contexts/files/file_contexts(*) files to determine what a file or directory's context should be
To add a new default context to be used, we use
semanage fcontext -a -t my_type_t "/foo(/.*)?"
fcontext: for file context
semanage fcontext -a -e /known/good/file /foo
-e: make /foo an equivalent of /known/good/file, so it is labelled the same way
Don't forget to run restorecon afterwards to apply the default context that was just set; semanage only records the rule.
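An added example (not code from the original notes) that mimics how restorecon derives a path's default context from file_contexts-style entries and reports files whose type differs. The file_contexts lines and the ls -Z listing are constructed, and the precedence rule (longest fixed regex prefix wins, later entry wins ties) approximates libselinux's ordering rather than reproducing it.

```python
import re

# Constructed sample in file_contexts(5) layout: regex, optional file-type
# flag, and the context to apply. <<none>> means "do not relabel".
SAMPLE_FILE_CONTEXTS = """\
/.*                       system_u:object_r:default_t:s0
/etc/httpd(/.*)?          system_u:object_r:httpd_config_t:s0
/var/www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
/var/log/httpd(/.*)?      system_u:object_r:httpd_log_t:s0
/foo(/.*)?                system_u:object_r:my_type_t:s0
/proc/.*                  <<none>>
"""

_META = set(".*?+^$|[](){}\\")


def _prefix_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def parse_file_contexts(text):
    """Return (compiled_regex, prefix_len, index, context) tuples; the optional
    middle file-type field (e.g. -d) is ignored in this simplification."""
    specs = []
    for idx, line in enumerate(text.splitlines()):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, context = parts[0], parts[-1]
        specs.append((re.compile("^" + regex + "$"), _prefix_len(regex), idx, context))
    return specs


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)


def expected_context(path, specs=SPECS):
    """Most specific matching spec wins (longest prefix, then later entry).
    Returns None when nothing matches or the winning rule is <<none>>."""
    best = None
    for spec in specs:
        if spec[0].match(path) and (best is None or spec[1:3] > best[1:3]):
            best = spec
    return None if best is None or best[3] == "<<none>>" else best[3]


def find_mislabelled(listing, specs=SPECS):
    """listing: '<context> <path>' lines as printed by ls -Z. Like a plain
    restorecon run, only the type field is compared, not user/role/level."""
    bad = []
    for line in filter(str.strip, listing.splitlines()):
        actual, path = line.split(None, 1)
        expected = expected_context(path, specs)
        if expected and actual.split(":")[2] != expected.split(":")[2]:
            bad.append((path, actual.split(":")[2], expected.split(":")[2]))
    return bad
```

Feeding it a listing such as "unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html" reports that file as user_home_t where httpd_sys_content_t is expected, which is what restorecon -nv would flag.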
When working on creating a policy, a good approach is to put SELinux in permissive mode so that it only logs the denials. Then, after exercising the application, use something like
grep httpd /var/log/audit/audit.log | audit2allow -M mymodulelocal
to create a new policy module based on the audit log. Review the generated mymodulelocal.te before installing it, since audit2allow allows everything it saw denied. Then use
semodule -i mymodulelocal.pp
to install (-i) the module.
audit2why can be used in a similar fashion to audit2allow to get a human-readable description of the denials.
Setting SELinux straight to enforcing usually doesn't end so well.
So first set it to permissive, touch a file called .autorelabel in the root of the filesystem and reboot. This will relabel the whole filesystem to work with
After it's done relabelling, set SELinux to enforcing.