- 1 Overview
- 2 Basic SELinux Security Concepts
- 2.1 SELinux runing status
- 2.2 SELinux autorelabel
- 2.3 View SELinux context
- 2.4 Manual change of SELinux context
- 2.5 Add a new folder or file permanently to SELinux policy
- 2.6 SELinux log
- 2.7 the se-troubleshoot package
- 2.8 getsebool and setsebool commands
“SELinux is a security enhancement to Linux which allows users and administrators more control over access control.” (selinuxproject.org”
Basic SELinux Security Concepts
SELinux runing status
To enable SELinux (mostly enabled by default) use:
To verify run the command:
getenforce #Output Enforcing
To change the default status of SELinux on boot edit the file ‘/etc/selinux/config’ and change the following:
enforcing = SELinux will block any unauthorized access.
permissive = SELinux will only log unauthorized access but will not block it.
disabled = SELinux disabled completely.
to relabel the entire file-system at boot create a file ‘/.autorelabel’ and reboot:
when enabling SELinux for the first time relabel is needed and will be done automatically in the next reboot.
View SELinux context
To view file and Folder contexts add the capital ‘Z’ switch to the ‘ls’ command:
ls -lZ /var/www/html/
Output will be something like this:
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
‘httpd_sys_content_t’ is the security context for ‘/var/www/html/’.
Manual change of SELinux context
‘restorecon’ and ‘chcon’ are the commands used to correct SELinux context.
‘restorecon’ restores the context according to the SELinux default policy.
for example restore default ‘/tftpboot’ folder policy:
restorecon -r /tftpboot
With ‘chcon’ you can manually set a context not in the default policy,
for example set httpd context on ‘/www’
chcon -v --type=httpd_sys_content_t /www
using ‘chcon’ is no recommended, it is better to add the rule to the policy itself since SELinux autorelable will change any context according to the default policy.
Add a new folder or file permanently to SELinux policy
you can make permanent changes to the SELinux policy using ‘semanage’ command.
for example set ‘/www’ with httpd context:
semanage fcontext -a -t httpd_sys_content_t /www
‘semanage’ doesn’t change the context on ‘/www’ it only changes the policy of ‘/www’ so we still need to run ‘restorecon’:
restorecon -r /www
SELinux log is usually located (in CentOS/Fedora) at ‘/var/log/audit/audit.log’
You will find this log very hard to understand without using ‘sealert’ command from se-troubleshoot package.
the se-troubleshoot package
install se-troubleshoot package
yum install -y setroubleshoot setools
sealert is used to analyze and scan the audit.log file for SELinux issues:
sealert -a /var/log/audit/audit.log
each block contains a separate issue and includes a possible solution in the end, for example:
SELinux denied access to /www/ requested by httpd. /www/ has a context used for sharing by different program. If you would like to share /www/ from httpd also, you need to change its file context to public_content_t. If you did not intend to this access, this could signal a intrusion attempt. Allowing Access: You can alter the file context by executing 'chcon -t public_content_t /www/' Fix Command: chcon -t public_content_t '/www/'
getsebool and setsebool commands
SELinux has Boolean values we can change within any policy.
for a list of values run
using setsebool to change httpd SELinux policy to ‘allow_httpd_anon_write’:
setsebool -P allow_httpd_anon_write on
the ‘-P’ switch in ‘setsebool’ command makes the change permanent.
DevOps/IT Specialist, Musician.
IT Manager – Faculty of Exact Sciences, Bar-Ilan University
The blogs you do produce are really fantastic and interesting blogs. I like to say that please continue with blogging because you produce the concrete information and deep knowledge to make the world a place of knowledgeable people.