SELinux

What Is It?

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system built into the Linux kernel. It confines processes to the minimum set of resources they need, providing an additional security layer beyond traditional Unix permissions.

Installation

dnf install policycoreutils-python-utils   # management tools: provides semanage and audit2allow

Key Files and Directories

Path                        Purpose
/etc/selinux/config         SELinux mode configuration
/var/log/audit/audit.log    SELinux denial logs (AVC messages)

Configuration

SELinux assigns security contexts (labels) to every file, process, and port. Policies define which contexts can interact. When a process tries to access a resource its policy does not allow, SELinux denies the access and logs it.

Minimal Working Configuration

SELinux has three modes, configured in /etc/selinux/config:

SELINUX=enforcing     # Enforce policies (block and log violations)
# SELINUX=permissive  # Log violations but do not block
# SELINUX=disabled    # Completely off (not recommended)
SELINUXTYPE=targeted  # Only confine targeted processes

Check current mode:

getenforce          # Returns: Enforcing, Permissive, or Disabled
sestatus            # Detailed status

Temporarily switch mode (does not survive reboot):

setenforce 0        # Switch to permissive
setenforce 1        # Switch to enforcing

Important Directives

Security Context
A label in the format user:role:type:level (e.g. system_u:object_r:httpd_sys_content_t:s0). The type is the most important component for targeted policy.
File Contexts
Every file has an SELinux type. Under the targeted policy, Apache (httpd_t) can read content labelled httpd_sys_content_t but may write only to files labelled httpd_sys_rw_content_t.
Booleans
On/off switches for specific policy behaviours. For example, httpd_can_network_connect controls whether Apache can make outbound network connections (needed for reverse proxying).
restorecon
Resets file contexts to their default policy values. Essential after moving or creating files in SELinux-managed directories.
chcon
Temporarily changes file context. Changes are lost on restorecon or relabel. Use semanage fcontext for persistent changes.
semanage fcontext
Persistently defines file context rules that survive restorecon.

Common Commands

# Check current mode
getenforce
sestatus

# View file context
ls -Z /var/www/html/

# View process context
ps -eZ | grep httpd

# Temporarily change file context
chcon -R -t httpd_sys_rw_content_t /var/www/html/wordpress

# Persistently set file context (survives restorecon)
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/wordpress(/.*)?"
restorecon -Rv /var/www/html/wordpress

# Restore default contexts after file operations
restorecon -Rv /var/named
restorecon -Rv /var/www/html

# List and set booleans
getsebool -a | grep httpd
setsebool -P httpd_can_network_connect 1    # -P makes it persistent

# Check for recent denials
ausearch -m avc -ts recent

# Generate a policy module to allow a denied action
# Review the generated mypolicy.te before installing it: an over-broad allow rule
# weakens the policy, so prefer a boolean or a relabel where one exists
audit2allow -a -M mypolicy
semodule -i mypolicy.pp

Logging and Debugging

  • Audit log: /var/log/audit/audit.log contains all SELinux denial messages (AVC denials).
  • Search denials: ausearch -m avc -ts recent shows recent denials with full context.
  • sealert: If setroubleshoot-server is installed, sealert -a /var/log/audit/audit.log provides human-readable explanations and suggested fixes.
  • Permissive mode for debugging: Temporarily run setenforce 0 to test whether SELinux is causing an issue. If the service works in permissive mode, the audit log contains the specific denial (permissive mode still logs it).

Troubleshooting checklist:

  1. getenforce — is SELinux in enforcing mode?
  2. ausearch -m avc -ts recent — any recent denials?
  3. ls -Z <file> — is the file context correct?
  4. restorecon -Rv <path> — fix contexts after file operations
  5. getsebool -a | grep <service> — is the required boolean enabled?
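The checklist above ends at the audit log. The following is an added example (not part of the original page): a small POSIX shell script that summarises AVC denial lines from /var/log/audit/audit.log and maps the two patterns this page discusses (Apache outbound connects, Apache writes to read-only content) to the boolean or relabel fix recommended here. SAMPLE_AVC is constructed input in the real audit.log AVC format; the hint rules are illustrative, not a complete decision table.

```shell
#!/bin/sh
# Added example: summarise AVC denials and suggest the fix this page recommends.
# SAMPLE_AVC is constructed sample input shaped like real audit.log AVC records.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="wp-config.php" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Reads AVC lines on stdin and prints one line per denial:
#   comm source_type permissions target_type tclass permissive
# Only the type (third field) of each context is kept, as the page notes it is
# the component that matters under the targeted policy.
avc_summary() {
  awk '/avc: *denied/ {
    perm = $0; sub(/.*denied *[{] */, "", perm); sub(/ *[}].*/, "", perm)
    gsub(/ /, ",", perm)                      # "read open" -> "read,open"
    comm = ""; stype = ""; ttype = ""; tclass = ""; pmode = "?"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)       { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
      if ($i ~ /^scontext=/)   { split($i, c, ":"); stype = c[3] }
      if ($i ~ /^tcontext=/)   { split($i, c, ":"); ttype = c[3] }
      if ($i ~ /^tclass=/)     { tclass = substr($i, 8) }
      if ($i ~ /^permissive=/) { pmode = substr($i, 12) }
    }
    print comm, stype, perm, ttype, tclass, pmode
  }'
}

# Maps each summary line to the remedy this page recommends for that pattern:
# boolean first, then relabel, and only then a reviewed custom module.
avc_hint() {
  while read -r comm stype perm ttype tclass pmode; do
    case "$stype/$tclass/$perm/$ttype" in
      httpd_t/tcp_socket/*name_connect*/*)
        echo "$comm: outbound connect denied; try: setsebool -P httpd_can_network_connect 1" ;;
      httpd_t/file/*write*/httpd_sys_content_t)
        echo "$comm: write to read-only web content; relabel: semanage fcontext -a -t httpd_sys_rw_content_t <path> && restorecon -Rv <path>" ;;
      *)
        echo "$comm: no boolean/relabel match ($stype $perm $ttype $tclass); run sealert before considering audit2allow" ;;
    esac
  done
}

# Stand-alone run on the constructed sample (use: ausearch -m avc -ts recent | avc_summary | avc_hint)
printf '%s\n' "$SAMPLE_AVC" | avc_summary | avc_hint
```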

Security Considerations

  • Never disable SELinux permanently: Use setenforce 0 temporarily for debugging, then fix the root cause and re-enable. Disabling SELinux removes a critical security layer.
  • Use restorecon after file operations: Moved files keep their original context (mv preserves the source label, and cp -a/--preserve does too), so a file moved from a home directory into /var/www/html may still carry an incorrect context. Always run restorecon -Rv on the target directory.
  • Prefer semanage fcontext over chcon: chcon changes are temporary and lost on relabel. semanage fcontext + restorecon is the correct persistent approach.
  • Booleans before custom policies: Before writing custom SELinux modules, check if an existing boolean solves the problem (e.g. httpd_can_network_connect for Apache proxying).
  • Ansible integration: Use the seboolean and sefcontext Ansible modules to manage SELinux in automation.

Further Reading

  • Concepts: Users and Permissions
  • SOPs: Service Management