SELinux Commands
SELinux (Security-Enhanced Linux) is a security architecture for Linux that provides a flexible mandatory access control (MAC) system. Understanding and managing SELinux is crucial for securing your Linux systems. This guide provides essential commands for checking SELinux status, managing file contexts, booleans, and troubleshooting common issues.
Check SELinux Status
To determine the current state of SELinux on your system, you can use the following commands:
# To get the current SELinux mode (Enforcing, Permissive, or Disabled)
getenforce
# or
sestatus
# To view the persistent SELinux configuration (the mode applied at boot; setenforce does not change it)
cat /etc/selinux/config
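The runtime mode and the persistent setting can disagree: `setenforce 0` on a host whose config says `enforcing` comes back enforcing after a reboot, and a host running enforcing with `SELINUX=disabled` in the config silently loses SELinux at the next boot. The following shell function is an added example, not part of the original page, that compares the two and flags drift. The config text is constructed for the demo; on a real host call it as `selinux_drift "$(getenforce)" "$(cat /etc/selinux/config)"`.

```shell
#!/bin/sh
# Added example: detect drift between the runtime SELinux mode and the
# persistent setting in /etc/selinux/config. SAMPLE_CONFIG is constructed
# for the demo and mirrors the layout of the real file.

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted
'

# Print the value of the SELINUX= key from config text on stdin, ignoring
# comment lines, surrounding whitespace and the similarly named SELINUXTYPE=.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = runtime mode as printed by getenforce, $2 = text of /etc/selinux/config.
# Prints a one-line verdict; returns 0 when consistent, 1 on drift.
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    persistent=$(printf '%s\n' "$2" | config_mode)
    # A missing key means the init code falls back to enforcing.
    [ -n "$persistent" ] || persistent="enforcing"
    if [ "$runtime" = "$persistent" ]; then
        echo "ok: runtime=$runtime persistent=$persistent"
        return 0
    fi
    case "$persistent" in
        disabled) echo "DRIFT: SELinux is $runtime now but will be disabled after the next reboot" ;;
        *)        echo "DRIFT: runtime=$runtime persistent=$persistent (setenforce used without editing the config)" ;;
    esac
    return 1
}

# Demo: pretend getenforce printed Enforcing; exit status 1 signals drift.
selinux_drift "Enforcing" "$SAMPLE_CONFIG" || :
```

A non-zero exit makes the function usable as a compliance check in a cron job or a configuration-management health probe.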
Manage SELinux Modes
You can temporarily switch SELinux to permissive mode, in which policy violations are logged but not enforced. This is useful for troubleshooting, but it also means the policy is not protecting the system while it lasts, so use it on a test host or for a short window and switch back with `setenforce 1` afterwards. The change does not survive a reboot, and `setenforce` cannot switch between Disabled and the other modes; that requires editing /etc/selinux/config and rebooting.
# To set the SELinux status to permissive (temporary; setenforce 1 returns to enforcing)
setenforce 0
Manage File and Process Contexts
SELinux uses security contexts to define access controls. These commands help you view and manage them.
# To get the security context of files
ls -Z
# To get the security context of running processes
ps -Z
# To get the security context of network sockets
ss -Z
# To get the security context of users
id -Z
Manage SELinux Booleans
SELinux booleans are on/off switches that control specific SELinux policy behaviors without requiring a full policy recompile.
# To list all available SELinux booleans and their current states
getsebool -a
# To set a boolean to a specific state (1 for on, 0 for off); -P also writes it to the policy store so it survives a reboot
setsebool -P foo_bar 1
# To view booleans that have been changed from their defaults (this file is the targeted policy store; semanage boolean -l -C prints the same list)
sudo cat /var/lib/selinux/targeted/active/booleans.local
Manage SELinux File Contexts
This section covers commands for setting and restoring file security contexts.
# To manually set a specific security context for a file (not persistent: the next restorecon or relabel reverts it)
sudo chcon -t foo_bar_t /foo/bar/baz.txt
# To restore the default SELinux context for files and directories recursively (-v prints each change)
sudo restorecon -vR /foo/bar/
# To define a persistent file context rule using semanage (the quoted regex covers the directory and everything below it)
sudo semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?"
# Alternatively, to make a new location equivalent to an existing directory's context rules
sudo semanage fcontext -a -e /var/www/html /foo
# semanage only records the rule in the policy database; run restorecon afterwards to relabel the files
sudo restorecon -vR /foo
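After labelling a directory it is worth verifying that every file actually ended up with a type the service is allowed to use, since a single stray `user_home_t` or `default_t` file is enough to produce AVC denials. The following shell functions are an added example, not part of the original page: they parse `ls -Z` output and report files whose type is not in an allowed set. The `ls -Z` lines, the path /srv/site and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: report files under a web root whose SELinux type is not one
# the httpd policy expects. SAMPLE_LS_Z is constructed to look like the
# output of `ls -Z /srv/site`; on a real host pipe `ls -Z` in directly.

SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 style.css
unconfined_u:object_r:user_home_t:s0 upload.php
system_u:object_r:httpd_sys_rw_content_t:s0 cache
unconfined_u:object_r:default_t:s0 notes.txt'

# Extract the type field (user:role:type:level -> third field) from a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context name" lines on stdin and print "name: type" for every entry
# whose type is not among the allowed types passed as arguments.
# Returns 1 if any mislabeled entry was found, 0 otherwise.
find_mislabeled() {
    allowed=" $* "
    found=0
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        case "$allowed" in
            *" $t "*) ;;                      # type is allowed
            *) echo "$name: $t"; found=1 ;;
        esac
    done
    return $found
}

# Commands to run on a real host after find_mislabeled reports a problem
# (illustrative; /srv/site is an assumed path, not executed by the demo).
fix_labels() {
    sudo semanage fcontext -a -t httpd_sys_content_t "/srv/site(/.*)?" \
        && sudo restorecon -vR /srv/site
}

# Demo run against the constructed listing; exit status 1 means work to do.
printf '%s\n' "$SAMPLE_LS_Z" \
    | find_mislabeled httpd_sys_content_t httpd_sys_rw_content_t || :
```

On a live system the check is `ls -Z /srv/site | find_mislabeled httpd_sys_content_t httpd_sys_rw_content_t`; the non-zero exit status lets a deployment script stop before the service starts with unreadable content.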
Troubleshoot SELinux Issues
When SELinux denies access, the kernel records an AVC message in the audit log (/var/log/audit/audit.log). The `setroubleshoot` package reads those records, explains the likely cause, and suggests a fix (a boolean, a relabel, or a custom module).
# First, install the setroubleshoot packages
sudo dnf install setroubleshoot setroubleshoot-server
# Check the journal for setroubleshoot's analysis of recent denials (each entry names a sealert -l <id> command for the full report)
sudo journalctl -t setroubleshoot
Create SELinux Modules
For more complex policy adjustments, you can create custom SELinux modules. A module generated by audit2allow allows exactly what was denied, so it should be a last resort after checking whether a boolean or a relabel solves the problem; review the generated .te file before installing it.
# Capturing denials in permissive mode records every access the policy would block, because nothing is denied at the first step; do this on a test system, not production
sudo setenforce 0
# Watch the audit log for AVC denials while exercising the application
sudo tail -f /var/log/audit/audit.log
# Select the relevant denials (here by a keyword such as the process name) and generate a policy module from them
sudo grep foobar /var/log/audit/audit.log | audit2allow -M mypol
# Review mypol.te, then install the compiled module and return to enforcing mode
sudo semodule -i mypol.pp
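Before running audit2allow it helps to see exactly which source type, target type, object class and permissions a module would allow, because many denials are better fixed with a boolean or a relabel than with a new allow rule. The following shell functions are an added example, not part of the original page: they summarise AVC records and suggest the least-privilege fix for each. The audit lines are constructed for the demo; `build_module` shows the real commands for a live host and is not run here.

```shell
#!/bin/sh
# Added example: triage AVC denials before turning them into a policy
# module. SAMPLE_AUDIT is constructed in the format of /var/log/audit/audit.log.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/web/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13'

# Print one "source_type target_type class permission" line per denied
# permission for the AVC records on stdin, de-duplicated. Other records are ignored.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perms = $0
            sub(/.*denied +[{] */, "", perms)   # keep text after "denied {"
            sub(/ *[}].*/, "", perms)           # drop everything from "}" on
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
        }' | sort -u
}

# Read summary lines and print the fix to try first for each denial.
triage() {
    while read -r src tgt cls perm; do
        case "$tgt" in
            *_port_t)
                echo "$src -> $tgt $perm: look for a boolean first (getsebool -a | grep ${src%_t})" ;;
            *)
                case "$cls" in
                    file|dir|lnk_file)
                        echo "$src -> $tgt $cls $perm: check the label first (restorecon / semanage fcontext); allow only if the label is right" ;;
                    *)
                        echo "$src -> $tgt $cls $perm: candidate for audit2allow; review the .te before semodule -i" ;;
                esac ;;
        esac
    done
}

# Commands for a live host (not run in the demo): collect recent denials for
# one process name, build a module and stop so the .te can be reviewed.
build_module() {   # $1 = module name, $2 = comm value to match (e.g. httpd)
    sudo ausearch -m AVC,USER_AVC -ts recent -c "$2" | audit2allow -M "$1"
    echo "review $1.te, then: sudo semodule -i $1.pp && sudo setenforce 1"
}

# Demo run against the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | triage
```

In the constructed data the `name_connect` denial to `mysqld_port_t` is the textbook case where a boolean (`httpd_can_network_connect_db`) is the right fix, and the `user_home_t` file denials point at content that should be relabeled `httpd_sys_content_t` rather than an allow rule letting httpd read home directories.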
Graphical SELinux Tools
For users who prefer a graphical interface, SELinux management tools are available.
# Install the SELinux GUI tools
sudo dnf install policycoreutils-gui
By mastering these SELinux commands, you can effectively manage and secure your Linux environment.