Joseph Herlant
version 1.0.0, 2014-07-08 : Initial version

1. Basics

Main SELinux configuration file: /etc/selinux/config. Changing values in that file requires a reboot.

Enforcing levels:
  • disabled → SELinux is fully disabled

  • permissive → Logs warnings and actions that would be done by enforcing but do not block anything.

  • enforcing → SELinux policies are fully applied

SELinux contexts:
  • Users:

    • unconfined_u → unprotected user

    • system_u → system user

    • user_u → normal user

  • Role:

    • object_r → file

    • system_r → users and processes

    • unconfined_r → unprotected file or process

  • Domain:

    • unconfined_t → unprotected file or process (most common)

    • etc_t → for files in /etc directory

    • plenty of other domains are available

SELinux logs in:
  • /var/log/audit/audit.log → main log file

  • /var/log/messages → Should normally also contain SELinux denials

2. Usefull commands

  • sestatus → Shows selinux status

  • getenforce → Shows the current enforcing level

  • setenforce → Temporarly changes selinux enforcing level (do not touches /etc/selinux/config file

  • ls -Z → Shows security context of the files

  • ps -ZC atd → Shows security context of the atd process

  • chcon -vu user_u install.log → Changes the security context of the install.log file to users_u user context

  • restorecon -Rv /tftpboot → Resets the original context of the /tftpboot directory (or set it correctly when you change the tftpboot service directory)

  • matchpathcon /my/path → Gets the default SELinux security context for the specified path from the file contexts configuration

  • sestatus -b or getsebool -a → Shows all boolean options for services

  • semanage boolean -l → Provides the same info as previos command but with a description (provided by the policycoreutils-python package)

  • setsebool -P tftp_use_nfs=1 → Enables permanently this boolean

  • sealert is also a very usefull command when it comes to troubleshooting.

  • ausearch -ts 16:00 | grep AVC → Lists all access violations since 16h the one that is in the previous 24 hours

  • ausearch -ts this-month | grep denied → Lists all deactions denied by SELinux during the current month. You can put a date there, but be careful of your locale which it will depend on.

3. Port labeling

Port labeling in SELinux is to allow services to use non standard ports. For example, by default, ssh will need to be on port 22 to work correctly with SELinux. Now let’s say that you configured ssh to listen on port 2222 instead. You’ll have to issue the following command to make it work:

semanage port -a -t ssh_port_t -p tcp 2222

The semanage port -l command will show the currently configured port labels.

4. From GRUB

To disable selinux from grub, add selinux=0 to the kernel line.

To let selinux be loaded, but setting enforcing to permissive, add enforcing=0 to the kernel line.

5. Troubleshooting

The best way to troubleshoot is to install the setroubleshoot-server and setroubleshoot-plugins. Then, each time SELinux blocks something, an alert will be created in /var/log/messages with the instructions to help you solving hte issue and the id to use with sealert.

If you are running a graphical environment, you may to consider installing also the setroubleshoot package which provides a GUI to troubleshoot even more easily.

For some really interesting topics about SELinux, consider having a look to the Dan Walsh’s blog: