SELinux configuration basics
In Fedora 12 SELinux is enabled by default, and using it we can improve the security of the system. With SELinux enabled every file, user and process carries a SELinux context of the form 'user:role:type:level', where the level is a sensitivity optionally followed by categories (for example 's0' or 's0:c0.c1023'). Here 'user' is the SELinux user, not the Linux account: it is assigned at login and stays the same even if we later use 'su -' to change our privilege level. 'role' is 'object_r' for files; processes and logged-in users carry roles such as 'system_r' or 'unconfined_r'. 'type' is the part of the context on which the targeted policy actually enforces its rules: a process running as type 'httpd_t' may only access files whose type the policy allows it to, so most SELinux troubleshooting comes down to checking and correcting types.
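As an added example (not from the original page), the following shell functions pull the four fields out of a context string and out of one line of 'ls -Z' or 'ps -Z' output. The sample lines are constructed, not captured from a host; the point of 'ctx_level' is that an MLS level such as 's0-s0:c0.c1023' itself contains ':', so the level must be taken as everything from the fourth field onwards rather than as field four alone.

```sh
#!/bin/sh
# Added example: split an SELinux context "user:role:type[:level]" into fields.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
# The level may contain ':' (MLS range s0-s0:c0.c1023), so keep field 4 to the end.
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Pick the context column out of one line of 'ls -Z' or 'ps -Z' output:
# the first whitespace-separated field that contains at least two ':'.
line_ctx() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }'
}

# Return 0 when the file described by an 'ls -Z' line carries the expected type.
line_has_type() {   # $1 = ls -Z line, $2 = expected type
    [ "$(ctx_type "$(line_ctx "$1")")" = "$2" ]
}

# Constructed sample output (Fedora 12 'ls -Z' and 'ps -Z' layout), not captured.
LS_LINE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html'
PS_LINE='system_u:system_r:httpd_t:s0       1234 ?        00:00:00 httpd'
MLS_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

for ctx in "$(line_ctx "$LS_LINE")" "$(line_ctx "$PS_LINE")" "$MLS_CTX"; do
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$(ctx_user "$ctx")" "$(ctx_role "$ctx")" "$(ctx_type "$ctx")" "$(ctx_level "$ctx")"
done

if line_has_type "$LS_LINE" httpd_sys_content_t; then
    echo "index.html is labelled for httpd_t to read (httpd_sys_content_t)"
else
    echo "index.html has an unexpected type"
fi
```

On a real host the sample strings would be replaced by the output of 'ls -Z <file>' and 'ps -ZC httpd'; the parsing does not change.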
SELinux file context
Seeing current SELinux context
To see the current SELinux context of files we can use the 'ls -Zl' command (for a directory itself rather than its contents, add the '-d' option).
Changing SELinux context
We can change the SELinux context of files or directories recursively using
chcon -R <new_context> <files> <directories>
Verify with 'ls -lZ' after changing the context.
If we only want to change the type part of the context and not the entire context, we can use
chcon -R -t <new_type> <files> <directories>
We can also use a file whose context is known to be correct as a reference and set the same context on the destination files:
chcon -R --reference=<file_with_correct_context> <files> <directories>
Note that chcon only changes the label stored on disk; it does not tell the policy about the change, so a later 'restorecon' or a full filesystem relabel will put the old context back. For a change that should survive, add a file-context rule with 'semanage fcontext' and apply it with 'restorecon' (see the file-context policy section below).
Switching SELinux to permissive mode during troubleshooting
To find out whether a problem is caused by SELinux, we can temporarily switch it to permissive mode with
setenforce 0
In permissive mode the policy stays loaded and denials are still logged to the audit log, but they are no longer enforced; if the problem disappears, SELinux was the cause, and the logged denials show which access was refused. Check the current mode with 'getenforce'. To return to enforcing mode use
setenforce 1
'setenforce' only affects the running system; the mode used at boot is set in /etc/selinux/config.
Seeing SELinux context of process
To see the SELinux context of a process we can use the '-Z' switch of the ps command; for example, to see the context of Apache, whose executable is named 'httpd', we can use
ps -ZC httpd
SELinux booleans
See value of all SELinux booleans
To see the values of all SELinux boolean parameters we can use
getsebool -a
We can also use 'ls /selinux/booleans' (the selinuxfs mount point on Fedora 12) to see just the names of the boolean variables.
Setting value of SELinux booleans
To set some value for SELinux boolean we can use
setsebool -P <boolean_name> (1|0)
Here, -P is to make change permanent and persist even after reboot. If we want the change only till we reboot the system then do not use '-P' option, so that only running copy is affected.
SELinux ports
See SELinux context of ports
To see SELinux context of ports we can use
semanage port -l
Add port to SELinux port context
To label a port with a SELinux port type we can use
semanage port -a -t <selinux_context_type> -p <protocol> <port_number>
Here -a indicates port addition and <protocol> is tcp or udp. If the port already has a type, 'semanage port -a' fails with an "already defined" error; change an existing label with 'semanage port -m' instead.
Delete port from SELinux port context
To delete port from SELinux type we can use
semanage port -d -t <selinux_context_type> -p <protocol> <port_number>
Here, -d is to indicate port deletion.
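As an added example (not from the original page), the following script decides between 'semanage port -a' and 'semanage port -m' by first looking the port up in 'semanage port -l' output. The listing below is constructed to show the two layouts that command prints, comma-separated port lists and low-high ranges; on a real host PORT_LIST would be filled from 'semanage port -l'.

```sh
#!/bin/sh
# Added example: check whether a port is already labelled before adding a label.

# Constructed sample of 'semanage port -l' output (not captured from a host).
PORT_LIST='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-61000
ephemeral_port_t               udp      32768-61000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514'

# Print the type that owns port $1 on protocol $2 (tcp|udp); prints nothing if
# the port is unlabelled. Handles both comma-separated lists and ranges.
port_type() {
    printf '%s\n' "$PORT_LIST" | awk -v port="$1" -v proto="$2" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p == port) { print $1; exit }
            }
        }'
}

# Print the semanage command that labels port $1/$2 as type $3, choosing
# -a (not yet labelled) or -m (already labelled with another type).
port_label_cmd() {
    cur=$(port_type "$1" "$2")
    if [ -z "$cur" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$3" "$2" "$1"
    elif [ "$cur" = "$3" ]; then
        printf '# %s/%s is already labelled %s, nothing to do\n' "$1" "$2" "$3"
    else
        printf 'semanage port -m -t %s -p %s %s\n' "$3" "$2" "$1"
    fi
}

port_label_cmd 8080  tcp http_port_t   # not listed anywhere: -a
port_label_cmd 8443  tcp http_port_t   # already http_port_t
port_label_cmd 40000 tcp http_port_t   # inside the ephemeral range: -m
```

The last case is the one that bites in practice: a port inside a range such as 32768-61000 looks unused in the list but is owned by ephemeral_port_t, so only -m will relabel it.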
SELinux file-context policy
Seeing current file-context policy
To see current file-context policy use
semanage fcontext -l
Checking context against policy
We can check context against policy and if required change the context to conform to current SELinux policy. To check context of files and directories we can use
restorecon -nvr <path>
Here -n is so that changes are not performed, -v is for verbose and -r is for recursive checking.
Changing context to conform to policy
If we want to change context so that it conforms to SELinux policy then we can use
restorecon -vr <path>
Here -r is for recursion and -v for verbose so that we know the names of files whose context has been changed and their older and new context.
Changing policy to define file-context based on path
restorecon uses the policy's file-context rules to check and restore the context of files based on their path. We can add our own rules to that policy so that restorecon applies the context we want to a path instead of the default one. To add a file-context rule for a particular path pattern use
semanage fcontext -a -t <desired_type> "<regular expression matching path>"
Here -a adds the rule to the policy. A very good example, given in the man page, is 'semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"'. Note how the '(/.*)?' pattern matches the directory itself and everything below it while avoiding names like '/webabc', because the pattern is matched against the whole path. The rule only describes the desired labels; run 'restorecon -Rv /web' afterwards to apply it to the files that already exist.
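As an added example (not from the original page or the semanage man page), the following script tests a file-context pattern against sample paths before the rule is added, matching it anchored at both ends the way the labelling code does. The rule list is a constructed stand-in for 'semanage fcontext -l' output; in this toy the last matching rule is reported, which is what lets the more specific '/web/cgi-bin' rule override the general '/web' one, and the paths are made up rather than taken from a real directory.

```sh
#!/bin/sh
# Added example: dry-run a file-context regex before 'semanage fcontext -a'.

# 0 when the pattern (as given to semanage) matches the whole path.
fc_match() {   # $1 = pattern, $2 = path
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Constructed rule list, "pattern type" per line; not real policy output.
RULES='/web(/.*)?            httpd_sys_content_t
/web/cgi-bin(/.*)?    httpd_sys_script_exec_t
/web/uploads(/.*)?    httpd_sys_rw_content_t'

# Print the type the rule list assigns to path $1 (last matching rule wins in
# this example); prints nothing when no rule matches.
fc_type() {
    printf '%s\n' "$RULES" | awk -v path="$1" '
        NF == 2 && path ~ ("^" $1 "$") { t = $2 }
        END { print t }'
}

for p in /web /web/index.html /web/cgi-bin/x.cgi /web/uploads/a.png /webabc; do
    if fc_match '/web(/.*)?' "$p"; then m=match; else m="no match"; fi
    printf '%-22s %-9s -> %s\n' "$p" "$m" "$(fc_type "$p")"
done

# Once the pattern behaves as intended, on the host:
#   semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
#   restorecon -Rv /web
```

'/webabc' gets no match and no type because the anchored pattern requires either the end of the path or a '/' immediately after '/web'; a pattern written as '/web.*' would wrongly catch it.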