SELinux

SELinux enforcing/permissive modes, file contexts, port labeling, booleans, and audit2allow troubleshooting.

SELinux Modes & Status

Check current SELinux status
getenforce
Detailed status — policy, mode, deny count
sestatus
Output
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
Temporarily switch to permissive (survives until reboot)
sudo setenforce 0    # Permissive — logs denials but doesn't block
sudo setenforce 1    # Enforcing — blocks and logs
Never setenforce 0 in production and walk away. It is a diagnostic tool, not a fix. setenforce only toggles between enforcing and permissive; it cannot turn SELinux on if the system booted with SELINUX=disabled.
Permanently change mode (requires reboot)
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
Coming from SELINUX=disabled, anything created while SELinux was off is unlabeled, so force a full relabel on the next boot (sudo touch /.autorelabel) before rebooting, or services will fail under enforcing.

File Contexts — The Core Concept

SELinux labels every file, process, and port with a context. When a process tries to access a file, SELinux checks if the process context is allowed to access the file context. If not, denied.

View file contexts
ls -Z /var/log/messages
Output
system_u:object_r:var_log_t:s0 /var/log/messages

Format: user:role:type:level — the type (var_log_t) is what matters 99% of the time.

View contexts for a directory tree
ls -laZ /etc/httpd/
View process contexts
ps auxZ | grep httpd
View your own context
id -Z

Fixing Context Mismatches — The #1 SELinux Problem

When you move files (mv), they keep the label they had at the source; copying (cp) gives the new file the default label of the destination directory. A file moved from a home directory or /tmp into /var/www/html therefore arrives with a home or tmp type instead of httpd_sys_content_t, and httpd cannot read it. This is the most common SELinux denial.

Restore default context for a file
sudo restorecon -v /var/www/html/index.html
Restore recursively (entire directory tree)
sudo restorecon -Rv /var/www/html/
Set a specific context manually
sudo chcon -t httpd_sys_content_t /var/www/html/custom.html
chcon is not permanent: the label survives a reboot, but any relabel (restorecon, a full /.autorelabel, a package update that restores contexts) resets it to the policy default. Use semanage fcontext for changes that should stick.
Make a permanent context rule
sudo semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
sudo restorecon -Rv /srv/web/
List all custom context rules
sudo semanage fcontext -l -C

Booleans — Feature Switches

SELinux booleans toggle specific permissions without writing custom policy.

List all booleans (several hundred on the targeted policy)
getsebool -a
Search for relevant booleans
getsebool -a | grep httpd
Enable a boolean (persistent)
sudo setsebool -P httpd_can_network_connect on
Common booleans you’ll use
# Allow HTTPD to connect to network (APIs, proxying)
sudo setsebool -P httpd_can_network_connect on

# Allow HTTPD to send mail
sudo setsebool -P httpd_can_sendmail on

# Allow Samba to share home directories
sudo setsebool -P samba_enable_home_dirs on

# Allow NFS home directories
sudo setsebool -P use_nfs_home_dirs on

# Allow HTTPD to read user content
sudo setsebool -P httpd_read_user_content on

Troubleshooting Denials

Check for denials in the last 10 minutes (that is what -ts recent means)
sudo ausearch -m AVC -ts recent
More readable — use sealert (install setroubleshoot-server)
sudo sealert -a /var/log/audit/audit.log
Watch denials in real-time
sudo tail -f /var/log/audit/audit.log | grep denied
Generate a policy module to allow a specific denial
sudo ausearch -m AVC -ts recent | audit2allow -M mypolicy
sudo semodule -i mypolicy.pp
audit2allow is powerful but dangerous. -M writes mypolicy.te next to the compiled mypolicy.pp; read the .te before semodule -i. It allows exactly what was denied, including whatever a bug or an attacker was attempting, and it will happily generate an allow rule where a boolean or a relabel was the right answer. Run audit2why first.
Quick one-liner: find denial, understand it, fix it
# 1. Find the denial
sudo ausearch -m AVC -ts today | head -20

# 2. Understand it
sudo ausearch -m AVC -ts today | audit2why

# 3. If it's a boolean issue, audit2why tells you which boolean to set
# 4. If it's a context issue, restorecon or semanage fcontext
# 5. If it's genuinely missing policy, audit2allow -M
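The three-way decision above (relabel, port, or boolean/missing policy) can be made from the raw AVC record before reaching for audit2allow. The script below is an added example, not part of the original page: it parses AVC records with plain text tools so it also runs on a box without SELinux, and its "relabel" verdict is a heuristic based on the target types that usually mean a file was created or moved without the right label. The sample records are constructed (the first mirrors the vault_t -> default_t incident described on this page); `--live` feeds it real records from ausearch.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): triage raw AVC records and say
# which of the page's fixes applies before reaching for audit2allow.
#   relabel -> restorecon / semanage fcontext (target type looks like label drift)
#   port    -> semanage port (name_bind on a socket)
#   other   -> audit2why: a boolean, or genuinely missing policy
# Pure text processing, so it runs on a machine without SELinux tools.
set -u

# Value of KEY=value in an AVC record, quotes stripped (empty if absent).
avc_field() {   # avc_field RECORD KEY
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# The permission set inside "denied { ... }", single-space separated.
avc_perms() {   # avc_perms RECORD
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Third field of user:role:type:level is the type, the part that matters.
ctx_type() {    # ctx_type CONTEXT
    printf '%s\n' "$1" | cut -d: -f3
}

# Heuristic verdict: relabel | port | other. The "drift" target types are an
# assumption of this example (default_t for new dirs under /opt or /srv,
# unlabeled_t/file_t after running with SELinux off, admin_home_t for files
# made in /root and moved), not something read from policy.
avc_triage() {  # avc_triage RECORD
    local rec=$1 tclass ttype perms
    tclass=$(avc_field "$rec" tclass)
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    perms=$(avc_perms "$rec")
    case "$tclass:$perms" in
        tcp_socket:*name_bind*|udp_socket:*name_bind*) echo port; return ;;
    esac
    case " $ttype " in
        *" default_t "*|*" unlabeled_t "*|*" file_t "*|*" admin_home_t "*) echo relabel; return ;;
    esac
    echo other
}

# One line per record: verdict, what was denied, to what.
avc_report() {  # avc_report RECORD
    local rec=$1 verdict
    verdict=$(avc_triage "$rec")
    printf '%-7s comm=%s %s -> %s class=%s perms={%s} name=%s\n' \
        "$verdict" "$(avc_field "$rec" comm)" \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" "$(avc_perms "$rec")" "$(avc_field "$rec" name)"
}

# Constructed sample records (not captured from a real system).
SAMPLE_DIR='type=AVC msg=audit(1700000000.100:101): avc:  denied  { write } for  pid=1201 comm="vault" name="backups" dev="dm-0" ino=4096 scontext=system_u:system_r:vault_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'
SAMPLE_BIND='type=AVC msg=audit(1700000000.200:102): avc:  denied  { name_bind } for  pid=1300 comm="httpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
SAMPLE_CONN='type=AVC msg=audit(1700000000.300:103): avc:  denied  { name_connect } for  pid=1300 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# "./avc-triage.sh --live" reads real records; otherwise it runs the samples.
if [ "${1:-}" = "--live" ]; then
    sudo ausearch -m AVC -ts recent --raw 2>/dev/null | grep '^type=AVC' \
        | while IFS= read -r rec; do avc_report "$rec"; done
else
    for rec in "$SAMPLE_DIR" "$SAMPLE_BIND" "$SAMPLE_CONN"; do avc_report "$rec"; done
fi
```

The third sample (httpd connecting out to a postgresql_port_t port) lands in "other" on purpose: that is a boolean case (httpd_can_network_connect or httpd_can_network_connect_db), which is exactly what audit2why will tell you, and the script should not guess policy it has not read.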

Ports

View port labels
sudo semanage port -l | grep http
Allow a service on a non-standard port
# Check who owns the port first: -a fails with "already defined" if any type
# owns it, and on current targeted policy http_port_t already includes 8443
sudo semanage port -l | grep -w 8443
# Port unlabeled: add it to http_port_t so httpd can bind
sudo semanage port -a -t http_port_t -p tcp 8443
# Port already owned by a different type: modify instead of add
sudo semanage port -m -t http_port_t -p tcp 8443
List custom port rules
sudo semanage port -l -C
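Whether a port needs -a, -m, or nothing depends on what semanage port -l already says, and single ports and ranges (5900-5999) both count. The script below is an added example, not part of the original page: port_action parses semanage port -l output from stdin and answers add, modify, or noop; label_port wraps it around the real semanage calls. The PORT_TABLE excerpt is constructed in the shape of semanage port -l output (verify the values against your own machine).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): decide whether a port needs
# `semanage port -a` (unlabeled), `-m` (owned by a different type), or nothing
# (already the wanted type). `-a` on a port that is already defined fails with
# "already defined", which is the usual surprise with http_port_t.
set -u

# port_action PORT PROTO WANTED_TYPE, reading `semanage port -l` output on stdin.
# Prints add | modify | noop. Handles single ports and ranges like 5900-5999.
port_action() {
    local port=$1 proto=$2 want=$3 ptype p ports entry lo hi owner=""
    while read -r ptype p ports; do
        [ "$p" = "$proto" ] || continue            # also skips the header line
        for entry in $(printf '%s' "$ports" | tr ',' ' '); do
            lo=${entry%-*}; hi=${entry#*-}          # "80" -> 80/80, "5900-5999" -> 5900/5999
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                owner=$ptype
                break 2
            fi
        done
    done
    if [ -z "$owner" ]; then echo add
    elif [ "$owner" = "$want" ]; then echo noop
    else echo modify
    fi
}

# label_port PORT PROTO TYPE: run the right semanage command (needs root).
label_port() {
    local action
    action=$(semanage port -l | port_action "$1" "$2" "$3")
    case $action in
        add)    semanage port -a -t "$3" -p "$2" "$1" ;;
        modify) semanage port -m -t "$3" -p "$2" "$1" ;;
        noop)   echo "$2/$1 is already labeled $3, nothing to do" ;;
    esac
}

# Constructed excerpt in the shape of `semanage port -l` output (not captured
# from a live system); check the real values on your own machine.
PORT_TABLE='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
transproxy_port_t              tcp      8081
vnc_port_t                     tcp      5900-5999'

# Dry run against the constructed table: what would each request need?
for spec in "8443 tcp http_port_t" "8081 tcp http_port_t" "10005 tcp http_port_t" \
            "9443 tcp http_port_t" "8443 udp http_port_t"; do
    set -- $spec
    printf '%s/%s -> %s: %s\n' "$2" "$1" "$3" \
        "$(printf '%s\n' "$PORT_TABLE" | port_action "$1" "$2" "$3")"
done
```

Note the udp case: labels are per protocol, so tcp/8443 being http_port_t says nothing about udp/8443.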

RHCSA-Critical Commands

These are the commands you MUST know for the exam:

The RHCSA SELinux checklist
# 1. Check mode
getenforce

# 2. Set enforcing
sudo setenforce 1

# 3. Permanent mode
sudo vim /etc/selinux/config  # SELINUX=enforcing

# 4. View file contexts
ls -Z /path/to/file

# 5. Restore contexts
sudo restorecon -Rv /path/

# 6. Set permanent context
sudo semanage fcontext -a -t type_t "/path(/.*)?"
sudo restorecon -Rv /path/

# 7. Manage booleans
getsebool -a | grep keyword
sudo setsebool -P boolean_name on

# 8. Manage ports
sudo semanage port -a -t type_t -p tcp PORT

# 9. Troubleshoot
sudo ausearch -m AVC -ts recent
sudo sealert -a /var/log/audit/audit.log

Real-World: Vault Backup SELinux Incident

The problem
Vault backup script wrote to /opt/vault/backups/
SELinux denied because the backup directory had default_t context
Vault process runs as vault_t — not allowed to write to default_t
The fix
sudo semanage fcontext -a -t vault_var_lib_t "/opt/vault/backups(/.*)?"
sudo restorecon -Rv /opt/vault/backups/
The lesson
When a service can't write to a directory you created:
1. Check: ls -Z /path → is the type wrong?
2. Fix: semanage fcontext + restorecon
3. Never: setenforce 0 and call it done

See Also

  • AppArmor — alternative MAC framework

  • Permissions — DAC layer that SELinux supplements