Phase 7: Users & Security

SELinux (CRITICAL — #1 RHCSA Failure Topic)

RHEL 9 ships with SELinux enforcing. Do NOT disable it. Learn to work with it.

Verify SELinux Status

getenforce
# Must show: Enforcing
sestatus

SELinux Contexts

Every file, process, and port has an SELinux context (user:role:type:level).

# File contexts
ls -Z /var/www/
ls -Z /etc/ssh/sshd_config
# Process contexts
ps -eZ | grep sshd
# Port contexts
sudo semanage port -l | grep ssh

Common SELinux Operations

# Restore default file contexts (after moving files)
sudo restorecon -Rv /path/to/files
# Change file context type (semanage records the persistent rule, restorecon applies it)
sudo semanage fcontext -a -t httpd_sys_content_t "/data/web(/.*)?"
sudo restorecon -Rv /data/web
# List and toggle booleans (-P makes the change persist across reboots)
getsebool -a | grep httpd
sudo setsebool -P httpd_can_network_connect on

Troubleshooting SELinux Denials

# Install troubleshooting tools
sudo dnf install -y setroubleshoot-server setools-console
# Check audit log for denials
sudo ausearch -m AVC -ts recent
# Human-readable explanation
sudo sealert -a /var/log/audit/audit.log | head -50
# Generate allow rule from denial (review before applying!)
sudo audit2allow -a

Never blindly run audit2allow -M mypol && semodule -i mypol.pp. Always review what it allows first. The exam tests understanding, not copy-paste.
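
One way to review denials before deciding on a fix, added here as an example (not part of the original guide): avc_summary groups AVC records by source type, permission, target type and class, so each distinct denial is read once. The function names, the hint column and the sample records are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: summarise AVC denials for review before any policy change.
# Output per distinct denial: count source_type perms target_type class comm hint
avc_summary() {
  awk '
    /avc:[ ]+denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""; comm = "?"
      # Permissions are listed between "{" and "}".
      if (match($0, /\{[^}]*\}/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") < 2) continue
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass") cls = kv[2]
        else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
      }
      # Heuristic hint (an assumption of this example): what to check first.
      hint = "review"
      if (cls ~ /^(file|dir|lnk_file)$/) hint = "label"
      else if (perms ~ /name_(bind|connect)/) hint = "port-or-boolean"
      key = src " " perms " " tgt " " cls " " comm " " hint
      if (!(key in seen)) order[++k] = key
      seen[key]++
    }
    END { for (j = 1; j <= k; j++) print seen[order[j]], order[j] }
  '
}

# Constructed sample records (not from a real host).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000005.202:502): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.html" dev="dm-0" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.303:503): avc:  denied  { name_connect } for  pid=2103 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

sample_audit_log | avc_summary
```

On a live system, pipe real records in with sudo ausearch -m AVC -ts recent | avc_summary. A "label" hint points at ls -Z and restorecon, a "port-or-boolean" hint at semanage port -l and getsebool.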

User and Group Management

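# Create users
sudo useradd -m -s /bin/bash developer
# RHEL already ships a system account named "operator"; if useradd reports
# that the user exists, practice with a different name
sudo useradd -m -s /bin/bash operator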
# Set passwords
sudo passwd developer
sudo passwd operator
# Create groups
sudo groupadd devteam
sudo groupadd ops
# Add users to groups
sudo usermod -aG devteam developer
sudo usermod -aG ops operator

Sudo Configuration

# Your admin user should already be in wheel
groups
# Verify sudoers
sudo visudo
# Ensure: %wheel ALL=(ALL) ALL

SSH Hardening

# BEFORE
sudo sshd -T | grep -iE 'permitroot|passwordauth|maxauthtries'
# APPLY
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?MaxAuthTries.*/MaxAuthTries 3/' /etc/ssh/sshd_config
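# VERIFY (sshd -T parses the config on disk and prints the effective values;
# if a value differs from what you set, a file under /etc/ssh/sshd_config.d/
# is overriding it)
sudo sshd -T | grep -iE 'permitroot|maxauthtries'
# Restart to apply the new settings
sudo systemctl restart sshd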

Check                                                      Status
SELinux enforcing (getenforce)                             [ ]
SELinux troubleshooting tools installed                    [ ]
File context operations practiced (semanage, restorecon)   [ ]
Boolean operations practiced (getsebool, setsebool)        [ ]
Users and groups created                                   [ ]
Sudo configured (wheel group)                              [ ]
SSH hardened (no root login, max 3 attempts)               [ ]