SELinux cheat sheet
Basic info
ps auZ
– List processes including SELinux context
ls -Z
– List files including SELinux context
ss -Z
– Show sockets with SELinux context
getenforce
– Get current mode of SELinux
sestatus
– SELinux status tool
SELinux configuration
Runtime configuration
setenforce [1|0]
– Enable/Disable SELinux (temporary until reboot)
Permanent configuration
/etc/selinux/config
– Permanent SELinux configuration
Kernel params
selinux=0
– Disables SELinux entirely (Warning: New files won’t be labeled!)
enforcing=0
– Disable enforcing (enable permissive mode)
SELinux Booleans
getsebool -a
– Get all SELinux booleans and their values
semanage boolean --list
– List all SELinux booleans, their current and default values and a short description.
setsebool httpd_enable_cgi on
– Enable a SELinux boolean (temporary until reboot)
setsebool -P httpd_enable_cgi on
– Enable a SELinux boolean (persistently)
Policy configuration
File context
semanage fcontext -l
– List file context mapping definitions used by restorecon
semanage fcontext -a -t httpd_sys_content_t "/webpages(/.*)?"
– Add a new definition
Port labeling
semanage port -l
– List current port label assignments
semanage port -a -t http_port_t -p tcp 81
– Allow httpd service to listen on port 81/TCP
semanage port -d -t http_port_t -p tcp 81
– Remove a custom port labeling
semanage port -m -t http_port_t -p tcp 81
– Modify a label associated with a port
File context (labeling)
restorecon -vR /foo/bar
– Restore file(s) default SELinux context
chcon -R -t TYPE /foo/bar
– Change SELinux context (temporary until next run of restorecon on the file/dir)
Relabeling whole file system
Create /.autorelabel file and reboot.
$ touch /.autorelabel
$ reboot
Troubleshooting
setroubleshoot-server – A package that provides sealert (setroubleshoot client tool)
Log files
/var/log/audit/audit.log
– Used by default if auditd daemon is running
/var/log/messages
– Used when auditd is not running or when setroubleshoot-server is installed.
Note: SELinux messages have “AVC” prefix (Access Vector Cache) – grep "AVC" LOG_FILE
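Grepping for "AVC" returns one line per denial, which gets noisy fast. The script below is an added example (not part of the original cheat sheet) that collapses AVC denial records into counts per process, permission, source type, target type and object class, which is the view you want before deciding whether a boolean, a file context or a port label is the right fix. The audit.log lines are constructed samples in the auditd record layout, not taken from a real host.

```shell
#!/bin/sh
# Constructed sample of audit.log lines (not from a real host); the record layout
# follows what auditd writes for AVC denials.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=81 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { read open } for  pid=1234 comm="httpd" name="about.html" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

# avc_summary LOG_FILE
# Prints one line per distinct denial: count, process, permission(s),
# source domain type, target object type, object class.
avc_summary() {
  grep 'avc:  denied' "$1" | awk '{
    perm = ""; comm = ""; s = ""; t = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {                      # permissions sit between "{" and "}"
        for (j = i + 1; j <= NF && $j != "}"; j++)
          perm = perm (perm == "" ? "" : ",") $j
      }
      if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # e.g. httpd_t
      if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }   # e.g. user_home_t
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }           # strip "tclass="
    }
    n[comm " " perm " " s " " t " " cls]++
  } END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# With no argument the constructed sample is summarised; on a real host pass
# /var/log/audit/audit.log (or /var/log/messages when auditd is not running).
avc_summary "${1:-$SAMPLE_LOG}"
```

The two rows the sample produces map directly onto the cheat sheet: a file denial where the target type is user_home_t points at a missing semanage fcontext rule plus restorecon, and a name_bind denial on unreserved_port_t points at a missing semanage port rule.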
SELinux troubleshooter
sealert -b
– Start graphical SELinux Alert Browser
sealert -a LOG_FILE > report
– Analyze a logfile for SELinux alerts and generate report
sealert -l ID
– Lookup alert by ID (“*” wildcard could be used to return all alerts).
Help
man -k selinux
– List all manual pages that have word “selinux” in name or description.
Packages with SELinux man pages:
- selinux-policy-doc – Current Fedora versions
- selinux-policy-devel – RHEL 7
Examples
Update policy so Apache web server can serve data from /webpages dir
$ semanage fcontext -a -t httpd_sys_content_t "/webpages(/.*)?"
$ restorecon -R -v /webpages
Update policy so Apache web server can bind to port 1234
$ semanage port -a -t http_port_t -p tcp 1234
Tips
- Don’t forget that the currently running and the permanent SELinux configuration may differ, and the system may behave differently after a reboot if you forget to make the configuration permanent (setenforce vs /etc/selinux/config, setsebool vs setsebool -P, etc.).
- If a service cannot bind a port, check the SELinux label of the port and the logs for denial messages.
- When you want to make SELinux permissive for a specified service or process only (because of debugging, testing, etc.), take a look at “Permissive domains” (man semanage-permissive).
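The first tip above is easy to check mechanically. The script below is an added example (not part of the original cheat sheet) with two checks: one compares the running mode (what getenforce prints) with the SELINUX= line in /etc/selinux/config, the other reads semanage boolean --list output and reports booleans whose current value differs from the value stored in the policy, i.e. booleans set with setsebool but never with setsebool -P. Both the config file and the semanage output are constructed samples so the script runs on a host without SELinux; the function names and the "(current , stored)" column parsing are this example's assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/selinux/config (not copied from a real host).
SAMPLE_CONFIG="$(mktemp)"
# Constructed sample of `semanage boolean --list` output: the parenthesised column
# holds the current value first and the value stored in the policy second.
SAMPLE_BOOLEANS="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_BOOLEANS"' EXIT

cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

cat > "$SAMPLE_BOOLEANS" <<'EOF'
SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,  off)  Allow httpd to enable cgi
httpd_can_network_connect      (off  ,  off)  Allow httpd to connect to network
EOF

# config_mode CONFIG_FILE -> prints the SELINUX= value, lower-cased
config_mode() {
  sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1" | tr 'A-Z' 'a-z'
}

# mode_drift RUNTIME_MODE CONFIG_FILE -> returns 0 if they agree, 1 if a reboot would change the mode
mode_drift() {
  runtime="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  permanent="$(config_mode "$2")"
  if [ "$runtime" = "$permanent" ]; then
    echo "mode: runtime '$runtime' matches $2"
    return 0
  fi
  echo "mode: runtime '$runtime' differs from $2 ('$permanent'); it will change on reboot"
  return 1
}

# unsaved_booleans SEMANAGE_OUTPUT_FILE (or - for stdin)
# Prints "name current stored" for every boolean whose two values differ.
unsaved_booleans() {
  awk '/^[a-z0-9_]+ +\(/ {
    line = $0
    sub(/^[^(]*\(/, "", line); sub(/\).*$/, "", line)   # keep e.g. "on   ,  off"
    split(line, v, ","); gsub(/ /, "", v[1]); gsub(/ /, "", v[2])
    if (v[1] != v[2]) print $1, v[1], v[2]
  }' "${1:--}"
}

# Demo on the constructed samples. On a real host:
#   mode_drift "$(getenforce)" /etc/selinux/config
#   semanage boolean --list | unsaved_booleans -
mode_drift Permissive "$SAMPLE_CONFIG" || true
echo "booleans changed at runtime but not stored with setsebool -P:"
unsaved_booleans "$SAMPLE_BOOLEANS"
```

A non-zero exit from mode_drift, or any line from unsaved_booleans, is the condition the tip warns about: the host will behave differently after its next reboot.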