# SELinux Complete Guide

**What is SELinux**

Security-Enhanced Linux (SELinux) is a security feature built into the Linux kernel. On top of the traditional Linux access control (user, group, permission bits), it enforces mandatory access control policies that give much finer-grained control over what each process may access.
## Key Points

- **Enhanced Security**: detailed control over process and file access
- **Minimize Attack Damage**: limits the scope of damage during unauthorized access
- **Server Protection**: improves the security of web servers and database servers
- **Mandatory Access Control**: advanced control that can restrict even the root user
## Why SELinux is Needed

### Limitations of Traditional Linux Security

Traditional Linux permission system:

- Three levels: user, group, others
- The root user can basically do anything
- When an application is compromised, anything can be executed with that user's privileges

Improvements with SELinux:

- Fine-grained control of permissions per process
- Even root has only the minimum necessary privileges
- When an attacker compromises an app, the damage is localized
### Concrete Effect Examples

Example: when a web server is compromised

Traditional Linux:

- Anything can be executed with the web server process user's privileges
- Reading system files, affecting other processes, etc.

With SELinux enabled:

- The web server can only access files in the specified directories
- Network connections are also limited to restricted ranges
- Access to system files is denied
## SELinux Operating Modes

| Mode | Behavior | Use Case |
|---|---|---|
| Enforcing | Deny policy violations | Production environment operation |
| Permissive | Warning only (execution allowed, denials logged) | Test/debug environment |
| Disabled | SELinux disabled | Development environment (not recommended) |
### Basic Status Check

```bash
# Check SELinux status
getenforce
# Enforcing  → SELinux enabled and enforcing
# Permissive → Warning only
# Disabled   → SELinux disabled

# Detailed status check (mode, policy type, config-file mode)
sestatus
```
### Mode Changes and Configuration

```bash
# Temporarily switch to permissive (until reboot)
setenforce 0
# Temporarily switch back to enforcing
setenforce 1

# Permanently disable (edit /etc/selinux/config; takes effect after reboot)
# The ^ anchor ensures only the SELINUX= line is changed, whatever its current value
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
```
## Understanding SELinux Context

### What is Context

In SELinux, every file, process, port, etc. is assigned an attribute called a "context" (label). Policy decisions are made on these labels, most importantly on the type field.

**Context Structure**

```text
user:role:type:level
```

**Examples**

```bash
# Web server executable file
system_u:object_r:httpd_exec_t:s0
# Web content file (httpd_t is the server's process domain, not a file type)
system_u:object_r:httpd_sys_content_t:s0
# General user file
unconfined_u:object_r:user_home_t:s0
```
### Commonly Used Types

| Type | Use Case |
|---|---|
| httpd_t | Web server (httpd) process domain |
| httpd_exec_t | Web server executable |
| httpd_sys_content_t | Web content files (document root) |
| mysqld_t | MySQL/MariaDB server process domain |
| mysqld_db_t | MySQL/MariaDB data files |
| ssh_t | SSH client process domain |
| ssh_home_t | SSH keys and config in a user's ~/.ssh |
| user_home_t | User home directory files |
| admin_home_t | Administrator (root) home directory files |
## File Context Operations

### Check Context

```bash
# Check a file's SELinux context
ls -Z /var/www/html/index.html
# system_u:object_r:httpd_sys_content_t:s0 index.html

# Check the context of an entire directory
ls -Z /var/www/html/

# Check process contexts (the domain is the type field, e.g. httpd_t)
ps -eZ | grep httpd
```
### Change Context

```bash
# Change the type directly (not persistent: lost on restorecon or a full relabel)
chcon -t httpd_sys_content_t /var/www/html/newfile.html

# Change user and role as well
chcon -u system_u -r object_r -t httpd_sys_content_t /var/www/html/file.html

# Recursively change an entire directory
chcon -R -t httpd_sys_content_t /var/www/html/
```
### Restore Context

```bash
# Restore to the default context defined by policy
restorecon -v /var/www/html/index.html

# Recursively restore a directory and everything below it
restorecon -Rv /var/www/html/

# Preview what would change (dry run, nothing is modified)
restorecon -Rvn /var/www/html/
```
## Policy Management

### Set Default Context

```bash
# Set the default context for a path pattern (persistent, survives relabels)
semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"

# Apply the rule to existing files
restorecon -Rv /var/www/html/

# Check configured context rules
semanage fcontext -l | grep "/var/www"
```
### Port Management

```bash
# Check which ports httpd is allowed to bind
semanage port -l | grep http

# Add a new port (example: port 8080)
semanage port -a -t http_port_t -p tcp 8080

# Delete the port setting
semanage port -d -t http_port_t -p tcp 8080
```
## Troubleshooting

### Check Logs

```bash
# Check SELinux denial logs
grep "denied" /var/log/audit/audit.log

# More detailed analysis with suggested fixes
sealert -a /var/log/audit/audit.log

# Monitor SELinux denials in real time
tail -f /var/log/audit/audit.log | grep denied
```
### Common Errors and Solutions

#### 1. Web Server File Access Denied

```bash
# Symptom: web page returns 403 Forbidden (file is not labelled httpd_sys_content_t)
# Check
ls -Z /var/www/html/problem-file.html

# Solution: restore the policy default
restorecon -v /var/www/html/problem-file.html
# or set the type directly
chcon -t httpd_sys_content_t /var/www/html/problem-file.html
```
#### 2. Web Content in Non-standard Directory

```bash
# Symptom: want to use /home/user/website/ as document root but get 403
# Solution: add a persistent context rule, then apply it
semanage fcontext -a -t httpd_sys_content_t "/home/user/website(/.*)?"
restorecon -Rv /home/user/website/
```
#### 3. Database Connection Error

```bash
# Symptom: cannot connect to the DB from the web app
# Check
getsebool httpd_can_network_connect_db

# Solution
setsebool -P httpd_can_network_connect_db on
```
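The "Check Logs" and "Common Errors" sections above map raw audit.log denials to fixes by hand. The script below is an added example, not part of the original guide: it parses AVC records, groups them by source type, target type and object class, and suggests which fix family (relabel, boolean, or port) each group calls for. The sample records are constructed, and the suggestion rules are a simplified heuristic for the three cases above, not sealert's logic.

```python
import re
from collections import Counter
# Constructed sample audit.log records (not from a real host) matching the three
# common errors above; the SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:102): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/user/website/index.html" dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:103): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000002.789:103): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000003.000:104): avc:  denied  { read } for  pid=1235 comm="httpd" name="about.html" dev="dm-0" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def parse_avc(log_text):
    """One dict per AVC denial record; other audit record types are ignored."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["perms"] = ev["perms"].split()
            # Contexts are user:role:type:level; policy decisions hinge on the type.
            ev["stype"] = ev["scontext"].split(":")[2]
            ev["ttype"] = ev["tcontext"].split(":")[2]
            events.append(ev)
    return events

def suggest(ev):
    """Map a denial to the fix family the guide uses: relabel, boolean, or port."""
    if ev["stype"] == "httpd_t" and ev["tclass"] in ("file", "dir"):
        if ev["ttype"] == "user_home_t":
            return "semanage fcontext -a -t httpd_sys_content_t + restorecon -Rv"
        if not ev["ttype"].startswith("httpd_"):
            return "restorecon -v (or semanage fcontext -a -t httpd_sys_content_t)"
    if ev["stype"] == "httpd_t" and "name_connect" in ev["perms"]:
        if ev["ttype"] == "mysqld_port_t":
            return "setsebool -P httpd_can_network_connect_db on"
        return "setsebool -P httpd_can_network_connect on (or semanage port -a)"
    return "inspect with sealert -a"

def summarize(log_text):
    counts = Counter()
    for ev in parse_avc(log_text):
        counts[(ev["stype"], ev["ttype"], ev["tclass"], suggest(ev))] += 1
    return counts
```

Run `summarize(open("/var/log/audit/audit.log").read())` as root on a real host to get the same grouping over live denials.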
### Boolean Settings

```bash
# List available booleans and their current values
getsebool -a | grep httpd

# Commonly used booleans
setsebool -P httpd_can_network_connect on     # Allow httpd to open outbound network connections
setsebool -P httpd_can_network_connect_db on  # Allow httpd to connect to database ports only
setsebool -P httpd_enable_homedirs on         # Allow httpd to read content under home directories
setsebool -P httpd_execmem on                 # Allow executable memory (weakens memory protections; enable only if an app needs it)
# -P option: persistent (still effective after reboot)
```
## Practical Operation Examples

### Apache Web Server Configuration

```bash
# 1. Basic web content configuration
semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
restorecon -Rv /var/www/html/

# 2. CGI script configuration (scripts httpd may execute, not the httpd binary itself)
semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/cgi-bin(/.*)?"
restorecon -Rv /var/www/cgi-bin/

# 3. Log directory configuration
semanage fcontext -a -t httpd_log_t "/var/log/httpd(/.*)?"
restorecon -Rv /var/log/httpd/
```
### SSH Configuration

```bash
# Allow sshd to listen on a non-standard port
semanage port -a -t ssh_port_t -p tcp 2222

# Restore the proper context (ssh_home_t) for SSH keys
restorecon -Rv ~/.ssh/
```
### MySQL/MariaDB Configuration

```bash
# Data directory context configuration
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
restorecon -Rv /var/lib/mysql/

# Log file context
semanage fcontext -a -t mysqld_log_t "/var/log/mysql(/.*)?"
restorecon -Rv /var/log/mysql/
```
## SELinux Disabling (Not Recommended)

**Security Risk**

Disabling SELinux significantly reduces security. Only disable temporarily when absolutely necessary. Switching to permissive mode (SELINUX=permissive) keeps denials logged and is usually enough for debugging. Note that on recent distributions (RHEL 9, Fedora 34 and later) SELINUX=disabled in the config file is deprecated and the kernel parameter selinux=0 is the supported way to disable SELinux fully.

```bash
# Temporarily disable enforcement (returns to normal after reboot)
setenforce 0

# Permanently disable (takes effect after reboot)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# Reboot required
reboot
```
## Cheat Sheet

### Basic Commands

```bash
# Status check
getenforce
sestatus

# Mode change
setenforce 0   # Permissive
setenforce 1   # Enforcing

# Context check
ls -Z filename
ps -eZ | grep process

# Context change
chcon -t type filename
restorecon -v filename

# Policy management
semanage fcontext -l
semanage port -l
getsebool -a

# Log check
grep denied /var/log/audit/audit.log
sealert -a /var/log/audit/audit.log
```
### Troubleshooting Steps

1. Check the error log: `grep denied /var/log/audit/audit.log`
2. Check the context: `ls -Z problem-file`
3. Try a restore: `restorecon -v problem-file`
4. Check the policy rules: `semanage fcontext -l | grep path`
5. Check the booleans: `getsebool -a | grep related-keyword`
## Related Articles

- Firewall Configuration: other aspects of system security
- OS Information: how to get system information