
Changing the current SELinux mode

The SELinux subsystem provides tools to display and change modes. To determine the
current SELinux mode, run the getenforce command. To set SELinux to a different mode,
use the setenforce command:

[user@host ~]# getenforce
Enforcing
[user@host ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[user@host ~]# setenforce 0
[user@host ~]# getenforce
Permissive
[user@host ~]# setenforce Enforcing
[user@host ~]# getenforce
Enforcing

Alternatively, you can set the SELinux mode at boot time by passing a parameter to the
kernel: the kernel argument enforcing=0 boots the system into permissive mode, and a value
of enforcing=1 boots it into enforcing mode. You can also disable SELinux completely by
passing the kernel parameter selinux=0; a value of selinux=1 enables SELinux.

Setting the default SELinux mode

You can also configure SELinux persistently using the /etc/selinux/config file. In the
example below (the default configuration), the configuration file sets SELinux to enforcing.
The comments also show the other valid values: permissive and disabled.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes
# are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change the default SELinux mode to permissive and reboot.

Use the getenforce command to verify that servera is in enforcing mode.

[root@servera ~]# getenforce
Enforcing

Use the vim command to open the /etc/selinux/config configuration file. Change
the SELINUX parameter from enforcing to permissive.

[root@servera ~]# vim /etc/selinux/config

Use the grep command to confirm that the SELINUX parameter is set to permissive.

[root@servera ~]# grep '^SELINUX' /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted

Use the systemctl reboot command to reboot servera.

[root@servera ~]# systemctl reboot
Connection to servera closed by remote host.
Connection to servera closed.
[student@workstation ~]$

Display the current SELinux mode using the getenforce command.

[root@servera ~]# getenforce
Permissive

Use the setenforce command to set the current SELinux mode to enforcing without
rebooting. Confirm that the mode has been set to enforcing using the getenforce command.

[root@servera ~]# setenforce 1
[root@servera ~]# getenforce
Enforcing

Initial SELinux Context

On systems running SELinux, all processes and files are labeled. The label represents the
security relevant information, known as the SELinux context.

The ls -Z command displays the SELinux context of a file. Note the label of the file.

[root@host ~]# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

And the ls -Zd command displays the SELinux context of a directory:

[root@host ~]# ls -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Note that the /var/www/html/index.html has the same label as the parent directory
/var/www/html/. Now, create files outside of the /var/www/html directory and note their
file context:

[root@host ~]# touch /tmp/file1 /tmp/file2
[root@host ~]# ls -Z /tmp/file*
unconfined_u:object_r:user_tmp_t:s0 /tmp/file1
unconfined_u:object_r:user_tmp_t:s0 /tmp/file2

Move one of these files to the /var/www/html directory, copy another, and note the label of
each:

[root@host ~]# mv /tmp/file1 /var/www/html/
[root@host ~]# cp /tmp/file2 /var/www/html/
[root@host ~]# ls -Z /var/www/html/file*
unconfined_u:object_r:user_tmp_t:s0 /var/www/html/file1
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2

The moved file keeps its original label, while the copied file inherits the label of the
/var/www/html directory. In a label such as unconfined_u:object_r:httpd_sys_content_t:s0,
unconfined_u is the SELinux user, object_r is the role, httpd_sys_content_t is the type, and
s0 is the level. A sensitivity level of 0 is the lowest possible sensitivity level.

Changing the SELinux context of a file

The following screen shows a directory being created. The directory has a type value of
default_t.

[root@host ~]# mkdir /virtual
[root@host ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual

The chcon command changes the file context of the /virtual directory: the type value
changes to httpd_sys_content_t.

[root@host ~]# chcon -t httpd_sys_content_t /virtual
[root@host ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /virtual

When the restorecon command runs, the type value returns to default_t, because chcon changed
only the label on the directory and not the default context rule that restorecon applies. Note
the Relabeled message.

[root@host ~]# restorecon -v /virtual
Relabeled /virtual from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:default_t:s0
[root@host ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual

Defining SELinux Default File Context Rules

The semanage fcontext command displays and modifies the rules that restorecon uses to set
default file contexts. It uses extended regular expressions to specify the path and file names.
The most common extended regular expression used in fcontext rules is (/.*)?, which
means “optionally, match a / followed by any number of characters”. It matches the directory
listed before the expression and everything in that directory recursively.

Basic File Context Operations

The following table is a reference for the semanage fcontext options that add, remove, or list
SELinux file context rules.

Table 5.1. semanage fcontext commands

option          description
-a, --add       Add a record of the specified object type
-d, --delete    Delete a record of the specified object type
-l, --list      List records of the specified object type

To ensure that you have the tools to manage SELinux contexts, install the policycoreutils
package and the policycoreutils-python package if needed. These contain the restorecon
command and the semanage command, respectively.

To ensure that all files in a directory have the correct file context, run semanage fcontext
-l to confirm the rule that covers the directory, then run the restorecon command to apply it.
In the following example, note the file context of each file before and after the semanage
and restorecon commands run.

[root@host ~]# ls -Z /var/www/html/file*
unconfined_u:object_r:user_tmp_t:s0 /var/www/html/file1
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
[root@host ~]# semanage fcontext -l
...output omitted...
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
...output omitted...
[root@host ~]# restorecon -Rv /var/www/
Relabeled /var/www/html/file1 from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
[root@host ~]# ls -Z /var/www/html/file*
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
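As an added example (not part of the course material), the following Python applies the (/.*)? matching rule explained above to the semanage fcontext -l and ls -Z output formats shown in this example: it parses a constructed rule list, computes the label a path should carry, and reports which files restorecon -Rv would relabel. The rule-ordering heuristic (longest literal prefix wins) is an assumption that approximates libselinux ordering rather than reproducing its exact algorithm.

```python
import re

# Constructed samples: `semanage fcontext -l` rules (regex, file type, context)
# and `ls -Z` output for the moved and copied files shown on the page.
SAMPLE_FCONTEXT_LIST = """\
/.*                 all files  system_u:object_r:default_t:s0
/var/www(/.*)?      all files  system_u:object_r:httpd_sys_content_t:s0
/virtual(/.*)?      all files  system_u:object_r:httpd_sys_content_t:s0
/tmp(/.*)?          all files  system_u:object_r:tmp_t:s0
"""
SAMPLE_LS_Z = """\
unconfined_u:object_r:user_tmp_t:s0 /var/www/html/file1
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
"""
FILE_TYPES = ("all files", "regular file", "directory", "symbolic link",
              "character device", "block device", "socket", "named pipe")
META = re.compile(r"[^.^$?*+|()\[\]{}\\]*")  # leading metacharacter-free part

def parse_fcontext_list(text):
    """Turn `semanage fcontext -l` lines into (regex, file_type, context) tuples."""
    rules = []
    for line in text.splitlines():
        for ftype in FILE_TYPES:
            regex, sep, context = line.partition(ftype)
            if sep:
                rules.append((regex.strip(), ftype, context.strip()))
                break
    return rules

def expected_context(path, rules):
    """Context the rules imply for path. The whole path must match the regex, so
    '/virtual(/.*)?' covers /virtual and /virtual/x but not /virtualx. Among
    matching rules the one with the longest literal prefix wins (assumption:
    an approximation of libselinux rule ordering, not its exact algorithm)."""
    matches = [r for r in rules if re.fullmatch(r[0], path)]
    if not matches:
        return None
    return max(matches, key=lambda r: len(META.match(r[0]).group(0)))[2]

def files_needing_relabel(ls_z_output, rules):
    """(path, current type, expected type) for mislabeled files, i.e. what
    `restorecon -Rv` reports. Only the type field is compared, because
    restorecon without -F leaves the user and role components alone."""
    out = []
    for line in ls_z_output.splitlines():
        context, path = line.split(None, 1)
        expected = expected_context(path, rules)
        if expected and context.split(":")[2] != expected.split(":")[2]:
            out.append((path, context.split(":")[2], expected.split(":")[2]))
    return out
```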

The following example shows how to use semanage to add a context for a new directory.

[root@host ~]# mkdir /virtual
[root@host ~]# touch /virtual/index.html
[root@host ~]# ls -Zd /virtual/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual/
[root@host ~]# ls -Z /virtual/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
[root@host ~]# semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
[root@host ~]# restorecon -RFvv /virtual
[root@host ~]# ls -Zd /virtual/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /virtual/
[root@host ~]# ls -Z /virtual/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

Open a web browser on workstation and try to view http://servera/index.html. You will get
an error message that says you do not have permission to access the file.

To permit access to the index.html file on servera, SELinux must be configured. Define an
SELinux file context rule that sets the context type to httpd_sys_content_t for the /custom
directory and all the files below it.

[root@servera ~]# semanage fcontext -a -t httpd_sys_content_t '/custom(/.*)?'

Use the restorecon command to change the file contexts.

[root@servera ~]# restorecon -Rv /custom
Relabeled /custom from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /custom/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

Try to view http://servera/index.html again. You should see the message This is SERVERA.
displayed.

Exit from servera.

[root@servera ~]# exit
logout
[student@servera ~]$ exit
logout
Connection to servera closed.
[student@workstation ~]$

SELinux booleans

SELinux booleans are switches that change the behavior of the SELinux policy: each boolean
enables or disables a set of policy rules, which lets security administrators tune the policy
with selective adjustments instead of rewriting it.

Commands useful for managing SELinux booleans include getsebool, which lists booleans and
their state, and setsebool, which modifies booleans. setsebool -P modifies the SELinux policy
to make the change persistent. semanage boolean -l reports whether or not a boolean is
persistent, along with a short description of the boolean.

Non-privileged users can run the getsebool command, but you must be a superuser to run
semanage boolean -l and setsebool -P.

[user@host ~]$ getsebool -a
[user@host ~]$ sudo setsebool httpd_enable_homedirs on
[user@host ~]$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs (on , off) Allow httpd to enable homedirs
[user@host ~]$ getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

The -P option writes all pending values to the policy, making them persistent across reboots.
After the following command, the two values that semanage boolean -l shows in parentheses
(the current value and the persistent value) are both on.

[user@host ~]$ setsebool -P httpd_enable_homedirs on

Investigating and Resolving SELinux Issues

Using the less command, view the contents of /var/log/messages. Use the / key and search
for sealert. Copy the suggested sealert command so that it can be used in the next step. Use
the q key to quit the less command.

[root@servera ~]# less /var/log/messages
...output omitted...
Mar 28 06:07:03 servera setroubleshoot[15326]: SELinux is preventing
/usr/sbin/httpd from getattr access on the file /custom/index.html. For complete
SELinux messages run: sealert -l b1c9cc8f-a953-4625-b79b-82c4f4f1fee3

Run the suggested sealert command. Note the source context, the target objects, the policy,
and the enforcing mode.

[root@servera ~]# sealert -l b1c9cc8f-a953-4625-b79b-82c4f4f1fee3
SELinux is preventing /usr/sbin/httpd from getattr access on the file
/custom/index.html.

Launch a web browser on workstation and browse to http://serverb/lab.html. You will see
the error message: You do not have permission to access /lab.html on this server.

Research and identify the SELinux issue that is preventing Apache from serving web content.

Using the less command, view the contents of /var/log/messages. Use the / key and search
for sealert. Use the q key to quit the less command.

[root@serverb ~]# less /var/log/messages
...output omitted...
Mar 28 10:19:51 serverb setroubleshoot[27387]: SELinux is preventing
/usr/sbin/httpd from getattr access on the file /lab-content/lab.html. For
complete SELinux messages run: sealert -l 8824e73d-3ab0-4caf-8258-86e8792fee2d

Run the suggested sealert command. Note the source context, the target objects, the policy,
and the enforcing mode.

[root@serverb ~]# sealert -l 8824e73d-3ab0-4caf-8258-86e8792fee2d
SELinux is preventing /usr/sbin/httpd from getattr access on the file
/lab-content/lab.html.
...output omitted...
Raw Audit Messages
type=AVC msg=audit(1553782786.213:864): avc: denied { getattr }
for pid=15606 comm="httpd" path="/lab-content/lab.html" dev="vda1" ino=8763212
scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0
tclass=file permissive=0

The Raw Audit Messages section of the sealert output contains information from
/var/log/audit/audit.log. Use the ausearch command to search the /var/log/audit/audit.log
file. The -m option searches on the message type, and the -ts option searches based on time.
This entry identifies the process and file that caused the alert: the process is the httpd
Apache web server, the file is /lab-content/lab.html, and the source context is
system_r:httpd_t. The permissive=0 field shows that the denial was enforced rather than only
logged.

[root@serverb ~]# ausearch -m AVC -ts recent
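As an added example (not part of the course material), this Python parses AVC records in the key=value layout of the Raw Audit Messages above, which ausearch -m AVC prints in the same form: it splits the source and target contexts into user, role, type and level, and records whether each denial was actually blocked (permissive=0) or only logged. The sample records are constructed for the example.

```python
import re

# Constructed AVC records in the layout that `ausearch -m AVC` and the sealert
# "Raw Audit Messages" section print; the values are samples, not real output.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1553782786.213:864): avc:  denied  { getattr } for  pid=15606 comm="httpd" path="/lab-content/lab.html" dev="vda1" ino=8763212 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1553782790.001:870): avc:  denied  { read open } for  pid=15606 comm="httpd" name="index.html" dev="vda1" ino=8763213 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1553782786.213:864): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def split_context(ctx):
    """Split user:role:type:level; the level may contain colons (s0-s0:c0.c1023)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        # path= is present when the kernel could resolve a full path, else name=
        "target": fields.get("path") or fields.get("name"),
        # permissive=0: actually blocked (enforcing); permissive=1: only logged
        "permissive": fields.get("permissive") == "1",
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
    }

def parse_avc_log(text):
    """All AVC records from a block of audit output, skipping other record types."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]

def summarize(rec):
    """One-line triage string: domain, permission, target, its label, and whether
    the denial was enforced. A source domain of httpd_t against a target type
    such as default_t points at a mislabeled file rather than a policy gap."""
    mode = "logged only (permissive)" if rec["permissive"] else "blocked (enforcing)"
    return (f'{rec["scontext"]["type"]} denied {" ".join(rec["perms"])} on '
            f'{rec["tclass"]} {rec["target"]} labeled {rec["tcontext"]["type"]}: {mode}')
```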

Display the SELinux context of the new HTTP document root and the original HTTP
document root. Resolve the SELinux issue preventing Apache from serving web content.

Use the ls -dZ command to compare the document roots /lab-content and /var/www/html.

[root@serverb ~]# ls -dZ /lab-content /var/www/html
unconfined_u:object_r:default_t:s0 /lab-content/
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Create a file context rule that sets the default type to httpd_sys_content_t for /lab-content
and all the files below it.

[root@serverb ~]# semanage fcontext -a -t httpd_sys_content_t '/lab-content(/.*)?'

Use the restorecon command to set the SELinux context for the files in /lab-content.

[root@serverb ~]# restorecon -R /lab-content/

Verify that the SELinux issue has been resolved and Apache is able to serve web content.

Use your web browser to refresh the http://serverb/lab.html link. Now you should see
some web content.

This is the html file for the SELinux final lab on SERVERB.
