The SELinux subsystem provides tools to display and change modes. To determine the
current SELinux mode, run the getenforce command. To switch the running system between
enforcing and permissive mode, use the setenforce command (setenforce 0 for permissive,
setenforce 1 for enforcing); setenforce cannot enable or disable SELinux itself.
Alternatively, you can set the SELinux mode at boot time by passing a parameter to the
kernel: the kernel argument enforcing=0 boots the system into permissive mode; a value of
enforcing=1 sets enforcing mode. You can also disable SELinux completely by passing the
kernel parameter selinux=0; a value of selinux=1 enables SELinux. The two are not the same
thing: in permissive mode the policy is still loaded and every denial is still logged, which
is what makes permissive the mode to troubleshoot in, whereas with SELinux disabled no
policy is loaded and files created in the meantime receive no label. Re-enabling SELinux
after it has been disabled therefore requires a full relabel of the filesystem (touch
/.autorelabel before rebooting), which can take a long time on large systems.
Use the vim command to open the /etc/selinux/config configuration file. Change
the SELINUX parameter from enforcing to permissive. Use the grep command to confirm that
the SELINUX parameter is set to permissive. Note that this file only sets the mode that is
applied at the next boot; editing it does not change the running system.
Use the setenforce command to set the current SELinux mode to enforcing without
rebooting. Confirm that the mode has been set to enforcing using the getenforce command.
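As an added example (this script is not part of the course material, and the config file it reads is constructed rather than the real /etc/selinux/config), the following POSIX shell script encodes the precedence described above: kernel parameters override the config file, and a disabled config means no policy is loaded at all. It also wraps setenforce so that a mode switch is verified with getenforce instead of assumed.

```shell
#!/bin/sh
# Added example, not from the course material. Shows how the mode the system
# ends up in is decided (kernel parameters beat /etc/selinux/config) and wraps
# setenforce/getenforce so a mode switch is verified rather than assumed.
# The config file used in the demo is constructed; it is not the real
# /etc/selinux/config.

# SELINUX= value from a config file in /etc/selinux/config format; comments
# and whitespace are ignored, the last assignment wins, empty if absent.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Mode the system will boot into, given the kernel command line ($1) and the
# config file ($2):
#   selinux=0 on the command line  -> disabled, whatever the file says
#   SELINUX=disabled in the file   -> disabled (init never loads a policy,
#                                     so enforcing= has nothing to act on)
#   enforcing=0 / enforcing=1      -> permissive / enforcing, overriding the file
#   otherwise                      -> the file's value (enforcing if unset)
effective_mode() {
    cmdline=$1
    filemode=$(config_mode "$2")
    for arg in $cmdline; do
        case $arg in selinux=0) echo disabled; return 0 ;; esac
    done
    if [ "$filemode" = disabled ]; then echo disabled; return 0; fi
    for arg in $cmdline; do
        case $arg in
            enforcing=0) echo permissive; return 0 ;;
            enforcing=1) echo enforcing;  return 0 ;;
        esac
    done
    echo "${filemode:-enforcing}"
}

# Switch the running mode without a reboot ($1 = Enforcing or Permissive).
# Needs root and an enabled SELinux; returns non-zero if the tools are missing
# or getenforce does not report the requested mode afterwards.
set_runtime_mode() {
    command -v setenforce >/dev/null 2>&1 || { echo "setenforce not available" >&2; return 2; }
    setenforce "$1" || return 1
    [ "$(getenforce)" = "$1" ]
}

# Demo on a constructed config file (not the real /etc/selinux/config).
demo_cfg=$(mktemp)
printf '# SELINUX=enforcing (comment, ignored)\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo_cfg"
echo "config file says:        $(config_mode "$demo_cfg")"
echo "boot with no parameters: $(effective_mode 'ro quiet' "$demo_cfg")"
echo "boot with enforcing=1:   $(effective_mode 'ro quiet enforcing=1' "$demo_cfg")"
echo "boot with selinux=0:     $(effective_mode 'ro selinux=0 enforcing=1' "$demo_cfg")"
rm -f "$demo_cfg"
if command -v getenforce >/dev/null 2>&1; then
    echo "running system: $(getenforce)"
fi
```

Run it as an ordinary user to see the precedence table evaluated; set_runtime_mode is only meaningful as root on a host with SELinux enabled, and it pairs every setenforce with a getenforce check so a silently ignored request (for example on a system booted with selinux=0) is reported as a failure.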
The ls -Z command displays the SELinux context of a file. Note the label of the file, and
note that /var/www/html/index.html has the same label as its parent directory
/var/www/html/. Now create files outside of the /var/www/html directory and note their
file context. Move one of these files to the /var/www/html directory, copy another, and
note the label of each.
The moved file keeps its original label, because mv within a filesystem keeps the existing
inode and its extended attributes, while the copied file is a new inode and inherits the
label of the /var/www/html directory (cp only keeps the source label when told to, with
--preserve=context or -a). In a context such as unconfined_u:object_r:httpd_sys_content_t:s0,
unconfined_u is the SELinux user, object_r is the role, httpd_sys_content_t is the type, and
s0 is the sensitivity level. The type is the field the targeted policy makes its decisions
on, so it is the one to check when access is denied. A sensitivity level of 0 is the lowest
possible sensitivity level, and the only one the targeted policy uses.
The chcon command changes the file context of the /virtual directory: the type value
changes to httpd_sys_content_t. chcon rewrites only the label stored on the file; it records
nothing in the policy's file context rules, so the change is lost at the next relabel. The
restorecon command then returns the type to the policy default, default_t. Note the
Relabeled message: restorecon -v prints one such line for every file whose label it changed,
and restorecon -n -v shows what would change without touching anything.
option        description
-d, --delete  Delete a record of the specified object type
To ensure that you have the tools to manage SELinux contexts, install the policycoreutils
package and the policycoreutils-python package if needed. These contain the restorecon
command and the semanage command, respectively. (On RHEL 8 and later the semanage
command is shipped in policycoreutils-python-utils instead.)
To ensure that all files in a directory have the correct file context, first record the
context in the policy with semanage fcontext (semanage fcontext -l lists the existing rules;
semanage fcontext -a -t TYPE 'DIR(/.*)?' adds one for a directory tree), then apply it with
restorecon -Rv on the directory. In the following example, note the file context of
each file before and after the semanage and restorecon commands run.
The following example shows how to use semanage to add a context for a new directory.
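The course's own command output is not reproduced here, so the following is an added example (not the course's code) that does the bookkeeping a practitioner wants around these steps: it extracts the context from a line of ls -Z output in either the RHEL 7 or the RHEL 8+ format, splits it into the user, role, type and level fields, compares the types of two files, and provides the persistent counterpart of chcon (semanage fcontext -a followed by restorecon -Rv). The /virtual directory and the httpd_sys_content_t type are taken from the text; the ls -Z lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the course material. Pure-text helpers that work
# anywhere, plus a guarded wrapper that only runs where the SELinux tools exist.
# The ls -Z lines in the demo are constructed, not real command output.

# Pull the security context out of one line of "ls -Z" output. Works for both
# the long RHEL 7 form ("-rw-r--r--. root root CTX name") and the short
# RHEL 8+ form ("CTX name"): the context is the first field with three colons.
context_of_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit }
    }'
}

# Split a context user:role:type:level into its fields. The level is taken
# as "everything after the third colon" because MLS ranges contain colons
# themselves (for example s0:c0.c1023).
ctx_field() {
    case $2 in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     echo "ctx_field: unknown field $2" >&2; return 1 ;;
    esac
}

# Compare the TYPE of two "ls -Z" lines; prints "same" or "differs". Only the
# type matters to the targeted policy, so a user or role difference alone is
# not what blocks access.
same_type() {
    t1=$(ctx_field "$(context_of_ls_line "$1")" type)
    t2=$(ctx_field "$(context_of_ls_line "$2")" type)
    if [ "$t1" = "$t2" ]; then echo same; else echo differs; fi
}

# Persistent version of "chcon -t TYPE DIR": record the rule in the policy's
# file-context database, then apply it. Unlike chcon, a later restorecon or a
# full relabel keeps this label. Needs root plus semanage and restorecon.
# If a rule for the directory already exists, semanage -a fails; use -m then.
relabel_dir_persistently() {
    dir=$1; type=$2
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 2; }
    semanage fcontext -a -t "$type" "${dir}(/.*)?" || return 1
    restorecon -Rv "$dir"
}

# Demo on constructed ls -Z lines.
before='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /virtual/index.html'
after='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'
echo "type of /virtual file:       $(ctx_field "$(context_of_ls_line "$before")" type)"
echo "type of /var/www/html file:  $(ctx_field "$(context_of_ls_line "$after")" type)"
echo "types:                       $(same_type "$before" "$after")"
```

Running relabel_dir_persistently /virtual httpd_sys_content_t as root is the step that makes the /virtual label survive; the chcon from the text gives the same ls -Z result until the next restorecon, which is why the two look identical right after they are run and differ afterwards.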
Try to view http://servera/index.html again. You should see the message This
is SERVERA. displayed.
Exit from servera.
SELinux booleans
SELinux booleans are switches that change the behavior of the SELinux policy: each
boolean enables or disables a set of rules in the policy, so a security administrator can
tune the policy with selective adjustments without writing a new policy module.
Commands useful for managing SELinux booleans include getsebool, which lists booleans
and their state, and setsebool, which modifies booleans. setsebool without -P changes only
the running value, which is lost at reboot; setsebool -P also writes the change into the
policy to make it persistent. The semanage boolean -l command reports both the current
and the persistent (default) value of each boolean, so it shows whether a change has been
made persistent, along with a short description of the boolean.
Non-privileged users can run the getsebool command, but you must be root to run
semanage boolean -l and setsebool.
For example, getsebool httpd_enable_homedirs reports:
httpd_enable_homedirs --> on
The -P option writes all pending values to the policy, making them persistent across reboots.
In the semanage boolean -l output that follows, note the two values in parentheses, the
current state and the persistent default: both are now set to on.
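As an added example (not part of the course), this script parses the two output formats just described, getsebool's "name --> value" and semanage boolean -l's "(current , default)", and reports booleans whose running value differs from the stored default, which is exactly what setsebool without -P leaves behind. The sample output it parses is constructed; the boolean names come from the text.

```shell
#!/bin/sh
# Added example, not from the course material. Parses the two report formats
# the text describes (getsebool's "name --> value" and semanage boolean -l's
# "(current , default)") so runtime and persistent values can be compared,
# plus a guarded wrapper around setsebool -P. Sample output is constructed.

# Value of one boolean from "getsebool -a"-style input on stdin.
getsebool_value() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }'
}

# Read "semanage boolean -l" output on stdin and print, for every boolean
# whose running state differs from its stored default, "name current default".
# A non-empty result means a setsebool was run without -P: the running value
# will revert at the next reboot.
boolean_drift() {
    awk '/\(/ {
        s = $0
        sub(/^[^(]*\(/, "", s)      # drop everything up to the opening paren
        sub(/\).*/, "", s)          # drop the closing paren and the description
        gsub(/[ ,]+/, " ", s)       # "on   ,  off" -> "on off"
        n = split(s, v, " ")
        if (n == 2 && v[1] != v[2]) print $1, v[1], v[2]
    }'
}

# Set a boolean persistently ($1 = name, $2 = on|off) and confirm the running
# value followed. Needs root and the setsebool/getsebool tools.
persist_boolean() {
    command -v setsebool >/dev/null 2>&1 || { echo "setsebool not installed" >&2; return 2; }
    setsebool -P "$1" "$2" || return 1
    [ "$(getsebool "$1" | awk '{ print $3 }')" = "$2" ]
}

# Demo on constructed semanage boolean -l / getsebool output.
sample='SELinux boolean                State  Default Description
httpd_enable_homedirs          (on   ,  off)  Allow httpd to read home directories
httpd_can_network_connect      (off  ,  off)  Allow httpd to act as a relay'
echo "booleans changed without -P:"
printf '%s\n' "$sample" | boolean_drift
echo "getsebool value: $(printf 'httpd_enable_homedirs --> on\n' | getsebool_value httpd_enable_homedirs)"
```

On a real host, "semanage boolean -l | boolean_drift" run as root is a quick audit of whether a colleague's setsebool ever got its -P; an empty result means every running boolean matches what the policy will load at the next boot.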
Using the less command, view the contents of /var/log/messages. Use the / key and search
for sealert. Copy the suggested sealert command so that it can be used in the next step. Use
the q key to quit the less command.
Run the suggested sealert command. Note the source context, the target objects, the policy,
and the enforcing mode.
The Raw Audit Messages section of the sealert output is taken from
/var/log/audit/audit.log. Use the ausearch command to search that file directly: the -m
option selects the message type (-m AVC for access vector cache denials) and the -ts option
selects a start time (for example -ts recent for the last ten minutes). The entry identifies
the process and file that caused the alert: the process is the httpd Apache web server, the
file is /lab-content/lab.html, and the source context is system_r:httpd_t.
Display the SELinux context of the new HTTP document root and the original HTTP
document root. Resolve the SELinux issue preventing Apache from serving web content.
Use ls -dZ to compare the document root /lab-content with /var/www/html.
Create a file context rule that sets the default type to httpd_sys_content_t for
/lab-content and all the files below it.
Use the restorecon command to apply the new context to the files in /lab-content.
Verify that the SELinux issue has been resolved and Apache is able to serve web content.
Use your web browser to refresh the http://serverb/lab.html link. Now you should see
some web content.
This is the html file for the SELinux final lab on SERVERB.
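To tie the troubleshooting steps together, here is an added example (not the course's code; the audit record it parses is constructed in the audit log format, not taken from the lab) that extracts the process, target, contexts and class from a raw AVC record as ausearch -m AVC prints it and, for the httpd_t-versus-unlabelled-content case in this lab, prints the semanage fcontext and restorecon commands that resolve it. The /lab-content path and the httpd_sys_content_t type are taken from the text.

```shell
#!/bin/sh
# Added example, not from the course material. Pulls the fields the text
# points at (process, target, contexts, class) out of a raw AVC record and
# derives the fix for the "Apache cannot read its new document root" case.
# The audit line below is constructed in the real audit format; it is not the
# lab's actual log.

# Value of key=value (quotes stripped) from one audit record; $1 = record,
# $2 = key. Matches only fields that start with the key, so "name" does not
# pick up "hostname".
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# The permission(s) that were denied, e.g. "read" or "read open".
avc_permission() {
    printf '%s\n' "$1" | sed -e 's/.*{ *\([^}]*\)}.*/\1/' -e 's/[[:space:]]*$//'
}

# Type field of a user:role:type:level context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Decide what to do with a denial ($1 = record, $2 = directory the content
# lives in). For httpd_t hitting a file or directory whose type is not an
# httpd_* type, the fix is a file-context rule for the directory plus
# restorecon; if the type is already an httpd type, a boolean is the more
# likely lever. Anything else is left to sealert.
avc_suggest() {
    line=$1; dir=$2
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    case "$stype/$tclass" in
        httpd_t/file|httpd_t/dir)
            case $ttype in
                httpd_*) echo "target type $ttype is already an httpd type; review semanage boolean -l" ;;
                *) printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\nrestorecon -Rv %s\n' "$dir" "$dir" ;;
            esac ;;
        *) echo "no canned fix for $stype on $tclass; run: sealert -a /var/log/audit/audit.log" ;;
    esac
}

# Pull real denials when running on a SELinux host (needs root and auditd).
recent_avcs() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not installed" >&2; return 2; }
    ausearch -m AVC -ts recent 2>/dev/null
}

# Demo on the constructed record.
avc='type=AVC msg=audit(1470047142.497:2296): avc:  denied  { read } for  pid=1598 comm="httpd" name="lab.html" dev="vda1" ino=8980 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'
echo "process=$(avc_field "$avc" comm) file=$(avc_field "$avc" name) denied=$(avc_permission "$avc")"
echo "source=$(avc_field "$avc" scontext) target=$(avc_field "$avc" tcontext) class=$(avc_field "$avc" tclass)"
echo "suggested fix:"
avc_suggest "$avc" /lab-content
```

On the lab host, "recent_avcs | grep '^type=AVC'" run as root feeds real records into the same functions; the target type default_t on a file httpd_t is reading is the signature of a directory created outside the policy's known paths, and the two printed commands are the persistent fix rather than a chcon that the next relabel would undo.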