applications, processes, and so on. On the Red Hat exams, you are expected to work with SELinux.
The first objective is fundamental to SELinux
Set enforcing/permissive modes for SELinux
The next objective requires that you understand the SELinux contexts defined for different files and processes.
List and identify SELinux file and process contexts
The next objective requires that you are able to restore the default file contexts.
Restore default file contexts
The last objective requires that you configure boolean settings.
Use boolean settings to modify system SELinux settings
In this article we start from the fundamentals of SELinux.
Understanding SELinux
SELinux can be quite complex, so we start from the basics. Before you start working with SELinux you
should understand the terminology it uses. Let's start with some basic concepts:
subject :- a subject is a command, process or application which wants to access a Linux file.
object :- an object is a Linux file or service.
action :- an action is what may be done by the subject to the object.
Each file, folder, and service has an associated label that contains all three contexts.
Role:
object_r - Files
system_r - Users and processes
In this article we discuss SELinux commands. Although there are several commands for SELinux, in
this article we focus only on those commands which are required for the RHCE exam.
sestatus
Shows the current status of SELinux
Options:
-b Displays all Booleans and their statuses
-v Provides verbose output
getenforce
Shows the enforcing status of SELinux
setenforce
Changes the enforcing status of SELinux
getsebool
Returns the Boolean value of a service option
setsebool
Sets the Boolean value of a service option
chcon
Changes the context of a file, directory, or service
Options:
-f Suppresses error messages
-u Sets user context
-r Sets role context
-t Sets type context (domain)
-R Changes recursively
-v Provides verbose output
restorecon
Resets the context of an object
Options:
-i Ignores files that don’t exist
-p Shows progress
-v Shows changes as they happen
-F Resets context
semanage
To review the mapping of current Linux users to SELinux users, run the semanage login -l command.
Listing contexts
To see the context of a particular file, run the ls -Z command.
To check the SELinux labels associated with a service
As suggested in the RHCSA objectives, you need to know how to “Set enforcing or permissive modes for
SELinux.” There are three available modes for SELinux: enforcing, permissive, and disabled.
disabled :- SELinux is turned off and does not restrict any action.
permissive :- Any SELinux security violation is only logged; the violating action is not stopped.
enforcing :- Any SELinux security violation is logged and the action is denied, so the affected service stops working.
Configuring SELinux
You can change the mode in which SELinux operates by changing the config file. The main config file is
/etc/selinux/config.
Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this
happens, confined domains may be denied access, preventing your system from booting correctly. To prevent
this, configure SELINUX=permissive in /etc/selinux/config.
Open the configuration file to make the change.
Before changing to enforcing mode, run the grep "SELinux is preventing" /var/log/messages command to
confirm that SELinux did not deny any actions during the last boot.
If SELinux did not deny any actions during the last boot, this command returns no output.
If there were no denial messages in /var/log/messages, open the /etc/selinux/config file
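The denial check and the config edit described above, as an added shell example that is not part of the original article: the config and log paths are parameters, and the sample config lines and the sample denial message are constructed so the script runs on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the
# permissive -> enforcing switch, run against constructed sample files.

# Print the SELINUX= mode from a config file, ignoring commented-out lines.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Count "SELinux is preventing" denials (grep -c exits 1 on a count of 0).
selinux_denial_count() {
    grep -c 'SELinux is preventing' "$1" || true
}

# Succeed only when the config is already permissive and the log shows no
# denials, i.e. the state in which the article says enforcing can be enabled.
safe_to_enforce() {
    mode=$(selinux_config_mode "$1")
    denials=$(selinux_denial_count "$2")
    if [ "$mode" = permissive ] && [ "$denials" -eq 0 ]; then
        echo "ok: SELINUX=$mode, 0 denials; enforcing can be enabled"
        return 0
    fi
    echo "hold: SELINUX=$mode, $denials denial(s); resolve them first" >&2
    return 1
}

# Print the config with SELINUX= rewritten to $2; nothing is changed in place.
set_config_mode() {
    sed "s/^[[:space:]]*SELINUX=[a-z]*/SELINUX=$2/" "$1"
}

# Constructed stand-ins for /etc/selinux/config and /var/log/messages in a
# temp dir (path printed); messages.clean is an empty log with no denials.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$d/config"
    printf '%s\n' 'Jan 10 09:00:01 host systemd[1]: Started Apache HTTP Server.' \
        'Jan 10 09:00:02 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.' \
        > "$d/messages"
    : > "$d/messages.clean"
    echo "$d"
}

# Stand-alone run: check both sample logs, then show the rewritten config.
d=$(make_samples)
safe_to_enforce "$d/config" "$d/messages.clean"
safe_to_enforce "$d/config" "$d/messages" || true
set_config_mode "$d/config" enforcing
```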