
SELinux was developed by the National Security Agency (NSA). It adds protection for different files,
applications, processes, and so on. On the Red Hat exams, you are expected to work with SELinux.
The first objective is fundamental to SELinux:
   Set enforcing/permissive modes for SELinux
The next objective requires that you understand the SELinux contexts defined for different files and processes:
   List and identify SELinux file and process contexts
The next objective requires that you are able to restore the default file contexts:
   Restore default file contexts
The last objective requires that you configure Boolean settings:
   Use boolean settings to modify system SELinux settings
This article starts from the fundamentals of SELinux.
Understanding SELinux
SELinux can be quite complex, so we start from the basics. Before you start working with SELinux you
should understand the terminology it uses. Let's start with some of the basic concepts:
- subject: a subject is a command, process or application which wants to access a Linux file.
- object: an object is a Linux file or service.
- action: an action is what may be done by the subject to the object.
Each file, folder, and service has an associated label that contains all three contexts.

File Contexts: SELinux uses four different contexts to enforce security:

- user [take it as the subject]
- role [understand it as the object]
- domain (also known as type; this is the action)
- level (new in RHEL6; this level represents the sensitivity level of a file or directory)
For contexts you could use more restrictive values, but for the RHCE exam you should focus only on the following
context values.
Important context values for RHCE Exam

Context   Value          Description
User      unconfined_u   Unprotected user
User      system_u       System user
User      user_u         Normal user
Role      object_r       File
Role      system_r       Users and processes
Domain    unconfined_r   Unprotected file or process


Take the sshd service as an example and check its SELinux labels.
- The first field you see here is system_u, which, as you can tell from the table, is a system user.
- The second field contains system_r, which again you can look up in the table to see that it is a user or, in this case, a process.
- The third field shows sshd_t as the domain.
The domain is simply a way of categorizing what contexts can do to one another. Let's take another
example of a domain context.

From the output you can see:

user [subject]    system_u (a system user)
role [object]     object_r (a file)
domain [action]   etc_t
Any service that has access to the etc_t domain is able to access this file. Besides root, only system services
have access to the /etc directory, so a domain of etc_t makes sense.
Now you have a basic understanding of SELinux contexts.
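
The label format described above, split into its fields by a small shell function. This is an added example, not part of the original article; the function name parse_context is hypothetical, and the sample labels are constructed from the values the article names, with assumed level values.

```bash
#!/bin/bash
# Split an SELinux label of the form user:role:type[:level] into its fields.
# The level can contain colons itself (e.g. s0-s0:c0.c1023), so only the
# first three colons are treated as separators.
parse_context() {
    local label="$1" user role type level rest
    case $label in
        *:*:*) ;;
        *) echo "not a context label: $label" >&2; return 1 ;;
    esac
    user=${label%%:*}; rest=${label#*:}
    role=${rest%%:*};  rest=${rest#*:}
    type=${rest%%:*}
    # Whatever follows the type is the level; it is empty on three-field labels.
    if [ "$rest" = "$type" ]; then level=""; else level=${rest#*:}; fi
    if [ -z "$user" ] || [ -z "$role" ] || [ -z "$type" ]; then
        echo "empty field in label: $label" >&2; return 1
    fi
    printf 'user=%s role=%s type=%s level=%s\n' "$user" "$role" "$type" "$level"
}

# Constructed sample labels: the sshd process and a file under /etc, using the
# user, role and type values from the article; the level values are assumed.
for label in 'system_u:system_r:sshd_t:s0-s0:c0.c1023' 'system_u:object_r:etc_t:s0'; do
    parse_context "$label"
done
```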

This article discusses SELinux commands. There are several commands for SELinux, but this article
focuses only on those required in the RHCE exam.
sestatus
Shows the current status of SELinux

Options:
-b Displays all Booleans and their statuses
-v Provides verbose output

getenforce
Shows the enforcing status of SELinux
setenforce
Changes the enforcing status of SELinux

getsebool
Returns the Boolean value of a service option

setsebool
Sets the Boolean value of a service option

-P Makes the changes persistent

chcon
Changes the context of a file, directory, or service
Options:
-f Suppresses error messages
-u Sets user context
-r Sets role context
-t Sets type context (domain)
-R Changes recursively
-v Provides verbose output

restorecon
Resets the context of an object

Options:
-i Ignores files that don’t exist
-p Shows progress
-v Shows changes as they happen
-F Resets context

semanage
To review the status of current users, run the semanage login -l command

Listing context
To see the context of a particular file, run the ls -Z command.
To check the SELinux labels associated with a service

This article covers the following RHCSA exam objectives:

- How to set enforcing mode for SELinux
- How to set permissive mode for SELinux
- How to disable SELinux
SELinux is included in the default installation of RHEL6. When you install RHEL6, SELinux is automatically
installed in enforcing mode. But for the exam you should know which rpm packages are required for SELinux.
The following rpm packages are required for SELinux:
- selinux
- policycoreutils
- setroubleshoot
- selinux-policy-targeted
- selinux-policy
- libselinux
- libselinux-python
- libselinux-utils
- policycoreutils-python
- setroubleshoot-server
- setroubleshoot-plugins
This article assumes that the above packages are installed. If they are not, install them first.
Before going further, make sure you have all required packages installed. Use the rpm -qa | grep selinux, rpm
-q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are
installed.
rpm -qa | grep selinux
rpm -qa | grep policycoreutils
rpm -qa | grep setroubleshoot
How to check that SELinux is running
To determine the current status of SELinux, use the sestatus command.

As suggested in the RHCSA objectives, you need to know how to “Set enforcing or permissive modes for
SELinux.” There are three available modes for SELinux: enforcing, permissive, and disabled.

disabled     SELinux is turned off and does not restrict any action.
permissive   Any SELinux security violation is only logged; in permissive mode
             security violations are not stopped.
enforcing    Any SELinux security violation is logged and the service would stop.
             Any action that violates an SELinux rule is denied.

Configuring SELinux
You can change the mode in which SELinux operates by changing the config file. The main config file is
/etc/selinux/config.
Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this
happens, confined domains may be denied access, preventing your system from booting correctly. To prevent
this, configure SELINUX=permissive in /etc/selinux/config.
Open the configuration file.

Set the mode to permissive and save the file.

Now reboot the system.


During the next boot, file systems are labeled. The label process labels all files with an SELinux context. In
permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been
denied if running in enforcing mode.
After the reboot you can verify that the system is in permissive mode.

Before changing to enforcing mode, run the grep "SELinux is preventing" /var/log/messages command to
confirm that SELinux did not deny actions during the last boot.

If SELinux did not deny actions during the last boot, this command does not return any output.
If there were no denial messages in /var/log/messages, open the /etc/selinux/config file.

Configure SELINUX=enforcing in /etc/selinux/config:

Reboot your system.

After the reboot, confirm that the getenforce command returns Enforcing:

Or you could use the sestatus command.
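
The permissive-to-enforcing procedure above, scripted as a pre-flight check. This is an added example, not part of the original article; the function names are hypothetical, and file paths are passed as arguments so the check can be tried on copies of /etc/selinux/config and /var/log/messages first.

```bash
#!/bin/bash
# Pre-flight check for the permissive -> enforcing switch described above.

# Print the mode from the single uncommented SELINUX= line of a config file.
# SELINUXTYPE= and commented lines do not match the pattern.
config_mode() {
    local value
    value=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*//p' "$1")
    case $value in
        enforcing|permissive|disabled) echo "$value" ;;
        *) echo "missing, duplicated or invalid SELINUX= line in $1" >&2; return 1 ;;
    esac
}

# Count "SELinux is preventing" messages in a log file.
count_denials() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c "SELinux is preventing" "$1" || true   # grep exits 1 on zero matches
}

# Exit status: 0 = safe to switch, 1 = denials logged, 2 = precondition not met.
ready_for_enforcing() {
    local mode denials
    mode=$(config_mode "$1") || return 2
    [ "$mode" = permissive ] || { echo "config is $mode, not permissive" >&2; return 2; }
    denials=$(count_denials "$2") || return 2
    if [ "$denials" -gt 0 ]; then
        echo "$denials denial message(s) in $2; resolve them first" >&2
        return 1
    fi
    echo "no denials logged; SELINUX=enforcing can be set"
}

# Rewrite only the SELINUX= line. The file is overwritten in place (no rename),
# so it keeps its inode, ownership and SELinux label.
set_config_mode() {
    local new
    case $2 in enforcing|permissive|disabled) ;; *) echo "bad mode: $2" >&2; return 2 ;; esac
    new=$(sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1") || return 1
    printf '%s\n' "$new" > "$1"
}

# Usage on a real system (as root), after booting in permissive mode:
#   ready_for_enforcing /etc/selinux/config /var/log/messages &&
#       set_config_mode /etc/selinux/config enforcing
```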


Disabling SELinux is straightforward.
Open the configuration file.

Change the mode to disabled in the configuration file.

Reboot the system.

After the reboot, confirm the status.
