Security-Enhanced Linux (SELinux) is a powerful security module integrated into the Linux kernel, designed to provide a mechanism for supporting access control security policies. This post will explore the various aspects of SELinux, including how to change its enforcement mode, control file contexts, adjust policies using Booleans, and troubleshoot SELinux-related issues. By the end, you’ll have a clearer understanding of how SELinux protects your system and how to manage it effectively.
How SELinux Protects Resources
SELinux operates on the principle of mandatory access control (MAC), which restricts the access and actions of processes based on defined security policies. Unlike discretionary access control (DAC), where users control access to their files, MAC policies in SELinux are enforced by the system regardless of user permissions. SELinux labels every file, process, and resource on the system with a security context, and it uses these labels to make decisions about access permissions.
SELinux operates in three modes:
- Enforcing: SELinux policy is enforced, and access is restricted based on the defined policies.
- Permissive: SELinux policies are not enforced, but violations are logged for auditing purposes.
- Disabled: SELinux is turned off entirely.
To check the current SELinux mode, use the getenforce or sestatus command:
[devops@server1 ~]$ getenforce
Enforcing
[devops@server1 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Changing the Current SELinux Mode
To change the SELinux mode temporarily (until the next reboot), you can use the setenforce command:
[devops@server1 ~]$ setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
# Set SELinux to permissive mode
[devops@server1 ~]$ sudo setenforce 0
[devops@server1 ~]$ getenforce
Permissive
# Set SELinux to enforcing mode
[devops@server1 ~]$ sudo setenforce 1
[devops@server1 ~]$ getenforce
Enforcing
Setting the Default SELinux Mode
To make SELinux mode changes permanent, you need to modify the SELinux configuration file located at /etc/selinux/config. Open the configuration file in a text editor.
[devops@server1 ~]$ sudo vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# See also:
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-selinux-modes-at-boot-time_changing-selinux-states-and-modes
#
# NOTE: Up to RHEL 8 release included, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
# grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
# grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Save the file and reboot the system for the changes to take effect.
Managing SELinux Policy Rules with semanage fcontext
SELinux assigns a context to every file and directory on the system, and the policy uses these contexts to decide which processes may access each resource. The rules that map paths to contexts are managed with the semanage fcontext command.
For example, to define the context for a directory and everything beneath it, you can use:
[devops@server1 ~]$ sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
This adds a file-context rule that maps /var/www/html and everything under it to the type httpd_sys_content_t. The rule is recorded in the policy; the labels on disk are not changed until restorecon is run.
Applying the Context with restorecon
After defining a new context with semanage fcontext, you need to apply it using the restorecon command:
[devops@server1 ~]$ sudo restorecon -Rv /var/www/html
The -R option applies the change recursively to every file and directory under /var/www/html, and -v prints each path whose label was changed.
SELinux Policy with Booleans: Activating and Deactivating SELinux Policy Rules
SELinux Booleans allow you to enable or disable certain SELinux policy rules without having to modify and reload the entire policy. You can control these Booleans using the setsebool command.
For example, to allow httpd to run CGI scripts, you can use:
[devops@server1 ~]$ sudo setsebool -P httpd_enable_cgi on
The -P option writes the change into the policy so it persists across reboots; without it, the Boolean reverts to its stored default at the next reboot.
Managing SELinux Booleans with semanage boolean
To list all available SELinux Booleans and their current settings, use:
[devops@server1 ~]$ sudo semanage boolean -l
SELinux boolean State Default Description
abrt_anon_write (off , off) Allow abrt to anon write
abrt_handle_event (off , off) Allow abrt to handle event
abrt_upload_watch_anon_write (on , on) Allow abrt to upload watch anon write
antivirus_can_scan_system (off , off) Allow antivirus to can scan system
antivirus_use_jit (off , off) Allow antivirus to use jit
auditadm_exec_content (on , on) Allow auditadm to exec content
authlogin_nsswitch_use_ldap (off , off) Allow authlogin to nsswitch use ldap
authlogin_radius (off , off) Allow authlogin to radius
authlogin_yubikey (off , off) Allow authlogin to yubikey
awstats_purge_apache_log_files (off , off) Allow awstats to purge apache log files
boinc_execmem (on , on) Allow boinc to execmem
cdrecord_read_content (off , off) Allow cdrecord to read content
cluster_can_network_connect (off , off) Allow cluster to can network connect
cluster_manage_all_files (off , off) Allow cluster to manage all files
cluster_use_execmem (off , off) Allow cluster to use execmem
cobbler_anon_write (off , off) Allow cobbler to anon write
cobbler_can_network_connect (off , off) Allow cobbler to can network connect
cobbler_use_cifs (off , off) Allow cobbler to use cifs
cobbler_use_nfs (off , off) Allow cobbler to use nfs
collectd_tcp_network_connect (off , off) Allow collectd to tcp network connect
colord_use_nfs (off , off) Allow colord to use nfs
condor_tcp_network_connect (off , off) Allow condor to tcp network connect
conman_can_network (off , off) Allow conman to can network
conman_use_nfs (off , off) Allow conman to use nfs
container_connect_any (off , off) Allow container to connect any
container_manage_cgroup (off , off) Allow container to manage cgroup
container_read_certs (off , off) Allow container to read certs
container_use_cephfs (off , off) Allow container to use cephfs
container_use_devices (off , off) Allow container to use devices
container_use_dri_devices (on , on) Allow container to use dri devices
container_use_ecryptfs (off , off) Allow container to use ecryptfs
container_user_exec_content (on , on) Allow container to user exec content
cron_can_relabel (off , off) Allow cron to can relabel
cron_system_cronjob_use_shares (off , off) Allow cron to system cronjob use shares
cron_userdomain_transition (on , on) Allow cron to userdomain transition
cups_execmem (off , off) Allow cups to execmem
cvs_read_shadow (off , off) Allow cvs to read shadow
daemons_dontaudit_scheduling (on , on) Allow daemons to dontaudit scheduling
daemons_dump_core (off , off) Allow daemons to dump core
daemons_enable_cluster_mode (off , off) Allow daemons to enable cluster mode
daemons_use_tcp_wrapper (off , off) Allow daemons to use tcp wrapper
daemons_use_tty (off , off) Allow daemons to use tty
dbadm_exec_content (on , on) Allow dbadm to exec content
dbadm_manage_user_files (off , off) Allow dbadm to manage user files
dbadm_read_user_files (off , off) Allow dbadm to read user files
deny_bluetooth (off , off) Allow deny to bluetooth
deny_execmem (off , off) Allow deny to execmem
deny_ptrace (off , off) Allow deny to ptrace
dhcpc_exec_iptables (off , off) Allow dhcpc to exec iptables
dhcpd_use_ldap (off , off) Allow dhcpd to use ldap
dnsmasq_use_ipset (off , off) Allow dnsmasq to use ipset
domain_can_mmap_files (off , off) Allow domain to can mmap files
domain_can_write_kmsg (off , off) Allow domain to can write kmsg
domain_fd_use (on , on) Allow domain to fd use
domain_kernel_load_modules (off , off) Allow domain to kernel load modules
entropyd_use_audio (on , on) Allow entropyd to use audio
exim_can_connect_db (off , off) Allow exim to can connect db
exim_manage_user_files (off , off) Allow exim to manage user files
exim_read_user_files (off , off) Allow exim to read user files
fcron_crond (off , off) Allow fcron to crond
fenced_can_network_connect (off , off) Allow fenced to can network connect
fenced_can_ssh (off , off) Allow fenced to can ssh
fips_mode (on , on) Allow fips to mode
ftpd_anon_write (off , off) Allow ftpd to anon write
ftpd_connect_all_unreserved (off , off) Allow ftpd to connect all unreserved
ftpd_connect_db (off , off) Allow ftpd to connect db
ftpd_full_access (off , off) Allow ftpd to full access
ftpd_use_cifs (off , off) Allow ftpd to use cifs
ftpd_use_fusefs (off , off) Allow ftpd to use fusefs
ftpd_use_nfs (off , off) Allow ftpd to use nfs
ftpd_use_passive_mode (off , off) Allow ftpd to use passive mode
git_cgi_enable_homedirs (off , off) Allow git to cgi enable homedirs
git_cgi_use_cifs (off , off) Allow git to cgi use cifs
git_cgi_use_nfs (off , off) Allow git to cgi use nfs
git_session_bind_all_unreserved_ports (off , off) Allow git to session bind all unreserved ports
git_session_users (off , off) Allow git to session users
git_system_enable_homedirs (off , off) Allow git to system enable homedirs
git_system_use_cifs (off , off) Allow git to system use cifs
git_system_use_nfs (off , off) Allow git to system use nfs
gitosis_can_sendmail (off , off) Allow gitosis to can sendmail
glance_api_can_network (off , off) Allow glance to api can network
glance_use_execmem (off , off) Allow glance to use execmem
glance_use_fusefs (off , off) Allow glance to use fusefs
global_ssp (off , off) Allow global to ssp
gpg_web_anon_write (off , off) Allow gpg to web anon write
gssd_read_tmp (on , on) Allow gssd to read tmp
guest_exec_content (on , on) Allow guest to exec content
haproxy_connect_any (off , off) Allow haproxy to connect any
httpd_anon_write (off , off) Allow httpd to anon write
httpd_builtin_scripting (on , on) Allow httpd to builtin scripting
httpd_can_check_spam (off , off) Allow httpd to can check spam
httpd_can_connect_ftp (off , off) Allow httpd to can connect ftp
httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix
httpd_can_manage_courier_spool (off , off) Allow httpd to can manage courier spool
httpd_can_network_connect (off , off) Allow httpd to can network connect
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_sendmail (off , off) Allow httpd to can sendmail
httpd_dbus_avahi (off , off) Allow httpd to dbus avahi
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_enable_ftp_server (off , off) Allow httpd to enable ftp server
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
httpd_execmem (off , off) Allow httpd to execmem
httpd_graceful_shutdown (off , off) Allow httpd to graceful shutdown
httpd_manage_ipa (off , off) Allow httpd to manage ipa
httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind
httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam
httpd_read_user_content (off , off) Allow httpd to read user content
httpd_run_ipa (off , off) Allow httpd to run ipa
httpd_run_preupgrade (off , off) Allow httpd to run preupgrade
httpd_run_stickshift (off , off) Allow httpd to run stickshift
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
httpd_setrlimit (off , off) Allow httpd to setrlimit
httpd_ssi_exec (off , off) Allow httpd to ssi exec
httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write
httpd_tmp_exec (off , off) Allow httpd to tmp exec
httpd_tty_comm (off , off) Allow httpd to tty comm
httpd_unified (off , off) Allow httpd to unified
httpd_use_cifs (off , off) Allow httpd to use cifs
httpd_use_fusefs (off , off) Allow httpd to use fusefs
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_use_nfs (off , off) Allow httpd to use nfs
httpd_use_opencryptoki (off , off) Allow httpd to use opencryptoki
httpd_use_openstack (off , off) Allow httpd to use openstack
httpd_use_sasl (off , off) Allow httpd to use sasl
httpd_verify_dns (off , off) Allow httpd to verify dns
icecast_use_any_tcp_ports (off , off) Allow icecast to use any tcp ports
init_audit_control (off , off) Allow init to audit control
init_create_dirs (on , on) Allow init to create dirs
irc_use_any_tcp_ports (off , off) Allow irc to use any tcp ports
irssi_use_full_network (off , off) Allow irssi to use full network
kdumpgui_run_bootloader (off , off) Allow kdumpgui to run bootloader
keepalived_connect_any (off , off) Allow keepalived to connect any
kerberos_enabled (on , on) Allow kerberos to enabled
ksmtuned_use_cifs (off , off) Allow ksmtuned to use cifs
ksmtuned_use_nfs (off , off) Allow ksmtuned to use nfs
logadm_exec_content (on , on) Allow logadm to exec content
logging_syslogd_append_public_content (off , off) Allow logging to syslogd append public content
logging_syslogd_can_sendmail (off , off) Allow logging to syslogd can sendmail
logging_syslogd_list_non_security_dirs (off , off) Allow logging to syslogd list non security dirs
logging_syslogd_run_nagios_plugins (off , off) Allow logging to syslogd run nagios plugins
logging_syslogd_run_unconfined (off , off) Allow logging to syslogd run unconfined
logging_syslogd_use_tty (on , on) Allow logging to syslogd use tty
login_console_enabled (on , on) Allow login to console enabled
logrotate_read_inside_containers (off , off) Allow logrotate to read inside containers
logrotate_use_cifs (off , off) Allow logrotate to use cifs
logrotate_use_fusefs (off , off) Allow logrotate to use fusefs
logrotate_use_nfs (off , off) Allow logrotate to use nfs
logwatch_can_network_connect_mail (off , off) Allow logwatch to can network connect mail
lsmd_plugin_connect_any (off , off) Allow lsmd to plugin connect any
mailman_use_fusefs (off , off) Allow mailman to use fusefs
mcelog_client (off , off) Allow mcelog to client
mcelog_exec_scripts (on , on) Allow mcelog to exec scripts
mcelog_foreground (off , off) Allow mcelog to foreground
mcelog_server (off , off) Allow mcelog to server
minidlna_read_generic_user_content (off , off) Allow minidlna to read generic user content
mmap_low_allowed (off , off) Allow mmap to low allowed
mock_enable_homedirs (off , off) Allow mock to enable homedirs
mount_anyfile (on , on) Allow mount to anyfile
mozilla_plugin_bind_unreserved_ports (off , off) Allow mozilla to plugin bind unreserved ports
mozilla_plugin_can_network_connect (on , on) Allow mozilla to plugin can network connect
mozilla_plugin_use_bluejeans (off , off) Allow mozilla to plugin use bluejeans
mozilla_plugin_use_gps (off , off) Allow mozilla to plugin use gps
mozilla_plugin_use_spice (off , off) Allow mozilla to plugin use spice
mozilla_read_content (off , off) Allow mozilla to read content
mpd_enable_homedirs (off , off) Allow mpd to enable homedirs
mpd_use_cifs (off , off) Allow mpd to use cifs
mpd_use_nfs (off , off) Allow mpd to use nfs
mplayer_execstack (off , off) Allow mplayer to execstack
mysql_connect_any (off , off) Allow mysql to connect any
mysql_connect_http (off , off) Allow mysql to connect http
nagios_run_pnp4nagios (off , off) Allow nagios to run pnp4nagios
nagios_run_sudo (off , off) Allow nagios to run sudo
nagios_use_nfs (off , off) Allow nagios to use nfs
named_tcp_bind_http_port (off , off) Allow named to tcp bind http port
named_write_master_zones (on , on) Allow named to write master zones
neutron_can_network (off , off) Allow neutron to can network
nfs_export_all_ro (on , on) Allow nfs to export all ro
nfs_export_all_rw (on , on) Allow nfs to export all rw
nfsd_anon_write (off , off) Allow nfsd to anon write
nis_enabled (off , off) Allow nis to enabled
nscd_use_shm (on , on) Allow nscd to use shm
openfortivpn_can_network_connect (on , on) Allow openfortivpn to can network connect
openshift_use_nfs (off , off) Allow openshift to use nfs
openvpn_can_network_connect (on , on) Allow openvpn to can network connect
openvpn_enable_homedirs (on , on) Allow openvpn to enable homedirs
openvpn_run_unconfined (off , off) Allow openvpn to run unconfined
pcp_bind_all_unreserved_ports (off , off) Allow pcp to bind all unreserved ports
pcp_read_generic_logs (off , off) Allow pcp to read generic logs
pdns_can_network_connect_db (off , off) Allow pdns to can network connect db
piranha_lvs_can_network_connect (off , off) Allow piranha to lvs can network connect
polipo_connect_all_unreserved (off , off) Allow polipo to connect all unreserved
polipo_session_bind_all_unreserved_ports (off , off) Allow polipo to session bind all unreserved ports
polipo_session_users (off , off) Allow polipo to session users
polipo_use_cifs (off , off) Allow polipo to use cifs
polipo_use_nfs (off , off) Allow polipo to use nfs
polyinstantiation_enabled (off , off) Allow polyinstantiation to enabled
postfix_local_write_mail_spool (on , on) Allow postfix to local write mail spool
postgresql_can_rsync (off , off) Allow postgresql to can rsync
postgresql_selinux_transmit_client_label (off , off) Allow postgresql to selinux transmit client label
postgresql_selinux_unconfined_dbadm (on , on) Allow postgresql to selinux unconfined dbadm
postgresql_selinux_users_ddl (on , on) Allow postgresql to selinux users ddl
pppd_can_insmod (off , off) Allow pppd to can insmod
pppd_for_user (off , off) Allow pppd to for user
privoxy_connect_any (on , on) Allow privoxy to connect any
prosody_bind_http_port (off , off) Allow prosody to bind http port
puppetagent_manage_all_files (off , off) Allow puppetagent to manage all files
puppetmaster_use_db (off , off) Allow puppetmaster to use db
racoon_read_shadow (off , off) Allow racoon to read shadow
radius_use_jit (off , off) Allow radius to use jit
redis_enable_notify (off , off) Allow redis to enable notify
rngd_execmem (off , off) Allow rngd to execmem
rpcd_use_fusefs (off , off) Allow rpcd to use fusefs
rsync_anon_write (off , off) Allow rsync to anon write
rsync_client (off , off) Allow rsync to client
rsync_export_all_ro (off , off) Allow rsync to export all ro
rsync_full_access (off , off) Allow rsync to full access
rsync_sys_admin (off , off) Allow rsync to sys admin
samba_create_home_dirs (off , off) Allow samba to create home dirs
samba_domain_controller (off , off) Allow samba to domain controller
samba_enable_home_dirs (off , off) Allow samba to enable home dirs
samba_export_all_ro (off , off) Allow samba to export all ro
samba_export_all_rw (off , off) Allow samba to export all rw
samba_load_libgfapi (off , off) Allow samba to load libgfapi
samba_portmapper (off , off) Allow samba to portmapper
samba_run_unconfined (off , off) Allow samba to run unconfined
samba_share_fusefs (off , off) Allow samba to share fusefs
samba_share_nfs (off , off) Allow samba to share nfs
sanlock_enable_home_dirs (off , off) Allow sanlock to enable home dirs
sanlock_use_fusefs (off , off) Allow sanlock to use fusefs
sanlock_use_nfs (off , off) Allow sanlock to use nfs
sanlock_use_samba (off , off) Allow sanlock to use samba
saslauthd_read_shadow (off , off) Allow saslauthd to read shadow
screen_allow_session_sharing (off , off) Allow screen to allow session sharing
secadm_exec_content (on , on) Allow secadm to exec content
secure_mode (off , off) Allow secure to mode
secure_mode_insmod (off , off) Allow secure to mode insmod
secure_mode_policyload (off , off) Allow secure to mode policyload
selinuxuser_direct_dri_enabled (on , on) Allow selinuxuser to direct dri enabled
selinuxuser_execheap (off , off) Allow selinuxuser to execheap
selinuxuser_execmod (off , off) Allow selinuxuser to execmod
selinuxuser_execstack (on , on) Allow selinuxuser to execstack
selinuxuser_mysql_connect_enabled (off , off) Allow selinuxuser to mysql connect enabled
selinuxuser_ping (on , on) Allow selinuxuser to ping
selinuxuser_postgresql_connect_enabled (off , off) Allow selinuxuser to postgresql connect enabled
selinuxuser_rw_noexattrfile (on , on) Allow selinuxuser to rw noexattrfile
selinuxuser_share_music (off , off) Allow selinuxuser to share music
selinuxuser_tcp_server (off , off) Allow selinuxuser to tcp server
selinuxuser_udp_server (off , off) Allow selinuxuser to udp server
selinuxuser_use_ssh_chroot (off , off) Allow selinuxuser to use ssh chroot
sge_domain_can_network_connect (off , off) Allow sge to domain can network connect
sge_use_nfs (off , off) Allow sge to use nfs
smartmon_3ware (off , off) Allow smartmon to 3ware
smbd_anon_write (off , off) Allow smbd to anon write
spamassassin_can_network (off , off) Allow spamassassin to can network
spamd_enable_home_dirs (on , on) Allow spamd to enable home dirs
spamd_update_can_network (off , off) Allow spamd to update can network
squid_bind_snmp_port (off , off) Allow squid to bind snmp port
squid_connect_any (on , on) Allow squid to connect any
squid_use_tproxy (off , off) Allow squid to use tproxy
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
ssh_keysign (off , off) Allow ssh to keysign
ssh_sysadm_login (off , off) Allow ssh to sysadm login
ssh_use_tcpd (off , off) Allow ssh to use tcpd
sshd_launch_containers (off , off) Allow sshd to launch containers
sslh_can_bind_any_port (off , off) Allow sslh to can bind any port
sslh_can_connect_any_port (off , off) Allow sslh to can connect any port
sssd_access_kernel_keys (off , off) Allow sssd to access kernel keys
sssd_connect_all_unreserved_ports (off , off) Allow sssd to connect all unreserved ports
sssd_use_usb (off , off) Allow sssd to use usb
staff_exec_content (on , on) Allow staff to exec content
staff_use_svirt (off , off) Allow staff to use svirt
swift_can_network (off , off) Allow swift to can network
sysadm_exec_content (on , on) Allow sysadm to exec content
systemd_socket_proxyd_bind_any (off , off) Allow systemd to socket proxyd bind any
systemd_socket_proxyd_connect_any (off , off) Allow systemd to socket proxyd connect any
telepathy_connect_all_ports (off , off) Allow telepathy to connect all ports
telepathy_tcp_connect_generic_network_ports (on , on) Allow telepathy to tcp connect generic network ports
tftp_anon_write (off , off) Allow tftp to anon write
tftp_home_dir (off , off) Allow tftp to home dir
tmpreaper_use_cifs (off , off) Allow tmpreaper to use cifs
tmpreaper_use_nfs (off , off) Allow tmpreaper to use nfs
tmpreaper_use_samba (off , off) Allow tmpreaper to use samba
tomcat_can_network_connect_db (off , off) Allow tomcat to can network connect db
tomcat_read_rpm_db (off , off) Allow tomcat to read rpm db
tomcat_use_execmem (off , off) Allow tomcat to use execmem
tor_bind_all_unreserved_ports (off , off) Allow tor to bind all unreserved ports
tor_can_network_relay (off , off) Allow tor to can network relay
tor_can_onion_services (off , off) Allow tor to can onion services
unconfined_chrome_sandbox_transition (on , on) Allow unconfined to chrome sandbox transition
unconfined_dyntrans_all (off , off) Allow unconfined to dyntrans all
unconfined_login (on , on) Allow unconfined to login
unconfined_mozilla_plugin_transition (on , on) Allow unconfined to mozilla plugin transition
unprivuser_use_svirt (off , off) Allow unprivuser to use svirt
use_ecryptfs_home_dirs (off , off) Allow use to ecryptfs home dirs
use_fusefs_home_dirs (off , off) Allow use to fusefs home dirs
use_lpd_server (off , off) Allow use to lpd server
use_nfs_home_dirs (off , off) Allow use to nfs home dirs
use_samba_home_dirs (off , off) Allow use to samba home dirs
use_virtualbox (on , on) Allow use to virtualbox
user_exec_content (on , on) Allow user to exec content
varnishd_connect_any (off , off) Allow varnishd to connect any
virt_lockd_blk_devs (off , off) Allow virt to lockd blk devs
virt_qemu_ga_manage_ssh (off , off) Allow virt to qemu ga manage ssh
virt_qemu_ga_read_nonsecurity_files (off , off) Allow virt to qemu ga read nonsecurity files
virt_read_qemu_ga_data (off , off) Allow virt to read qemu ga data
virt_rw_qemu_ga_data (off , off) Allow virt to rw qemu ga data
virt_sandbox_share_apache_content (off , off) Allow virt to sandbox share apache content
virt_sandbox_use_all_caps (on , on) Allow virt to sandbox use all caps
virt_sandbox_use_audit (on , on) Allow virt to sandbox use audit
virt_sandbox_use_fusefs (off , off) Allow virt to sandbox use fusefs
virt_sandbox_use_mknod (off , off) Allow virt to sandbox use mknod
virt_sandbox_use_netlink (off , off) Allow virt to sandbox use netlink
virt_sandbox_use_sys_admin (off , off) Allow virt to sandbox use sys admin
virt_transition_userdomain (off , off) Allow virt to transition userdomain
virt_use_comm (off , off) Allow virt to use comm
virt_use_execmem (off , off) Allow virt to use execmem
virt_use_fusefs (off , off) Allow virt to use fusefs
virt_use_glusterd (off , off) Allow virt to use glusterd
virt_use_nfs (on , on) Allow virt to use nfs
virt_use_pcscd (off , off) Allow virt to use pcscd
virt_use_rawip (off , off) Allow virt to use rawip
virt_use_samba (off , off) Allow virt to use samba
virt_use_sanlock (off , off) Allow virt to use sanlock
virt_use_usb (on , on) Allow virt to use usb
virt_use_xserver (off , off) Allow virt to use xserver
webadm_manage_user_files (off , off) Allow webadm to manage user files
webadm_read_user_files (off , off) Allow webadm to read user files
wine_mmap_zero_ignore (off , off) Allow wine to mmap zero ignore
xdm_bind_vnc_tcp_port (off , off) Allow xdm to bind vnc tcp port
xdm_exec_bootloader (off , off) Allow xdm to exec bootloader
xdm_manage_bootloader (on , on) Allow xdm to manage bootloader
xdm_sysadm_login (off , off) Allow xdm to sysadm login
xdm_write_home (off , off) Allow xdm to write home
xen_use_nfs (off , off) Allow xen to use nfs
xend_run_blktap (on , on) Allow xend to run blktap
xend_run_qemu (on , on) Allow xend to run qemu
xguest_connect_network (on , on) Allow xguest to connect network
xguest_exec_content (on , on) Allow xguest to exec content
xguest_mount_media (on , on) Allow xguest to mount media
xguest_use_bluetooth (on , on) Allow xguest to use bluetooth
xserver_clients_write_xshm (off , off) Allow xserver to clients write xshm
xserver_execmem (off , off) Allow xserver to execmem
xserver_object_manager (off , off) Allow xserver to object manager
zabbix_can_network (off , off) Allow zabbix to can network
zabbix_run_sudo (off , off) Allow zabbix to run sudo
zarafa_setrlimit (off , off) Allow zarafa to setrlimit
zebra_write_config (off , off) Allow zebra to write config
zoneminder_anon_write (off , off) Allow zoneminder to anon write
zoneminder_run_sudo (off , off) Allow zoneminder to run sudo
This command lists every Boolean with its current and default state (the two values in parentheses) and a brief description of its purpose.
Consulting SELinux Man Pages
Each confined service has a man page whose name ends in _selinux, such as httpd_selinux for Apache httpd; it documents the file context types and Booleans that apply to that service. Consult these pages when you need to know which context or Boolean governs a particular service.
[devops@server1 ~]$ man httpd_selinux
Displaying Useful Information with sealert
When SELinux denies access to a resource, it logs the event, allowing administrators to review and analyze the cause of the denial. One of the most powerful tools for SELinux troubleshooting is sealert, which analyzes SELinux logs and provides suggestions for resolving issues.
To analyze the logs and receive a report, use:
[devops@server1 ~]$ sudo sealert -a /var/log/audit/audit.log
100% done
found 4 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from getattr access on the directory /run/user/1000/libvirt/qemu/run/channel/2-fedora.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-user-runtime-dir should be allowed getattr access on the 2-fedora directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp
Additional Information:
Source Context system_u:system_r:systemd_logind_t:s0
Target Context unconfined_u:object_r:svirt_image_t:s0:c47,c201
Target Objects /run/user/1000/libvirt/qemu/run/channel/2-fedora [
dir ]
Source systemd-user-ru
Source Path /usr/lib/systemd/systemd-user-runtime-dir
Port <Unknown>
Host <Unknown>
Source RPM Packages systemd-252-32.el9_4.6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-
targeted-38.1.35-2.el9_4.2.0.2.noarch
Local Policy RPM selinux-policy-
targeted-38.1.35-2.el9_4.2.0.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name server1.lab.bitstreams.cc
Platform Linux server1.lab.bitstreams.cc
5.14.0-427.28.1.el9_4.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Jul 31 15:28:35 UTC 2024
x86_64 x86_64
Alert Count 1
First Seen 2024-08-06 14:35:28 CEST
Last Seen 2024-08-06 14:35:28 CEST
Local ID 4d9be7b3-1d7a-443e-a128-891725734d3b
Raw Audit Messages
type=AVC msg=audit(1722947728.851:378): avc: denied { getattr } for pid=10649 comm="systemd-user-ru" path="/run/user/1000/libvirt/qemu/run/channel/2-fedora" dev="tmpfs" ino=117 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:svirt_image_t:s0:c47,c201 tclass=dir permissive=0
type=SYSCALL msg=audit(1722947728.851:378): arch=x86_64 syscall=statx success=no exit=EACCES a0=7 a1=5629f9507383 a2=900 a3=1 items=0 ppid=1 pid=10649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)ARCH=x86_64 SYSCALL=statx AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
Hash: systemd-user-ru,systemd_logind_t,svirt_image_t,dir,getattr
This command generates a detailed report that highlights potential issues and offers suggestions for remediation.
The sealert tool can also be used interactively to investigate specific issues as they arise. It provides detailed explanations and recommendations based on the SELinux policy and the context of the denial.
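As an added example (not part of the original post), the following Python parses raw AVC records like the one in the report above and rebuilds the comm, source type, target type, class and permission tuple that sealert prints on its Hash: line, grouping repeated denials and flagging which ones were actually enforced rather than only logged under permissive mode. The first sample record is the one from the report; the httpd records are constructed for this example, and joining multiple permissions with spaces in the key is this example's convention, not sealert's.

```python
"""Parse raw AVC audit records and triage them the way sealert's report does."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# A raw AVC record as written by auditd (or printed by `ausearch -m AVC --raw`).
# Everything after "for" is a run of key=value pairs; values may be double-quoted.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    permissions: Tuple[str, ...]
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def source_type(self) -> str:
        # A context is user:role:type[:level]; policy rules are written against the type.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def sealert_key(self) -> str:
        """comm,source type,target type,class,permissions: the tuple on sealert's Hash: line.
        For denials with several permissions we join them with spaces (our convention)."""
        return ",".join(
            [self.comm, self.source_type, self.target_type, self.tclass, " ".join(self.permissions)]
        )


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for a type=AVC line, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv: Dict[str, str] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=tuple(m.group("perms").split()),
        comm=kv.get("comm", "?"),
        path=kv.get("path") or kv.get("name"),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        # permissive=1 means the access was logged but still allowed, i.e. it actually happened.
        permissive=kv.get("permissive", "0") == "1",
    )


def summarize(lines: Iterable[str]) -> Tuple[Counter, Set[str]]:
    """Count denials per sealert key and return the keys that were actually enforced.

    A key seen only with permissive=1 was logged but not blocked, which is what you get
    after `setenforce 0`; those denials need a fix before returning to enforcing mode."""
    counts: Counter = Counter()
    enforced: Set[str] = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != "denied":
            continue
        key = rec.sealert_key()
        counts[key] += 1
        if not rec.permissive:
            enforced.add(key)
    return counts, enforced


# Sample input: the first record is the one from the sealert report above; the SYSCALL
# line is a non-AVC record that must be skipped; the httpd records are constructed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1722947728.851:378): avc: denied { getattr } for pid=10649 comm="systemd-user-ru" path="/run/user/1000/libvirt/qemu/run/channel/2-fedora" dev="tmpfs" ino=117 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:svirt_image_t:s0:c47,c201 tclass=dir permissive=0
type=SYSCALL msg=audit(1722947728.851:378): arch=x86_64 syscall=statx success=no exit=EACCES comm=systemd-user-ru
type=AVC msg=audit(1722947800.100:401): avc: denied { read write } for pid=12345 comm="httpd" path="/srv/app/config.db" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1722947805.200:402): avc: denied { read write } for pid=12346 comm="httpd" path="/srv/app/config.db" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
"""

if __name__ == "__main__":
    counts, enforced = summarize(SAMPLE_AUDIT.splitlines())
    for key, n in counts.most_common():
        status = "ENFORCED" if key in enforced else "permissive only"
        print(f"{n:3d}  {status:16s}  {key}")
```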
In conclusion, SELinux is a critical component of system security on Linux, enforcing mandatory access control on top of the ordinary file permissions. Knowing how to manage SELinux modes, file contexts and Booleans, and how to troubleshoot denials with sealert, lets you keep your systems both secure and functional: resources stay protected and access is granted precisely where it is needed.