Security-Enhanced Linux (SELinux) is a kernel-level security feature in Linux that provides mandatory access control (MAC) to enforce security policies that restrict users and applications beyond traditional discretionary access control (DAC).
What is SELinux?
SELinux implements a flexible mandatory access control system using labels, policies, and context rules. It helps protect systems against misconfigured applications or compromised processes by controlling their access to files, directories, ports, and more.
SELinux Modes
SELinux can operate in three different modes:
| Mode | Description |
| --- | --- |
| Enforcing | SELinux policy is enforced. Unauthorized access attempts are blocked and logged. |
| Permissive | SELinux does not enforce policy but logs warnings. Useful for troubleshooting. |
| Disabled | SELinux is completely turned off. Not recommended for production environments. |
View Current Mode
getenforce
Set Mode Temporarily
setenforce 0 # Permissive
setenforce 1 # Enforcing
Set Mode Permanently
Edit the /etc/selinux/config file:
SELINUX=enforcing # or permissive / disabled
SELinux Contexts
Every file, process, and port in a system has a security context made up of:
user:role:type:level
The type is most important for access decisions.
View File Context
ls -Z /path/to/file
View Process Context
ps -eZ | grep httpd
Managing SELinux File Contexts
If SELinux blocks access because a file carries the wrong context, relabeling or restoring the context is usually the fix.
Restore Default Contexts
restorecon -Rv /path/to/directory
List and Manage File Context Rules
semanage fcontext -l # list known contexts
semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?' # add new rule
restorecon -Rv /web # apply it
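The two sections above (contexts, and restoring file contexts) both come down to reading the type field out of a user:role:type:level label and comparing it with what the policy expects. The following shell snippet is an added example, not code from the original page: it splits a context into its fields and scans `ls -Z`-style output for files under a web root whose type is not httpd_sys_content_t. The listing it scans is a constructed sample, not a real capture; the function names are my own.

```shell
# Added example (not from the original page): pick the fields out of a
# user:role:type:level context and find files under a web root whose type
# is not the one Apache is allowed to read. The `ls -Z` lines are constructed.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 uploads.tar
unconfined_u:object_r:admin_home_t:s0-s0:c0.c1023 notes.txt
system_u:object_r:httpd_sys_content_t:s0 images'

# The first three fields never contain a colon; the MLS/MCS level can
# (s0-s0:c0.c1023), so take the type with -f3 and the level with -f4-.
context_user()  { printf '%s\n' "$1" | cut -d: -f1; }
context_role()  { printf '%s\n' "$1" | cut -d: -f2; }
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# stdin: `ls -Z`-style lines "<context> <name>"; $1: expected type.
# Prints "<name> <actual type>" for every entry whose type does not match.
find_mislabeled() {
  expected="$1"
  while read -r ctx name; do
    [ -n "$ctx" ] || continue
    actual=$(context_type "$ctx")
    [ "$actual" = "$expected" ] || printf '%s %s\n' "$name" "$actual"
  done
}

# Demo on the constructed listing: reports uploads.tar and notes.txt.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
```

A file sitting in a web root with user_home_t is the classic result of `mv` from a home directory: `mv` keeps the file's existing label, while `cp` gives the new copy the destination directory's default. Either way, `restorecon -Rv` on the web root puts the labels back to what the fcontext rules say.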
Managing SELinux Ports
Certain SELinux types are only allowed to bind to specific ports.
View Allowed Ports
semanage port -l | grep http_port_t
Allow Apache to Use a Non-Default Port (e.g. 8081)
semanage port -a -t http_port_t -p tcp 8081
Managing SELinux Booleans
SELinux booleans control optional policy behaviors (e.g., allowing Apache to connect to the network).
View Booleans
getsebool -a
Temporarily Set a Boolean
setsebool httpd_can_network_connect on
Persistently Set a Boolean
setsebool -P httpd_can_network_connect on
Troubleshooting SELinux
1. View SELinux Denials
Use the audit log:
grep denied /var/log/audit/audit.log
Or with ausearch:
ausearch -m avc -ts recent
Or with sealert (from the setroubleshoot package):
sealert -a /var/log/audit/audit.log
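The grep above shows every denial, but on a busy host the useful view is one line per distinct denial shape (which process, which permission, which object class, source and target type), because that tuple is what decides whether the fix is a file context, a port label or a boolean. The snippet below is an added example, not code from the original page or from setroubleshoot: it summarises AVC records that way and maps each shape to the matching fix from the next section. The audit lines it reads are constructed samples in audit.log format, and the function names are my own.

```shell
# Added example (not from the original page): group AVC denials by the
# fields that decide the fix. The audit lines are constructed samples.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.012:459): avc:  denied  { read } for  pid=1235 comm="httpd" name="logo.png" dev="sda1" ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# stdin: audit.log records. Output: "<count> <comm> <perms> <tclass> <stype> <ttype>",
# most frequent first. Several permissions in one record are joined with "+".
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      perm = ""; comm = ""; tclass = ""; stype = ""; ttype = ""
      # the permission set sits between "{" and "}"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, "+", perm)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
        else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        else if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
      }
      count[comm " " perm " " tclass " " stype " " ttype]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# $1: object class, $2: permission(s). Prints the rule of thumb from the
# "Common Fixes" list that applies to this denial shape.
suggest_fix() {
  case "$1:$2" in
    file:*|dir:*|lnk_file:*)
      echo "file context: check ls -Z on the target, then restorecon or a semanage fcontext rule" ;;
    tcp_socket:name_bind|udp_socket:name_bind)
      echo "port label: semanage port -a -t <service>_port_t -p <proto> <port>" ;;
    tcp_socket:name_connect)
      echo "outbound connect: look for a boolean (getsebool -a | grep connect), then setsebool -P" ;;
    *)
      echo "no rule of thumb: run sealert -a /var/log/audit/audit.log" ;;
  esac
}

# Demo on the constructed log: three distinct denial shapes, each with a hint.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc |
  while read -r n comm perm tclass stype ttype; do
    printf '%s x %s %s on %s (%s -> %s): %s\n' \
      "$n" "$comm" "$perm" "$tclass" "$stype" "$ttype" "$(suggest_fix "$tclass" "$perm")"
  done
```

The source type (httpd_t here) tells you which confined domain was blocked; the target type tells you what it hit. A target of user_home_t under a web root points at a mislabeled file, unreserved_port_t at an unlabeled port, and mysqld_port_t at an outbound connection the policy gates behind a boolean. To run this against a real host, replace the sample with `summarize_avc < /var/log/audit/audit.log`.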
2. Common Fixes
- Incorrect file context → restorecon
- Application needs extra permission → enable a boolean (setsebool)
- Custom port access denied → add via semanage port
Example: Allow Apache to Serve Custom Content on a Non-default Directory and Port
- Set the correct context:
semanage fcontext -a -t httpd_sys_content_t "/myweb(/.*)?"
restorecon -Rv /myweb
- Add a custom port (e.g. 8081):
semanage port -a -t http_port_t -p tcp 8081
- Enable necessary booleans:
setsebool -P httpd_can_network_connect on
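Run a second time, the three steps above do not behave the same way: `semanage fcontext -a` and `semanage port -a` both fail with "already defined" if the rule or port exists, and `semanage port -a` also fails when the port is already labeled with another type (8080 belongs to http_cache_port_t by default), where `-m` is needed instead. The script below is an added example, not the page's own, that wraps the procedure in an idempotent function and decides add/modify/nothing from the tools' own listings. It keeps the page's values (/myweb, httpd_sys_content_t, tcp 8081); the `semanage port -l` and `getsebool -a` outputs it parses are constructed samples, and the function names are my own. It assumes semanage is available (policycoreutils-python-utils on RHEL-family systems).

```shell
# Added example (not the page's own script): the three steps as an idempotent
# function plus the decision helpers it needs. Command outputs below are
# constructed samples shaped like `semanage port -l` and `getsebool -a`.
WEB_ROOT=/myweb
WEB_PORT=8081

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61000-65535'

SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off'

# $1 wanted type, $2 proto, $3 port; stdin: `semanage port -l` output.
# Prints add (port not defined), modify (defined with another type, so
# `semanage port -a` would fail with "already defined") or none.
# A port that merely falls inside a range such as 1024-32767 is not "defined".
port_action() {
  awk -v t="$1" -v p="$2" -v n="$3" '
    $2 == p {
      for (i = 3; i <= NF; i++) { v = $i; sub(/,$/, "", v); if (v == n) found = $1 }
    }
    END {
      if (found == "") print "add"
      else if (found == t) print "none"
      else print "modify"
    }'
}

# $1 boolean, $2 wanted value (on/off); stdin: `getsebool -a` output.
# Prints set, none, or unknown (boolean not in this policy).
bool_action() {
  awk -v b="$1" -v want="$2" '
    $1 == b { found = 1; r = ($3 == want) ? "none" : "set"; print r }
    END { if (!found) print "unknown" }'
}

# Runs the real commands; only call this on a host with the SELinux tools.
apply_procedure() {
  command -v semanage >/dev/null 2>&1 || { echo "semanage missing" >&2; return 1; }
  # -a fails if the rule exists; fall back to -m so reruns are harmless
  semanage fcontext -a -t httpd_sys_content_t "${WEB_ROOT}(/.*)?" 2>/dev/null ||
    semanage fcontext -m -t httpd_sys_content_t "${WEB_ROOT}(/.*)?"
  restorecon -Rv "$WEB_ROOT"
  case "$(semanage port -l | port_action http_port_t tcp "$WEB_PORT")" in
    add)    semanage port -a -t http_port_t -p tcp "$WEB_PORT" ;;
    # modify takes the port away from the type that owned it; check that
    # no other service on the host relies on the old label first
    modify) semanage port -m -t http_port_t -p tcp "$WEB_PORT" ;;
  esac
  [ "$(getsebool -a | bool_action httpd_can_network_connect on)" = set ] &&
    setsebool -P httpd_can_network_connect on
  return 0
}

# Dry run on the constructed samples: shows what apply_procedure would decide.
echo "port 8081: $(printf '%s\n' "$SAMPLE_PORT_LIST" | port_action http_port_t tcp "$WEB_PORT")"
echo "port 8080: $(printf '%s\n' "$SAMPLE_PORT_LIST" | port_action http_port_t tcp 8080)"
echo "boolean:   $(printf '%s\n' "$SAMPLE_BOOLS" | bool_action httpd_can_network_connect on)"
```

The dry run reports add for 8081, modify for 8080 and set for the boolean. `port_action` deliberately matches only exact entries: 8081 lies inside the unreserved_port_t range, yet `semanage port -a` accepts it, because only an explicit single-port or exact-range entry counts as already defined.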
Disabling SELinux (Not Recommended)
Only do this in rare cases, such as debugging legacy applications:
Temporarily:
setenforce 0
Permanently:
Edit /etc/selinux/config:
SELINUX=disabled
Thoughts
SELinux is a critical component of Linux system security. By learning how to:
- Monitor and understand denials
- Manage file, process, and port contexts
- Use booleans for flexibility
…you can leverage its power without compromising usability or security.