SELinux Tutorial

SELinux is Security-Enhanced Linux. Many administrators disable SELinux to ease administration; it is nevertheless a good idea to keep it enabled and fix the labels and booleans a service needs instead, which is what the commands below do.

View SELinux status (Enforcing, Permissive or Disabled):

getenforce

Disable SELinux enforcement until the next reboot (this switches to permissive mode: denials are logged in the audit log but no longer blocked):

setenforce 0

Make a single SELinux domain permissive instead of the whole system (per-process, by the process's domain):

Apache (domain httpd_t):

semanage permissive -a httpd_t

View the ports SELinux associates with each service type:

semanage port -l

Some SELinux labels (file types) used for Apache content:

Allow Apache to read:

httpd_sys_content_t

Allow Apache to execute (CGI scripts):

httpd_sys_script_exec_t

Allow Apache to read and write:

httpd_sys_content_rw_t

Allow Apache to read and append:

httpd_sys_content_ra_t

Enabling SSH keys with SELinux turned on (after copying keys into /root/.ssh, fix the permissions and let restorecon reset the labels to the policy default, ssh_home_t):

chmod 700 /root/.ssh
chmod 600 /root/.ssh/*
restorecon -R -v /root/.ssh

Set SELinux to allow Apache to access the network:

Check the current SELinux booleans for httpd:

getsebool -a | grep httpd

Set SELinux to allow httpd to open outbound network connections (-P makes the change persistent across reboots):

setsebool -P httpd_can_network_connect 1

Allow Apache to listen on a custom port (here 8888/tcp):

semanage port -a -t http_port_t -p tcp 8888

Allow Apache to send emails:

semanage boolean -m --on httpd_can_sendmail

or

setsebool -P httpd_can_sendmail 1
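The flip side of the setsebool commands above is reviewing which httpd booleans are already on. The following shell script is an added example, not part of the original tutorial: it reads output in the format of getsebool -a | grep httpd and lists the booleans that widen Apache's reach (network connections, mail, home directories, executable memory). The boolean names are real SELinux booleans; the getsebool output embedded in the script is constructed so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the original tutorial): review httpd_* booleans from
# `getsebool -a | grep httpd` output and flag the ones that loosen the policy.

# Constructed sample of `getsebool -a | grep httpd` output.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_unified --> off'

# Booleans worth a second look when they are on (real boolean names).
RISKY_BOOLEANS='httpd_can_network_connect httpd_can_sendmail httpd_enable_homedirs httpd_execmem httpd_unified'

# bool_state NAME: print on/off for NAME read from getsebool-format stdin,
# or "unknown" when the boolean does not appear in the input.
bool_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) print "unknown" }'
}

# enabled_risky: read getsebool output from stdin and print, one per line,
# the risky booleans that are currently on (in RISKY_BOOLEANS order).
enabled_risky() {
    input=$(cat)
    for b in $RISKY_BOOLEANS; do
        state=$(printf '%s\n' "$input" | bool_state "$b")
        [ "$state" = "on" ] && printf '%s\n' "$b"
    done
    return 0
}

# risky_count: number of risky booleans enabled in the stdin listing.
risky_count() {
    enabled_risky | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample; on a real host pipe
# `getsebool -a | grep httpd` into enabled_risky instead.
printf '%s\n' "$SAMPLE_GETSEBOOL" | enabled_risky
```

On the sample input the script reports httpd_can_network_connect and httpd_can_sendmail; each of those is a deliberate decision that should match what the web application actually needs, and the corresponding setsebool -P name 0 reverts it.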

Allow Apache to read custom directories (run inside the directory; chcon changes the label on disk only and is lost on the next relabel):

chcon -Rv --type=httpd_sys_content_t *

Allow Apache to read/write custom directories (run inside the directory):

chcon -Rv --type=httpd_sys_content_rw_t *

Allow Apache to read and append to a directory (same chcon form as above, with this type):

chcon -Rv --type=httpd_sys_content_ra_t *

Allow Apache to work with a custom directory using semanage (the persistent way):

semanage fcontext -a -t httpd_sys_content_rw_t '/custom/directory(/.*)?'
restorecon -R -v /custom/directory

In the above example, the first command records in the policy database that the directory and everything beneath it should carry the label “httpd_sys_content_rw_t” (so the mapping survives a relabel, unlike a plain chcon), while the second command actually applies that label to the files on disk.
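The two-command procedure above has one pitfall: semanage fcontext -a refuses a pattern that already has a local mapping, in which case -m (modify) is needed. The following shell script is an added example, not part of the original tutorial: it builds the '(/.*)?' pattern from a directory path, checks it against output in the format of semanage fcontext -l -C (local customisations only), and prints the semanage and restorecon commands with the right flag. The listing embedded in the script is constructed so it runs without SELinux.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build the semanage fcontext
# command for a custom directory, choosing -a or -m by checking whether the
# pattern already has a local mapping.

# Constructed sample of `semanage fcontext -l -C` output (pattern, file class, context).
SAMPLE_FCONTEXT='/custom/directory(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/srv/app/uploads(/.*)?     all files    system_u:object_r:httpd_sys_content_rw_t:s0'

# fcontext_pattern DIR: strip trailing slashes and append the "(/.*)?" suffix
# that makes the mapping cover the directory and everything beneath it.
fcontext_pattern() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    printf '%s(/.*)?\n' "$dir"
}

# fcontext_action PATTERN: read `semanage fcontext -l` output from stdin and
# print "-m" if PATTERN is already mapped locally, "-a" otherwise.
# String equality in awk compares the pattern literally, not as a regex.
fcontext_action() {
    if awk -v pat="$1" '$1 == pat { found = 1 } END { exit found ? 0 : 1 }'; then
        printf '%s\n' '-m'
    else
        printf '%s\n' '-a'
    fi
}

# fcontext_commands DIR TYPE: print the two commands from the tutorial
# (semanage fcontext, then restorecon) with the right flag for DIR; the
# existing-mapping listing is read from stdin.
fcontext_commands() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    pattern=$(fcontext_pattern "$dir")
    action=$(fcontext_action "$pattern")
    printf "semanage fcontext %s -t %s '%s'\n" "$action" "$2" "$pattern"
    printf 'restorecon -R -v %s\n' "$dir"
}

# Stand-alone usage on the constructed listing; on a real host pipe
# `semanage fcontext -l -C` into fcontext_commands instead.
printf '%s\n' "$SAMPLE_FCONTEXT" | fcontext_commands /custom/directory httpd_sys_content_rw_t
```

With the sample listing, /custom/directory already has a mapping (to httpd_sys_content_t), so the script emits -m to change it to httpd_sys_content_rw_t, while a directory that is not yet listed gets -a. Either way restorecon is what actually relabels the files, and ls -Z on the directory afterwards confirms the result.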

SELinux policy management:

You can manage SELinux with the GUI tool system-config-selinux or the command-line tool “semanage” used throughout this tutorial. To get semanage, install the policycoreutils-python package:

yum install policycoreutils-python