SELinux

Notes

  • SELinux is a LABELING system, which means every process has a LABEL. Every file, directory, and system object has a LABEL. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

  • Access is decided by type: a process running in the httpd_t context can interact with an object carrying an httpd_something_t label only because a policy rule allows that pair of types.

  • When SELinux is enabled on a system that previously ran without it, the relabel process labels every file with an SELinux context during the next boot.

  • The correct Label format is user:role:type:level.

  • When a system runs with SELinux in permissive or disabled mode, nothing stops users from labeling files incorrectly.

  • Files created while SELinux is disabled are not labeled.

Logging

  • If auditd is running, SELinux denial messages such as the following are written to /var/log/audit/audit.log by default.

    type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
  • If setroubleshootd is running (which it is by default), denial messages from /var/log/audit/audit.log are translated into an easier-to-read form and sent to /var/log/messages.

Config

  • /etc/selinux/config - SELinux configuration file
  • /etc/selinux/semanage.conf - SELinux management configuration file
  • /etc/selinux/targeted/contexts/files/file_contexts - SELinux file context configuration file
  • /etc/selinux/targeted/contexts/files/file_contexts.local - SELinux file context local configuration file
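
An added example (not from the original notes) modelling how the file_contexts tables listed above map a path to its default label, which is the label restorecon puts back. The table entries, the paths and the rule that a later entry overrides an earlier one (the reason file_contexts.local entries, appended after the base table, take precedence) are assumptions made for this demo; the real lookup in libselinux is more elaborate, and the "Would relabel" wording only mimics the spirit of a restorecon -nv dry run, not its exact output.

```shell
#!/bin/sh
# Added example: a simplified model of file_contexts lookup.
# Entries below are constructed for the demo and mirror the real file layout:
#   <path regex>   <optional file-type flag, e.g. -->   <user:role:type:level>
FILE_CONTEXTS='/.*                        system_u:object_r:default_t:s0
/var/www(/.*)?                 system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?         system_u:object_r:httpd_sys_script_exec_t:s0
/etc/shadow                --  system_u:object_r:shadow_t:s0'

# Constructed local override, as an admin would add with semanage fcontext -a
FILE_CONTEXTS_LOCAL='/srv/web(/.*)?                 system_u:object_r:httpd_sys_content_t:s0'

# default_context PATH : print the label the tables assign to PATH.
# Assumption: every regex is anchored to the whole path and the LAST matching
# entry wins, so local entries (appended after the base table) override it.
default_context() {
    printf '%s\n%s\n' "$FILE_CONTEXTS" "$FILE_CONTEXTS_LOCAL" | awk -v path="$1" '
    NF >= 2 {
        regex = $1
        label = $NF                      # last column is the context
        if (path ~ ("^" regex "$")) match_label = label
    }
    END { print (match_label == "" ? "<<no match>>" : match_label) }'
}

# check_label PATH CURRENT_LABEL : compare the label a file carries now
# (what ls -Z would show) with the default, the way a restorecon dry run does.
check_label() {
    expected=$(default_context "$1")
    if [ "$expected" = "$2" ]; then
        printf 'ok %s %s\n' "$1" "$2"
    else
        printf 'Would relabel %s from %s to %s\n' "$1" "$2" "$expected"
    fi
}

# Demo: the file from the denial record above, mislabeled as samba_share_t
check_label /var/www/html/file1 system_u:object_r:samba_share_t:s0
```

Feeding the same path and the label reported by ls -Z into check_label shows why the httpd_t process in the Logging section was denied: the file sits under /var/www but carries samba_share_t instead of the httpd_sys_content_t the table assigns, which is exactly what restorecon -rv would fix.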

Cheatsheet - CLI

sestatus - Check SELinux status

# with policy status
sestatus -b

ls - View SELinux Context of a file

ls -Z $file

Restore default SELinux context

# Dry run
restorecon -nrv $dir
 
# No dry run
restorecon -rv $dir

Troubleshoot AVC denials

# Check SELinux context of the file
ls -Z $file
 
# Check SELinux context of the directory
ls -Z $dir
 
# Check denial message in audit log
sudo grep denied /var/log/audit/audit.log
 
# or
 
grep "SELinux is preventing" /var/log/messages

Translate SELinux audit messages into a description of why the access was denied

sudo grep denied /var/log/audit/audit.log | audit2why

Search for and view denials - summary report of AVC messages in the audit daemon logs

sudo aureport -a
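
An added example (not from the original notes) that does offline what the Logging section, the troubleshooting commands, audit2why and aureport -a do against a live system: it parses AVC denial records from audit.log, splits the user:role:type:level labels described in the Notes section, and aggregates denials by source type, target type and object class. The first sample record is the one quoted above; the remaining records are constructed for the demo.

```shell
#!/bin/sh
# Added example: parse and summarize AVC denial records from audit.log.
# First record copied from the notes above; the other three are constructed.
SAMPLE_AVC='type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1223024160.100:50): avc:  denied  { read } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1223024170.200:51): avc:  denied  { name_connect } for  pid=2000 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1223024170.200:51): arch=c000003e syscall=42 success=no exit=-13'

# label_field LABEL FIELD : print one field of a user:role:type:level label.
# The level is taken as "field 4 to end" because an MLS range such as
# s0-s0:c0.c1023 contains its own colon.
label_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# avc_parse : read audit records on stdin and print, per AVC denial,
#   source_type <TAB> target_type <TAB> tclass <TAB> permissions
# "granted" records (from auditallow rules) and non-AVC records are skipped.
avc_parse() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # drop everything up to the "{"
        sub(/ *[}].*/, "", perms)           # drop the "}" and what follows
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        split(s, sf, ":"); split(t, tf, ":")   # third field of a label is the type
        printf "%s\t%s\t%s\t%s\n", sf[3], tf[3], c, perms
    }'
}

# avc_summary : aggregate parsed denials, most frequent first, as
#   <count> <source_type> -> <target_type> (<tclass>): <permissions>
avc_summary() {
    avc_parse | awk -F'\t' '
    { key = $1 " -> " $2 " (" $3 ")"; n[key]++; p[key] = p[key] $4 " " }
    END { for (k in n) { sub(/ $/, "", p[k]); printf "%d %s: %s\n", n[k], k, p[k] } }' | sort -rn
}

# Demo: summarize the constructed sample; on a real host pipe in
#   sudo grep denied /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The summary line "httpd_t -> samba_share_t (file)" is the same conclusion audit2why reaches for the quoted record: the web server type has no rule for Samba-labeled files, so the fix is a relabel (restorecon) or a boolean that permits the access, not a policy change.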

Get a list of all SELinux booleans

getsebool -a
# or
sestatus -b

Set SELinux boolean

sudo setsebool -P $boolean $value
# e.g. sudo setsebool -P httpd_can_network_connect on