SELinux

Notes

  • SELinux is a LABELING system, which means every process has a LABEL. Every file, directory, and system object has a LABEL. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

  • A process running in the httpd_t domain can only touch objects whose types the policy allows for that domain, for example files labeled httpd_sys_content_t; "httpd_something_t" here stands for any of the httpd-related types. An object carrying an unrelated type (samba_share_t in the denial shown below) is denied even when the Unix permissions would allow the access.

  • When SELinux is turned back on after having been disabled, the filesystem has to be relabeled: create the marker file /.autorelabel (touch /.autorelabel) and on the next boot every file is assigned an SELinux context from the policy's file_contexts before services start.

  • The context (label) format is user:role:type:level, e.g. system_u:object_r:httpd_sys_content_t:s0. For most policy decisions the type field is the one that matters.

  • When a system runs in permissive or disabled mode, nothing stops files from being created or moved with incorrect labels (mv keeps the source file's label, cp assigns a fresh one based on the destination), so relabel after switching back to enforcing.

  • Files created while SELinux is disabled get no label at all (no security.selinux extended attribute); once SELinux is re-enabled they show up as unlabeled_t until they are relabeled.

Logging

  • If auditd is running, SELinux denial (AVC) messages such as the following are written to /var/log/audit/audit.log by default. If auditd is not running they go to the kernel log instead (visible with dmesg and in /var/log/messages):

    type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
  • If setroubleshootd is running, which is the default when the setroubleshoot-server package is installed, denial messages from /var/log/audit/audit.log are translated into an easier-to-read form ("SELinux is preventing ...") and sent to /var/log/messages

Config

  • /etc/selinux/config - SELinux configuration file
  • /etc/selinux/semanage.conf - SELinux management configuration file
  • /etc/selinux/targeted/contexts/files/file_contexts - SELinux file context configuration file
  • /etc/selinux/targeted/contexts/files/file_contexts.local - SELinux file context local configuration file; this is where semanage fcontext -a records additions, which take precedence over the policy's own file_contexts

OCI Containers

If you use SELinux, you can add the z or Z options to modify the SELinux label of the host file or directory being mounted into the container. This relabels the file or directory on the host machine itself, recursively, and the change persists after the container exits, so it can have consequences outside of the scope of Docker.

  • The z option indicates that the bind mount content is shared among multiple containers: the host path gets the container_file_t type with no MCS categories, so any container can access it.
  • The Z option indicates that the bind mount content is private and unshared: the host path gets container_file_t plus the MCS categories of this one container, so other containers are denied.

Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable, because every file under it loses the type the policy expects, and you may need to relabel the host machine files by hand (restorecon -rv over the affected tree, or a full autorelabel on reboot).
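Added example, not code from Docker, Podman or the original notes: a small guard to run over `-v HOST:CTR[:OPTS]` specs before handing them to `docker run` / `podman run`. It refuses the z/Z relabel options on host paths whose labels the OS depends on, which is the "renders your host machine inoperable" case described above. The two directory lists are an assumption, a conservative starting point to adjust per host; named volumes (no leading slash) have nothing on the host to relabel and always pass. The specs in the demo loop are constructed.

```shell
#!/bin/sh
# Guard for container volume specs on an SELinux host (added example, assumptions noted above).
set -u

# Top-level dirs that may not be relabeled themselves, but whose subdirectories
# are legitimate bind mounts (e.g. /home/alice/proj:/src:Z).
EXACT_ONLY="/ /home /var /tmp /opt /srv /mnt /media"
# Dirs where nothing, at any depth, should be relabeled by a container runtime.
SUBTREE="/usr /etc /boot /dev /proc /sys /bin /sbin /lib /lib64 /root /run"

# is_protected_path PATH -> 0 if relabeling PATH would touch a protected dir, else 1.
is_protected_path() {
    p=$1
    # Resolve .. and symlinks where GNU realpath -m is available; otherwise use the path as given.
    p=$(realpath -m -- "$p" 2>/dev/null) || p=$1
    p=${p%/}; [ -n "$p" ] || p="/"
    for d in $EXACT_ONLY; do
        if [ "$p" = "$d" ]; then return 0; fi
    done
    for d in $SUBTREE; do
        if [ "$p" = "$d" ]; then return 0; fi
        case "$p" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# check_volume_spec HOST:CTR[:OPTS] -> 0 ok, 1 refused (would relabel a protected dir), 2 malformed.
check_volume_spec() {
    spec=$1
    host=${spec%%:*}
    rest=${spec#*:}
    if [ "$rest" = "$spec" ]; then
        echo "malformed volume spec (no container path): $spec" >&2
        return 2
    fi
    opts=${rest#*:}
    [ "$opts" != "$rest" ] || opts=""
    case "$host" in /*) ;; *) return 0 ;; esac   # named volume: nothing on the host to relabel
    oldifs=$IFS; IFS=','; set -- $opts; IFS=$oldifs
    for o in "$@"; do
        case "$o" in
            z|Z)
                if is_protected_path "$host"; then
                    echo "refusing '$spec': ':$o' would relabel $host, a directory the host depends on" >&2
                    return 1
                fi ;;
        esac
    done
    return 0
}

# Stand-alone demo over constructed specs (not real mounts).
for s in "/srv/app/data:/data:Z" "/home/alice/proj:/src:z" "appdata:/data:Z" \
         "/usr:/host-usr:ro" "/usr:/mnt:Z" "/home:/mnt:Z" "/etc/ssl:/certs:ro,z"; do
    if check_volume_spec "$s" 2>/dev/null; then echo "ok       $s"; else echo "REJECTED $s"; fi
done
```

A read-only mount of /usr without z/Z passes, since the label is untouched; /etc/ssl with `ro,z` is still refused, because the relabel happens regardless of the ro flag. The safer alternative for host paths that must be shared with containers is to assign them a container_file_t file context once with semanage fcontext and restorecon, rather than letting each `docker run` rewrite labels.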

Cheatsheet - CLI

sestatus - Check SELinux status

# also list the current state of every boolean
sestatus -b

ls - View SELinux Context of a file

ls -Z $file

Restore default SELinux context

# Dry run
restorecon -nrv $dir
 
# No dry run
restorecon -rv $dir

Troubleshoot AVC denials

# Check SELinux context of the file
ls -Z $file
 
# Check SELinux context of the directory
ls -Z $dir
 
# Check denial message in audit log
sudo grep denied /var/log/audit/audit.log
 
# or
 
grep "SELinux is preventing" /var/log/messages

Translate SELinux audit messages into a description of why the access was denied

sudo grep denied /var/log/audit/audit.log | audit2why
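Added example, not part of the original cheatsheet: a POSIX shell parser for raw AVC records of the shape shown in the Logging section, feeding the troubleshooting steps above. It pulls the permission set, source and target contexts, class, process and path out of each `avc:  denied` line, then collapses a log into "source type -> target type (class) { perms }" counts, so a burst of denials reads as a few lines saying which domain is hitting which label. The audit records in SAMPLE_AUDIT_LOG are constructed for the demo (the first is the denial quoted in the notes); only sed, grep, cut, sort and uniq are needed, no SELinux tooling.

```shell
#!/bin/sh
# AVC denial parser and summariser (added example; sample records below are constructed).
set -u

# parse_avc LINE -> prints "perms|scontext|tcontext|tclass|comm|path"
parse_avc() {
    line=$1
    # Permission set is the brace group after "denied": "{ getattr }" or "{ read write }".
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    scontext=$(printf '%s\n' "$line" | grep -o 'scontext=[^ ]*' | cut -d= -f2)
    tcontext=$(printf '%s\n' "$line" | grep -o 'tcontext=[^ ]*' | cut -d= -f2)
    tclass=$(printf '%s\n' "$line" | grep -o 'tclass=[^ ]*' | cut -d= -f2)
    comm=$(printf '%s\n' "$line" | grep -o 'comm="[^"]*"' | cut -d'"' -f2)
    # Some records carry name= instead of path=; path is then empty.
    path=$(printf '%s\n' "$line" | grep -o 'path="[^"]*"' | cut -d'"' -f2)
    printf '%s|%s|%s|%s|%s|%s\n' "$perms" "$scontext" "$tcontext" "$tclass" "$comm" "$path"
}

# ctx_type CONTEXT -> the type field (third of user:role:type:level)
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# summarize_avc: read audit records on stdin, keep AVC denials, count
# "source_type -> target_type (class) { perms }" pairs, most frequent first.
summarize_avc() {
    while IFS= read -r rec; do
        case "$rec" in *avc:*denied*) ;; *) continue ;; esac
        parsed=$(parse_avc "$rec")
        perms=$(printf '%s\n' "$parsed" | cut -d'|' -f1)
        stype=$(ctx_type "$(printf '%s\n' "$parsed" | cut -d'|' -f2)")
        ttype=$(ctx_type "$(printf '%s\n' "$parsed" | cut -d'|' -f3)")
        tclass=$(printf '%s\n' "$parsed" | cut -d'|' -f4)
        printf '%s -> %s (%s) { %s }\n' "$stype" "$ttype" "$tclass" "$perms"
    done | sort | uniq -c | sort -rn
}

# Constructed sample log: the getattr denial from the notes, a second one on another
# file, an unrelated SYSCALL record, and a write denial on a correctly labeled dir.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1223024155.684:49): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1223024155.684:49): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1223024155.690:50): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/var/www/html/file2" dev=dm-0 ino=399186 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1223024160.100:51): avc:  denied  { write } for  pid=2000 comm="httpd" path="/var/www/html/upload" dev=dm-0 ino=399200 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Stand-alone run. On a live host use instead:
#   sudo grep denied /var/log/audit/audit.log | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

The two summary lines point at two different fixes: httpd_t -> samba_share_t means the files under /var/www/html carry the wrong label (restorecon, or a semanage fcontext rule if the path is non-standard), while httpd_t -> httpd_sys_content_t { write } means the label is right but the policy does not grant that access, which is what a boolean such as httpd_unified or an httpd_sys_rw_content_t label is for. Run the raw lines through audit2why for the policy's own explanation.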

Search for and view denials

# Show summary reports about AVC messages from the audit daemon logs
sudo aureport -a

Get a list of all SELinux booleans

getsebool -a
# or
sestatus -b

Set SELinux boolean

sudo setsebool -P $boolean $value
# e.g. let httpd open outbound network connections; -P makes the change survive a reboot
sudo setsebool -P httpd_can_network_connect on