How to Configure Security-Enhanced Linux (SELinux) Policies
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for enforcing access control security policies, including mandatory access control (MAC). It consists of a set of kernel modifications and user-space tools that ship with many Linux distributions. It was originally developed by the United States National Security Agency (NSA).
Install Packages
First we need to make sure semanage is installed. The semanage command manages the SELinux policy store without touching the policy sources; its fcontext subcommand, which we use below, records persistent file-context mappings (path pattern to SELinux type). On CentOS 7 it lives in the policycoreutils-python package, on CentOS 8 and Ubuntu in policycoreutils-python-utils.
# CentOS 7
sudo yum install -y policycoreutils-python
# CentOS 8
sudo dnf install -y policycoreutils-python-utils
# Ubuntu
sudo apt install -y policycoreutils-python-utils
For troubleshooting, we can optionally install setroubleshoot. It watches the audit log for AVC denials and, through the sealert tool, turns them into readable explanations and suggested fixes:
# CentOS
sudo yum install -y setroubleshoot
# Ubuntu
sudo apt install -y setroubleshoot
Context Types
Run this command to see all context types the policy defines for Apache (on CentOS 8 the man page is in the selinux-policy-doc package if it is missing):
man httpd_selinux
List the file-context mappings the policy currently defines (add -C to show only the local customizations added with semanage):
semanage fcontext -l
These four types cover most web sites:

| Type | Use |
| --- | --- |
| httpd_sys_content_t | Content httpd may only read (the default type for /var/www) |
| httpd_sys_rw_content_t | Content httpd may read and write (uploads, writable application data) |
| httpd_log_t | Log files written by httpd |
| httpd_cache_t | Cache files written by httpd |
Create Policies
Many applications, such as WordPress, need parts of their tree labelled differently from the default. The path argument to semanage fcontext is a regular expression; the suffix (/.*)? makes the rule cover the directory itself plus all child directories and files. To label the /var/www/domain.com tree read-only for httpd (httpd_sys_content_t):
semanage fcontext -a -t httpd_sys_content_t '/var/www/domain.com(/.*)?'
To make the same tree readable and writable instead (httpd_sys_rw_content_t), modify the rule that now exists. Running -a a second time with the same expression fails, because semanage refuses to add a file spec that is already defined:
semanage fcontext -m -t httpd_sys_rw_content_t '/var/www/domain.com(/.*)?'
Giving httpd write access to the whole document root lets a compromised web application overwrite its own code, so prefer to apply httpd_sys_rw_content_t only to the directories that genuinely must be writable (for WordPress, typically wp-content/uploads) and leave the rest read-only. Assign httpd_log_t to the logs directory:
semanage fcontext -a -t httpd_log_t '/var/www/domain.com/logs(/.*)?'
Assign httpd_cache_t to the caches directory:
semanage fcontext -a -t httpd_cache_t '/var/www/domain.com/caches(/.*)?'
Apply Policies
We've created our rules, but semanage only records the mapping in the policy store; the labels already on disk are unchanged until we relabel the tree with restorecon (-R recurses, -v prints every file whose label changes):
sudo restorecon -R -v /var/www/domain.com
Repeat this after every rule change. Files httpd creates later normally inherit the type of their parent directory, so a stale label on a directory propagates to everything written into it. We can verify the resulting context types with:
ls -lZ /var/www/domain.com
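Putting the Create and Apply steps together, here is an added example script (not part of the original article) that labels a WordPress-style docroot the way a careful administrator would: the whole tree read-only, httpd_sys_rw_content_t limited to wp-content/uploads, and the choice between -a and -m made automatically by checking the local customizations first, so the script can be re-run safely. The docroot layout, the helper names (fcontext_regex, fcontext_flag, run, label_docroot) and the DRY_RUN switch are this example's own assumptions. Unlike the commands above, it also escapes the dots in the path, because semanage treats the path as a regular expression.

```shell
#!/bin/sh
# Added example (not from the original article): label an Apache docroot with
# semanage/restorecon idempotently and with least privilege. Assumptions:
# docroot /var/www/domain.com with a WordPress-style layout in which only
# wp-content/uploads must be writable by httpd, plus logs/ and caches/ as in
# the article. The helper names below are this example's own.
set -eu

# semanage fcontext takes a regular expression, so escape the dots in a
# literal path ("domain.com" would otherwise also match "domainXcom") and
# append the usual "(/.*)?" so the rule covers the directory and its children.
fcontext_regex() {
    printf '%s(/.*)?' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Choose -a (add) or -m (modify) for a spec. semanage refuses to add a spec
# that already exists in the local customizations, which is what happens when
# the read-only and read-write commands are both run against the same path.
# Reads the output of 'semanage fcontext -l -C' on stdin and compares the
# first column (the spec) as a fixed string, whole line.
fcontext_flag() {
    if awk '{ print $1 }' | grep -Fxq -- "$1"; then
        printf '%s' '-m'
    else
        printf '%s' '-a'
    fi
}

# Run a command, or just print it (unquoted, for review) when DRY_RUN=1,
# so the plan can be inspected before the live policy store is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# label_docroot DOCROOT [EXISTING]
# EXISTING is the output of 'semanage fcontext -l -C'; fetched if not given.
label_docroot() {
    docroot=$1
    existing=${2:-$(semanage fcontext -l -C 2>/dev/null || true)}
    base=$(fcontext_regex "$docroot")

    # Whole tree read-only: httpd can serve it, but a compromised PHP
    # application cannot drop files into it.
    run semanage fcontext "$(printf '%s\n' "$existing" | fcontext_flag "$base")" \
        -t httpd_sys_content_t "$base"

    # Only the directories httpd must actually write get the rw/log/cache types.
    for entry in \
        "httpd_sys_rw_content_t:$docroot/wp-content/uploads" \
        "httpd_log_t:$docroot/logs" \
        "httpd_cache_t:$docroot/caches"
    do
        type=${entry%%:*}
        spec=$(fcontext_regex "${entry#*:}")
        run semanage fcontext "$(printf '%s\n' "$existing" | fcontext_flag "$spec")" \
            -t "$type" "$spec"
    done

    # Rules only change the mapping; relabel the existing files, then show
    # what the policy now assigns to a representative path under uploads.
    run restorecon -R -v "$docroot"
    run matchpathcon "$docroot/wp-content/uploads/test.jpg"
}

# Usage: DRY_RUN=1 ./label-docroot.sh /var/www/domain.com   (print the plan)
#        sudo ./label-docroot.sh /var/www/domain.com         (apply it)
if [ "$#" -gt 0 ]; then
    label_docroot "$1"
fi
```

Run it with DRY_RUN=1 first and read the plan; the matchpathcon call at the end prints the label the policy now assigns to a file under uploads, which is the quickest way to confirm that the more specific read-write rule applies there while the rest of the tree stays read-only.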
Semanage vs Chcon
Like semanage, chcon changes the SELinux context of files, but it works differently: chcon writes the label directly onto the file, while semanage records a mapping in the policy store. A chcon label survives a reboot, but because policy knows nothing about it, the next restorecon, fixfiles run, or full relabel resets the file to whatever the mappings say. Use chcon for quick experiments and semanage plus restorecon for anything that should last. Some examples:
sudo chcon -t httpd_sys_rw_content_t -R /var/www/domain.com
sudo chcon -t httpd_log_t -R /var/www/domain.com/logs
sudo chcon -t httpd_cache_t -R /var/www/domain.com/caches
# Apply on single file
sudo chcon -t httpd_sys_rw_content_t /var/www/domain.com/i.php
That's it. Thanks for reading.