How to Config Security-Enhanced Linux (SELinux) Policies

Md Obydullah

Published: Sep 10, 2020 - Updated: Mar 16, 2022

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. It was originally developed by NASA.

Install Packages
Context Types
Create Policies
Apply Policies
Semanage vs Chcon

Install Packages

At first, we need to ensure that we’ve installed semanage. The semanage command is used to change the SELinux context of a file or directory persistently. The policycoreutils-python package contains semanage.

# CentOS 7
sudo yum install -y policycoreutils-python

# CentOS 8
sudo dnf install -y policycoreutils-python-utils

# Ubuntu
sudo apt install -y policycoreutils-python-utils

For troubleshooting SELinux issues, we’re going to install another package. It’s optional to install:

 # CentOS
sudo yum install -y setroubleshoot

# Ubuntu
sudo apt install -y setroubleshoot

Context Types

Run this command to see all context types for Apache:

man httpd_selinux

See existing policies:

semanage fcontext -l

These 4 are common types:

httpd_sys_content_t	Read-only directories and files
httpd_sys_rw_content_t	Readable & writable directories and files
httpd_log_t	Assign to logs directory
httpd_cache_t	Assign to caches directory

Create Policies

May applications like WordPress require to assign policies. To assign httpd_sys_content_t context to the /var/www/domain.com directory, child directories and files:

semanage fcontext -a -t httpd_sys_content_t '/var/www/domain.com(/.*)?'

To assign httpd_sys_rw_content_t context to the /var/www/domain.com directory, child directories and files:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/domain.com(/.*)?'

Assign httpd_log_t to logs directories:

semanage fcontext -a -t httpd_log_t '/var/www/domain.com/logs(/.*)?'

Assign httpd_cache_t to logs directories:

semanage fcontext -a -t httpd_cache_t '/var/www/domain.com/caches(/.*)?'

Apply Policies

We’ve created our policies. Now we need to apply the context changes by running this command:

sudo restorecon -R -v /var/www/domain.com

After changing any context, we need to re-apply the context changes. We can verify our context types:

ls -lZ /var/www/domain.com

Semanage vs Chcon

Like semanage, we can change the SElinux context for files using chcon. Chcon temporarily changes the context of files where semanage changes persistently. Here are some examples:

sudo chcon -t httpd_sys_rw_content_t -R /var/www/domain.com
sudo chcon -t httpd_log_t -R /var/www/domain.com/logs
sudo chcon -t httpd_cache_t -R /var/www/domain.com/caches

# Apply on single file
sudo chcon -t httpd_sys_rw_content_t /var/www/domain.com/i.php

That’s it. Thanks for reading. ?

Do you like this article? Please inspire us with star, suggestions and feedback on GitHub.

Linux Server

How to Config Security-Enhanced Linux (SELinux) Policies

Md Obydullah

Table of Contents

Install Packages

Context Types

Create Policies

Apply Policies

Semanage vs Chcon

You May Read

mysqli_connect(): (HY000/2002): Permission denied [Fixed]

How To Select Perfect Theme For Your WordPress Website

Filtering Route with Regular Expressions in Laravel

Route Model Implicit and Explicit Binding in Laravel

Understanding OOP Concepts: Properties and Methods

How to Config Security-Enhanced Linux (SELinux) Policies

Md Obydullah

Table of Contents

Install Packages

Context Types

Create Policies

Apply Policies

Semanage vs Chcon

Share on Social Media

You May Read

mysqli_connect(): (HY000/2002): Permission denied [Fixed]

How To Select Perfect Theme For Your WordPress Website

Filtering Route with Regular Expressions in Laravel

Route Model Implicit and Explicit Binding in Laravel

Understanding OOP Concepts: Properties and Methods