Securing RHEL with SELinux

Nov 18, 2025

SELinux principle: If it isn’t specifically allowed, it is denied.

SELinux Labels

The security context label consists of four components, of which only the third, the context type, is relevant to the RHCSA exam. Furthermore, the vast majority of systems that use SELinux only make use of that third component.

user:role:type:level
  • ps Zaux view labels of running processes
  • ls -Zl view labels of files and directories

SELinux Modes

  • SELinux can either be enabled or disabled and a reboot is required to switch
  • When enabled, SELinux can either be in enforcing or permissive mode
    • getenforce shows the current mode
    • setenforce sets the mode
    • modify /etc/sysconfig/selinux to set the default SELinux mode
  • To switch to disabled, boot parameters must be used
    • There really should never be a reason to disable
  • SELinux kernel parameters
    • enforcing=0
    • enforcing=1
    • selinux=0
  • Modify the GRUB boot command to change the settings while booting or the GRUB configuration files to make the settings persistent

SELinux Components

  • SELinux context labels are applied to source and target objects
    • Source objects:
      • Users
      • Processes
    • Target objects:
      • Files and directories
      • Ports
  • SELinux policies define source access to targets

SELinux Context Labels

  • In most SELinux configurations, only context type matters
    • Ignore user, role, and level for RHCSA
  • Most services won’t need additional configuration if default settings are used
  • New and copied files typically inherit the context of the parent directory
  • Moved files retain their original context
  • Use restorecon to restore a file context
  • Use semanage fcontext to set a file context
    • This will write the context to the SELinux policy, but not to the filesystem
    • Use semanage fcontext -a to set a new context label
    • Use semanage fcontext -m to modify context label
  • Use restorecon to enforce the policy setting on the system
  • Alternatively, use touch /.autorelabel to relabel all files to the context that is specified in the policy
  • man semanage-fcontext
  • Use semanage fcontext -l -C to show only settings that have changed in the current policy
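The points above (new files inherit the parent's context, moved files keep their old one, semanage fcontext writes the policy and restorecon applies it) are easiest to see with a dry-run check. The script below is an added example, not part of the original notes and not RHEL tooling: it replays what restorecon -nv reports, using a constructed subset of semanage fcontext -l rules (including the /myweb rule the lab needs) and a constructed file listing, so it runs on a machine without SELinux. It assumes the precedence rule from file_contexts(5): when several regexes match a path, the last one listed wins. On a real host the listing can be produced with GNU find's -printf '%Z %p\n'.

```shell
#!/bin/sh
# Added example: dry-run label check in the spirit of `restorecon -nv`.
# Everything below is constructed; no SELinux tooling is required.

# Constructed subset of `semanage fcontext -l` output: "<regex> <type>".
# The last rule is the one the lab adds with:
#   semanage fcontext -a -t httpd_sys_content_t "/myweb(/.*)?"
FCONTEXT_RULES='
/.*                 default_t
/var/www(/.*)?      httpd_sys_content_t
/home/[^/]+(/.*)?   user_home_t
/myweb(/.*)?        httpd_sys_content_t
'

# Constructed listing ("label path", one per line). /myweb/index.html was
# moved out of a home directory, so it kept user_home_t (moves retain context).
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:default_t:s0 /myweb
unconfined_u:object_r:user_home_t:s0 /myweb/index.html'

# expected_type PATH: the type the rules assign to PATH. The whole path must
# match (as setfiles requires) and later rules override earlier ones
# (assumed precedence, per file_contexts(5)).
expected_type() {
  local path
  path=$1
  printf '%s\n' "$FCONTEXT_RULES" | {
    match=""
    while read -r regex type; do
      [ -n "$regex" ] || continue
      if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
        match=$type
      fi
    done
    printf '%s\n' "$match"
  }
}

# type_of_label LABEL: third field of user:role:type:level.
type_of_label() {
  local IFS
  IFS=:
  set -- $1
  printf '%s\n' "$3"
}

# find_mislabeled: read "label path" lines on stdin (paths without spaces)
# and print each file whose on-disk type differs from the policy's type.
find_mislabeled() {
  local label path cur exp
  while read -r label path; do
    [ -n "$label" ] || continue
    cur=$(type_of_label "$label")
    exp=$(expected_type "$path")
    if [ "$cur" != "$exp" ]; then
      printf '%s: %s (expected %s)\n' "$path" "$cur" "$exp"
    fi
  done
}

# Demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled
```

Both mismatches the demo reports are what restorecon -Rv /myweb would fix once the semanage fcontext rule exists; without that rule the policy would still say default_t for /myweb, which is why semanage fcontext -a must come before restorecon.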

Finding the Right Context

  • If a non-default configuration is used, checking the context used by the default configuration will give the right answer much of the time, and this is how it should be done on the exam
  • sealert
  • Read man pages for selinux-policy-doc, but there’s no time for that on the RHCSA exam

SELinux Port Access

  • For any non-default port access, use semanage port to apply the right label
  • Use semanage port -l to print a list of all the currently defined port contexts
  • Use the examples section in man semanage-port
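One caveat the examples in man semanage-port do not spell out: semanage port -a fails with "already defined" when the port is already assigned to another type, and then semanage port -m is the right call. The script below is an added example, not from the original notes and not RHEL tooling: it parses a constructed subset of semanage port -l output and decides whether a port needs -a, -m, or nothing, then prints the command for the lab's two cases (httpd on 82, sshd on 2022). It assumes the catch-all types reserved_port_t and unreserved_port_t do not block a new assignment and skips them.

```shell
#!/bin/sh
# Added example: decide between `semanage port -a` and `semanage port -m`.
# The table is a constructed subset of `semanage port -l`; real output is
# longer and may contain ranges such as 61001-65535.
PORT_TABLE='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
'

# port_owner PROTO PORT: print the type that already owns PROTO/PORT, or
# nothing. Catch-all types are skipped (assumption: they do not block -a).
port_owner() {
  local proto port
  proto=$1
  port=$2
  printf '%s\n' "$PORT_TABLE" | while read -r type p rest; do
    [ "$p" = "$proto" ] || continue
    case $type in reserved_port_t|unreserved_port_t) continue ;; esac
    for item in $(printf '%s' "$rest" | tr ',' ' '); do
      lo=${item%-*}
      hi=${item#*-}
      if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
        printf '%s\n' "$type"
        exit 0   # leaves the pipeline subshell, first match wins
      fi
    done
  done
}

# port_label_action TYPE PROTO PORT: add | modify | none
port_label_action() {
  local desired owner
  desired=$1
  owner=$(port_owner "$2" "$3")
  if [ -z "$owner" ]; then
    printf 'add\n'
  elif [ "$owner" = "$desired" ]; then
    printf 'none\n'
  else
    printf 'modify\n'
  fi
}

# port_label_command TYPE PROTO PORT: the semanage command to run, if any
port_label_command() {
  local desired proto port action
  desired=$1
  proto=$2
  port=$3
  action=$(port_label_action "$desired" "$proto" "$port")
  case $action in
    add)    printf 'semanage port -a -t %s -p %s %s\n' "$desired" "$proto" "$port" ;;
    modify) printf 'semanage port -m -t %s -p %s %s\n' "$desired" "$proto" "$port" ;;
    none)   printf '# %s/%s is already %s, nothing to do\n' "$proto" "$port" "$desired" ;;
  esac
}

# Demo: the two lab ports plus one that is already taken by another type.
port_label_command http_port_t tcp 82
port_label_command ssh_port_t tcp 2022
port_label_command http_port_t tcp 8080
```

Note that moving 8080 from http_cache_port_t to http_port_t with -m takes it away from the cache label; on a real system check semanage port -l for that port first and prefer an unused one.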

Using Booleans

  • semanage boolean -l to list all booleans
  • semanage boolean --modify {boolean} --[on|off] to set boolean value
  • semanage boolean -l -C to see all booleans that have a non-default value setting

Troubleshooting SELinux

  • Determine if SELinux is blocking access by switching to permissive mode
  • Check the audit log
    • grep AVC /var/log/audit/audit.log
  • Consult the SELinux policy documentation
    • dnf install selinux-policy-doc
    • man -k _selinux
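grep AVC /var/log/audit/audit.log gives raw lines; what you actually want from each denial is who was denied what, on which label, and whether it points to a port label, a file context, or a boolean. The script below is an added example, not from the original notes and not a RHEL tool: it reduces constructed audit.log lines (modelled on the lab's httpd-on-82 and /myweb failures) to one summary per denial with a triage hint. The hint mapping is a simplification, so treat it as a starting point and confirm with sealert.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit.log lines with a triage hint.
# The audit lines are constructed for the lab scenario (httpd bound to 82,
# content moved into /myweb); field layout follows the kernel's AVC format.
SAMPLE_AUDIT='type=AVC msg=audit(1763467200.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1763467200.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1763467201.456:457): avc:  denied  { getattr } for  pid=1240 comm="httpd" path="/myweb/index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1763467202.789:458): avc:  denied  { name_connect } for  pid=1240 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: audit.log lines on stdin, one "comm perm source -> target
# (class) obj=... | hint" line per AVC denial on stdout. Values containing
# spaces (e.g. comm="my prog") are not handled.
avc_summary() {
  awk '
    $1 == "type=AVC" && /avc: *denied/ {
      perm = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""; obj = "";
      # permission set sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=");
        v = kv[2]; gsub(/"/, "", v);
        if (kv[1] == "comm") comm = v;
        else if (kv[1] == "scontext") { split(v, c, ":"); sctx = c[3]; }
        else if (kv[1] == "tcontext") { split(v, c, ":"); tctx = c[3]; }
        else if (kv[1] == "tclass") tclass = v;
        else if (kv[1] == "path" || kv[1] == "name" || kv[1] == "src" || kv[1] == "dest") obj = v;
      }
      # simplified triage hints
      hint = "boolean or policy: see sealert / semanage boolean -l";
      if (tclass ~ /_socket$/ && perm == "name_bind")
        hint = "port label: semanage port";
      else if (tclass == "file" || tclass == "dir" || tclass == "lnk_file")
        hint = "file context: restorecon / semanage fcontext";
      printf "%s %s %s -> %s (%s) obj=%s | %s\n", comm, perm, sctx, tctx, tclass, obj, hint;
    }'
}

# Demo on the constructed lines; on a real host: avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The third constructed denial (httpd connecting out to a database port) is the kind that no relabelling fixes; that is the case for semanage boolean -l, which is why the script falls back to the boolean hint rather than suggesting a label change.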

Lab Exercise

  1. httpd
    1. Configure httpd to bind to port 82
    2. Configure httpd to serve content from /myweb
    3. Create a new index.html file in /myweb with the contents “hello from myweb”
    4. Attempt to restart httpd, inspect the journalctl and SELinux logs
    5. Make the appropriate SELinux policy modifications to allow the non-default httpd configuration
    6. Verify that you can view the new content with curl
  2. SSH
    1. Bind sshd to port 2022
    2. Attempt to restart sshd, inspect the systemd journal and SELinux logs
    3. Make the appropriate SELinux policy modifications to allow the non-default sshd configuration
    4. Ensure that you are able to use ssh to login via the new port

- Clint Jordan