SELinux management in Linux CentOS/RHEL 8

What is SELinux?

SELinux is a security enhancement that gives users and administrators more control over which users and applications can access which resources, such as files, in addition to the standard Linux access controls.

It is mainly used to protect internal data from system services (not against external data). In practice it is often disabled, and iptables/firewall is used instead. When it is enabled, it protects all services, files and directories by default.

In how many ways can we implement SELinux?

We can implement it mainly in 2 modes.
(i) Enabled
(ii) Disabled (default mode)


Enabled means the SELinux policy is enabled. This mode is divided into two parts.
(a) Enforcing
(b) Permissive


Disabled means disabling the SELinux policy.

[Image: SELinux config file]

What is Enforcing mode in SELinux?

Enforcing means SELinux is on. It checks its policy and stores a log. By default no one can access the services, but we can change the policy whenever needed.

What is Permissive mode in SELinux?

SELinux is on, but it does not enforce the SELinux policy; it only stores the log. By default everybody can access the services, and we can also change the policy.

It is also referred to as debugging mode or troubleshooting mode. In this mode the policies and rules are applied to subjects and objects, but actions are not affected.

What is Disabled mode in SELinux?

SELinux is turned off from the start, and no warnings or log messages are generated or stored.

What are Booleans?

Booleans are variables that can be set to either true or false. Booleans adjust the effect of the SELinux policies implemented by the system administrators. A policy may protect certain daemons or services by applying various access control rules.

Commands used for Booleans:

1. To see the booleans of the specified service:

# getsebool -a | grep <service name>
To see the booleans of the ftp service
# getsebool -a | grep ftp

2. To change the boolean of a specified service

# setsebool <boolean> <on/off>
To change the boolean of the ftpd service temporarily
# setsebool allow_ftpd_anon_write on

3. To turn the boolean for a service on or off permanently

# setsebool -P <service boolean>=<0/1>
To turn the boolean for the samba service on permanently
# setsebool -P samba_export_all_rw=1

What is SELinux policy?

The SELinux policy is the set of rules that guide the SELinux security engine. It defines types for file objects and domains for processes. It describes the access permissions for all users, programs, processes, files, and the devices they act upon. It implements one of two different policies:

Targeted: The default policy. It implements access control for targeted processes. The processes run in a confined domain where the process has limited access to files. If a confined process is compromised, the damage is mitigated. In the case of services, only specific services can be placed into these domains.

# vi /etc/selinux/config

MLS: Stands for Multi-Level Security. Check out the Red Hat documentation on the MLS policy.

Command to see the policy details.

# sestatus
[Image: SELinux status]

What are the required files for SELinux?

 # vim /etc/selinux/config -----> It is the main file for SELinux.
 # vim /etc/sysconfig/selinux -----> It is a link to the above file.
 # vim /var/log/audit/audit.log -----> SELinux log messages are stored in this file.

Commands used for SELinux mode

To check the mode, use the command below:

# getenforce

To set the mode temporarily, use the command:

# setenforce 0
# setenforce 1

Where '0' -----> Permissive and '1' -----> Enforcing

Note :

(i) To change the mode from Permissive to Enforcing or from Enforcing to Permissive, you don't need to restart the system.
(ii) To change from Enforcing mode to Disabled mode or from Disabled mode to Enforcing mode, you need to restart the system.
(iii) The above commands change the mode only temporarily. To make the change permanent, open the /etc/selinux/config file and set SELINUX= to enforcing, permissive or disabled (then save and exit the file).

# vi /etc/selinux/config

How to change port number of any application

Syntax :

# semanage port -a -t <type> -p tcp <port no.>

For Example :

If we want to change the port of sshd to 8081:

(i) Make an entry in /etc/ssh/sshd_config and add the parameter Port 8081.

(ii) For SELinux, we have to assign the port with the command below.

# semanage port -a -t ssh_port_t -p tcp 8081

(iii) Now check the port.

# semanage port -l | grep ssh

(iv) If ssh is still not working, then:

# systemctl stop firewalld.service

To work with the firewall, you can read the article Firewall setup using Firewalld in CentOS8.
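The check in steps (i) to (iii), as an added example that is not part of the original article: it compares the active Port lines of an sshd_config with the ports assigned to ssh_port_t. The function names and both sample inputs are constructed for illustration; port ranges such as 8000-8010 are not handled.

```shell
#!/bin/sh
# Added example: check that every Port in sshd_config is labelled ssh_port_t.
# Both inputs are constructed samples, not captured from a real host.

SSHD_CONFIG_SAMPLE='# constructed sshd_config excerpt
#Port 22
Port 8081
PermitRootLogin no'

# Constructed lines in the layout printed by: semanage port -l | grep ssh
SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SEMANAGE_AFTER='ssh_port_t                     tcp      8081, 22'

# Print the active (uncommented) Port values, one per line; sshd defaults to 22.
sshd_ports() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "port" { print $2; found = 1 }
        END { if (!found) print 22 }'
}

# Print the tcp ports assigned to ssh_port_t, one per line.
selinux_ssh_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); print $i }
        }'
}

# Print each sshd port that has no ssh_port_t assignment; return 1 if any.
unlabelled_ports() {
    missing=0
    for port in $(sshd_ports "$1"); do
        if ! selinux_ssh_ports "$2" | grep -qx "$port"; then
            echo "$port"
            missing=1
        fi
    done
    return "$missing"
}

# Before step (ii) the new port is reported; after it nothing is printed.
unlabelled_ports "$SSHD_CONFIG_SAMPLE" "$SEMANAGE_BEFORE" \
    || echo "assign with: semanage port -a -t ssh_port_t -p tcp <port>"
unlabelled_ports "$SSHD_CONFIG_SAMPLE" "$SEMANAGE_AFTER" && echo "all sshd ports labelled"
```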

SELinux also works with SCL (secure context label)

It is also known as a tag.

Useful commands for SELinux context:

To see the context of the file.

# ls -Z <file name>

Command to see the context of the directory.

# ls -ldZ <directory name>

To see the context of the process running on the system.

# ps -efZ | grep <process name>

To see the context of the http process running on the system
# ps -efZ | grep http 

To change context of the file or directory.

# chcon -t <argument> <file/directory name>

To change the SELinux context of the /public directory
# chcon -t public_content_t /public

To change the SELinux context of the /public directory and its contents
# chcon -R -t public_content_t /public

Command to restore the previous context of the file/directory.

# restorecon -v <file/directory name>

Command to restore the previous context of the directory and its contents.

# restorecon -Rv <directory>

To restore the previous context of the /public directory and its contents
# restorecon -Rv /public 

For this we have an example here.

(i) First, download and install the httpd package, then start the httpd service. Second, stop the firewall service (to work with the firewall, you can go through the other articles Rich Rules of Firewalld on CentOS / RHEL8 and Firewall setup using Firewalld in CentOS8).

(ii) Now if we write anything in the /var/www/html/index.html file, it will show in the browser. Next, remove index.html from this location, create a new index.html file at any other location, and then move that index.html to the /var/www/html directory.

(iii) Now refresh the browser. It will not work, and SELinux will give an error for the tag.

(iv) When we create a file at any location, that file automatically gets a tag, which does not change when the file is moved to another location. We have to change it manually.

Command to check the tag:

# ls -ldZ /var/www/html/index.html

(v) Now change the tag with the command below.

# chcon -t httpd_sys_content_t /var/www/html/index.html

(vi) To change the tag of multiple directories in one command, we use a reference.

# chcon -R --reference /var/www/html /data
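The tag error from step (iii) appears in /var/log/audit/audit.log as an AVC denial. The added example below (not part of the original article) extracts the process, permission, object and types from such lines and lists the objects whose type is not the expected one. The log lines are constructed and assume index.html was created in /root, where files get the admin_home_t type; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed audit.log lines (not from a real host): httpd is denied on a
# moved index.html that kept the type of the directory it was created in.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.101:512): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=6291 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:512): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000050.300:520): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=6291 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0'

# For each AVC denial print: process, first permission, object,
# source type (the process domain) and target type (the file tag).
avc_denials() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && / denied / {
            perm = comm = obj = st = tt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                if (kv[1] == "name" || kv[1] == "path") obj = kv[2]
                if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            }
            gsub(/"/, "", comm); gsub(/"/, "", obj)
            print comm, perm, obj, st, tt
        }'
}

# Print "object type" for denials of one process where the object's type
# differs from the type that process is expected to read.
mislabelled_for() {   # $1=log text  $2=process name  $3=expected target type
    avc_denials "$1" |
        awk -v p="$2" -v t="$3" '$1 == p && $5 != t { print $3, $5 }' |
        LC_ALL=C sort -u
}

mislabelled_for "$AUDIT_SAMPLE" httpd httpd_sys_content_t
```

Each object it prints is a candidate for the chcon -t httpd_sys_content_t command from step (v).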

If we create a .autorelabel file in /, then after a reboot all tags are set back to their defaults.

# touch /.autorelabel

How to set a default label manually in selinux policy

To see all available default tags/labels:

# semanage fcontext -l

To set the default label httpd_sys_content_t on the /data directory, use the regular expression '/data(/.*)?'.

# semanage fcontext -a -t httpd_sys_content_t '/data(/.*)?'

Now check:

# ls -ldZ /data

  1. If we create a file in /data, or copy a file from any location to the /data directory, that file automatically inherits the label of the /data directory.
  2. If we move a file from any location to the /data directory, it will not inherit the label of the /data directory. That file carries its original label.
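An added example, not from the original article, of what the '/data(/.*)?' rule covers and which files still carry a different label after a copy and a move. Note that semanage fcontext -a only records the rule; restorecon -Rv /data is what applies it to files that already exist. The listing is constructed in the `context path` layout that `ls -Z` prints, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed listing of contexts and paths; not real command output.
LISTING_SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 /data
unconfined_u:object_r:httpd_sys_content_t:s0 /data/copied.html
unconfined_u:object_r:user_home_t:s0 /data/moved.html
unconfined_u:object_r:default_t:s0 /database/notes.txt'

# A file-context expression has to match the whole path, so it is anchored
# with ^ and $ here. That is why /data(/.*)? covers /data and everything
# below it, but not a sibling such as /database.
rule_matches() {   # $1=path  $2=fcontext regex, e.g. /data(/.*)?
    printf '%s\n' "$1" | grep -Eq "^$2\$"
}

# Print "path current_type" for every listed path that the rule covers but
# whose type differs from the rule's type, i.e. what restorecon would relabel.
needs_relabel() {   # $1=listing  $2=regex  $3=type set by the rule
    printf '%s\n' "$1" | while read -r ctx path; do
        cur=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if rule_matches "$path" "$2" && [ "$cur" != "$3" ]; then
            echo "$path $cur"
        fi
    done
}

# The moved file kept its original type; the copied file inherited /data's.
needs_relabel "$LISTING_SAMPLE" '/data(/.*)?' httpd_sys_content_t
```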

Hope you enjoyed this article. Please leave your comments and suggestions below.

