
SELinux mediates system calls. By default it denies every call, and policy rules allow specific ones. A system call is the way a program communicates with the kernel.

A highly recommended knowledge source is the SELinux Coloring Book. Another one is the SELinux Notebook.

Ignorance is the only reason to disable SELinux.

Conventions and Terminology:

  • Source domain: The object that is trying to access a target. Typically a user or a process.
  • Target domain: The object that a source is trying to access. Typically a file or a port.
  • Policy: A collection of rules that define which source has access to which target.
  • Context: A security label used to categorize objects in SELinux.
  • Objects: Can be files, directories, ports, processes and users.
  • Rule: A specific part of the policy that determines which access permissions a source domain has on a target domain.
  • Labels: Same as a context; they determine which source domain has access to which target domain.

Operation modes:

  • Enforcing mode: SELinux is enabled and enforces every rule in the policy.
  • Permissive mode: SELinux does not block anything, but all denials are logged. Excellent for troubleshooting.

Files:

  • /etc/sysconfig/selinux: main configuration file.
  • /var/log/audit/audit.log: SELinux logs (AVC denial records).

Commands:

  • getenforce: get the current mode.
  • setenforce 0: temporarily puts SELinux in permissive mode (until reboot).
  • setenforce 1: temporarily puts SELinux in enforcing mode (until reboot).
  • sestatus -v: current status of SELinux, version and policy.

Troubleshoot

Install the package that provides audit2why, audit2allow, checkmodule and semodule_package:

sudo yum install policycoreutils-python-utils

Recommended way

Pipe the matching AVC denial records to audit2why to see why they were denied, then let audit2allow turn the same records into a policy module package and install it (search /var/log/audit/audit.log instead when the denials are recorded there):

sudo grep audit.log /var/log/messages | audit2why
sudo grep audit.log /var/log/messages | audit2allow --module-package=auditdlocal
sudo semodule --install auditdlocal.pp

audit2allow writes two files: auditdlocal.pp is the compiled package that semodule loads, and auditdlocal.te is the readable policy source it was built from:

auditdlocal.pp
    <binary>
auditdlocal.te
    module auditdlocal 1.0;

    require {
        type var_log_t;
        type auditd_t;
        class file { create open read setattr };
    };

    allow auditd_t var_log_t:file { create open read setattr };

Review the allow rules before installing (grant only the permissions the denial actually needs). To rebuild the package after editing the .te file, compile it, package it and install it:

sudo checkmodule -M -m -o auditdlocal.mod auditdlocal.te
sudo semodule_package -o auditdlocal.pp -m auditdlocal.mod
sudo semodule --install auditdlocal.pp
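As an added example (not part of these notes and not the real audit2allow), the following Python script shows what audit2allow does with the piped records: it extracts the source type, target type, class and permissions from AVC denial lines and renders the same require/allow structure as auditdlocal.te above. The audit records and the function names parse_denials and build_te are constructed for this illustration.

```python
"""Derive a minimal SELinux .te module from AVC denial records (simplified audit2allow)."""
import re
from collections import defaultdict

# Constructed sample audit records (not a real captured log); the SYSCALL line shows
# that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { create } for  pid=1234 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open read } for  pid=1234 comm="auditd" path="/var/log/audit/audit.log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { setattr } for  pid=1234 comm="auditd" path="/var/log/audit/audit.log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.125:458): arch=c000003e syscall=2 success=no exit=-13
"""

# Context fields are user:role:type:level; only the type is needed for a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<source>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<target>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # records without an AVC denial are skipped
            key = (m["source"], m["target"], m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def build_te(module_name, denials, version="1.0"):
    """Render the merged denials as policy source in .te format."""
    types = {s for s, _, _ in denials} | {t for _, t, _ in denials}
    class_perms = defaultdict(set)  # every permission a class needs in require {}
    for (_, _, tclass), perms in denials.items():
        class_perms[tclass].update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    lines += ["};", ""]
    for (s, t, c), perms in sorted(denials.items()):
        lines.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_te("auditdlocal", parse_denials(SAMPLE_AUDIT_LOG)))
```

Read the generated allow rules as you would the output of audit2allow: each one widens policy, so keep only those the denial genuinely requires before packaging with checkmodule and semodule_package.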

Documentation