Overview
SElinux or Security Enchanced linux is PAIN in the “buttom”. it is designed as military grade security for the US army. That being said if you have it enabled (default) you cannot configure pretty much anything on the software you install without changing the context of the SElinux.
So let's see how to disable and check for status:
Manage
SElinux has three modes: Enforcing Permissive Disabled
The first two are enabling the SElunix, while the last one totally disables it.
You can check if SElinux is currently enabled by issuing the following command:
Check SElinux
[root@************ redis]# getenforce Enforcing
That means, that it is enabled and it is the highest priority. If you don't have requirement to have SElinux, I suggest to ALWAYS change the police to “Permissive” that means it will still monitor the access and yells at you when you violate it, but it won't stop your work.
Let's see how we can disable it:
Enable / Disable
To change the mode to Permissive and reverse, we can use the following command:
Change modes
[root@tbp-mts-redis01 redis]# setenforce 0 - Permissive [root@tbp-mts-redis01 redis]# getenforce Permissive [root@tbp-mts-redis01 redis]# setenforce 1 - Enforcing [root@tbp-mts-redis01 redis]# getenforce Enforcing [root@tbp-mts-redis01 redis]#
We cannot totally disable it while the Linux is working, we have to restart. Also bare in mind that any change (with setenforce) doesn't survive a restart. To disable it totally and/or to make our changes persistant, we have to modify the following file:
Persistant Change
[root@************** redis]# cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing <- Change what you want here. This change will persist a restart. # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
Modift SELinux Context
SElinux operates in contexts. But before we start checking the context of files and directories, we have to install the proper tools:
Install tools to manage SElinux
[root@tbp-mts-redis01 data]# yum install -y policycoreutils-python-utils Last metadata expiration check: 0:27:48 ago on Tue 29 Sep 2020 11:30:40 CEST. Dependencies resolved. =========================================================================================================================================================================================== Package Architecture Version Repository Size =========================================================================================================================================================================================== Installing: policycoreutils-python-utils noarch 2.9-9.el8 BaseOS 251 k Installing dependencies: checkpolicy x86_64 2.9-1.el8 BaseOS 348 k python3-audit x86_64 3.0-0.17.20191104git1c2f876.el8 BaseOS 86 k python3-libsemanage x86_64 2.9-2.el8 BaseOS 127 k python3-policycoreutils noarch 2.9-9.el8 BaseOS 2.2 M python3-setools x86_64 4.2.2-2.el8 BaseOS 601 k Transaction Summary =========================================================================================================================================================================================== Install 6 Packages Total download size: 3.6 M Installed size: 11 M Downloading Packages: (1/6): python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64.rpm 64 kB/s | 86 kB 00:01 (2/6): policycoreutils-python-utils-2.9-9.el8.noarch.rpm 114 kB/s | 251 kB 00:02 (3/6): python3-libsemanage-2.9-2.el8.x86_64.rpm 139 kB/s | 127 kB 00:00 (4/6): checkpolicy-2.9-1.el8.x86_64.rpm 146 kB/s | 348 kB 00:02 (5/6): python3-setools-4.2.2-2.el8.x86_64.rpm 176 kB/s | 601 kB 00:03 (6/6): python3-policycoreutils-2.9-9.el8.noarch.rpm 233 kB/s | 2.2 MB 00:09 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 304 kB/s | 3.6 MB 00:12 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : python3-setools-4.2.2-2.el8.x86_64 1/6 Installing : python3-libsemanage-2.9-2.el8.x86_64 2/6 Installing : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 3/6 Installing : checkpolicy-2.9-1.el8.x86_64 4/6 Installing : python3-policycoreutils-2.9-9.el8.noarch 5/6 Installing : policycoreutils-python-utils-2.9-9.el8.noarch 6/6 Running scriptlet: policycoreutils-python-utils-2.9-9.el8.noarch 6/6 Verifying : checkpolicy-2.9-1.el8.x86_64 1/6 Verifying : policycoreutils-python-utils-2.9-9.el8.noarch 2/6 Verifying : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 3/6 Verifying : python3-libsemanage-2.9-2.el8.x86_64 4/6 Verifying : python3-policycoreutils-2.9-9.el8.noarch 5/6 Verifying : python3-setools-4.2.2-2.el8.x86_64 6/6 Installed: checkpolicy-2.9-1.el8.x86_64 policycoreutils-python-utils-2.9-9.el8.noarch python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 python3-libsemanage-2.9-2.el8.x86_64 python3-policycoreutils-2.9-9.el8.noarch python3-setools-4.2.2-2.el8.x86_64 Complete!
That will give us the “semanage” command. Now there are 2 ways to manage the contaxt of a file or directory:
- Use chcon - temporary
- Use semanage & restorecon - permanent
So let's try it. Firstly we check the context as follows:
Check Context
~]# ls -dZ /web drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
In this example, the SELinux context for file1 includes the SELinux unconfined_u user, object_r role, user_home_t type, and the s0 level. For a description of each part of the SELinux context here
Change the context temporary
To change it temporary we can use the following command:
Check Context
~]# ls -dZ /web drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
Change the context temporary
~]# chcon -R -t httpd_sys_content_t /web/ ~]# ls -dZ /web/ drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
Again, that is not a permanent change so we can restore it with restart OR using restorecon:
Restore the context
~]$ restorecon -v file1 restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
Change the context permanent
To change the context permanently we have to use the “semanage” as follows:
Change the context
~]# ls -dZ /web drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web ~]# semanage fcontext -a -t httpd_sys_content_t "/web" ~]# restorecon -R -v /web ~]$ ls -dZ /web drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0/web