SELinux useful commands


Starting log services

# chkconfig --level 2345 auditd on
# chkconfig --level 2345 rsyslog on

# service auditd start

When SELinux is in permissive mode, users can create mislabeled files. To fix this and force a full relabel on the next boot, use:

# touch /.autorelabel; reboot

Enable SELinux

Run SELinux in permissive mode by setting this in /etc/selinux/config:

SELINUX=permissive

Run SELinux in enforcing mode by setting this in /etc/selinux/config:

SELINUX=enforcing

Get Booleans:

List booleans

semanage boolean -l

List booleans with current state

getsebool -a

Get the state of an individual boolean

getsebool httpd_verify_dns

Configure Boolean

setsebool httpd_verify_dns on

To make a change made with setsebool persistent across reboots, add -P:

setsebool -P httpd_verify_dns on

SELinux Contexts: Labeling Files

A SELinux context is the security-relevant information attached as a label to processes and files. You can use ls -Z <file> or ps -eZ to see the labels (context info).


Make temporary changes by using chcon

chcon is used to change a file's context, but the change is temporary: on a file system relabel or a run of restorecon, any change you made with chcon is reverted. That makes it a great tool for troubleshooting access denied errors.

Changing a file's context

chcon -t httpd_sys_content_t /var/www/html/testfile

Changing the context of all files and folders in the html directory (the directory itself included):

chcon -R -t httpd_sys_content_t /var/www/html

Restoring the labels defined by the policy (this reverts the chcon changes):

restorecon -R -v /var/www/html

Note: -t = type, -v = verbose, -R = the directory and its children (recursively)

Persistent Changes Through Context Modification

To make a persistent change, use semanage fcontext:

semanage fcontext -a options file-name|directory-name

This adds an entry to /etc/selinux/targeted/contexts/files/file_contexts.local. That is the file whose entries are restored when you make a change with chcon and then call restorecon.

The option for changing the type is -t <type>.

To apply the changes, use restorecon (the name is kind of misleading here).

restorecon -v file-name|directory-name

Create a context for directories and files

semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

will apply httpd_sys_content_t to /web and its contents. This command does not change the file labels directly: the files under /web are still default_t. It only adds an entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

/web(/.*)? system_u:object_r:httpd_sys_content_t:s0

Now run

restorecon -R -v /web

This restores the labels defined in /etc/selinux/targeted/contexts/files/file_contexts.local, resulting in httpd_sys_content_t for /web and every file inside it.

Delete a context

semanage fcontext -d "/web(/.*)?"


Types

default_t is the type used on files that do not match any pattern in the fcontext (file-context) configuration. This is done so that we can distinguish them from files that have no context on disk at all. Files with default_t are generally kept inaccessible until you assign a type to them.

Commands

cp copies a file without preserving its SELinux context.

To preserve the context, use:

cp --preserve=context file1 /var/www/html/

Note: the Linux mv command preserves the context. If you move a file from your home directory to /var/www/html, httpd will not be able to access it, and you will see a 403 error.

Checking Default Context

Use matchpathcon to compare the current context of a path with the default defined by the policy:

matchpathcon -V /var/www/html/*
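To show what the fcontext entries above and matchpathcon -V actually do, here is an added example (not part of the original post) that parses constructed file_contexts entries, including the "/web(/.*)?" one, and checks a constructed ls -Z snapshot for mislabeled paths the way matchpathcon -V does. It assumes the simplified "last matching entry wins" rule and ignores the optional file-type field of file_contexts lines.

```python
import re
from collections import namedtuple

# Constructed file_contexts entries (the real files live under /etc/selinux/targeted/
# contexts/files/); the /web line is what the page's semanage fcontext command adds.
FILE_CONTEXTS = """\
/.*               system_u:object_r:default_t:s0
/var/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/web(/.*)?        system_u:object_r:httpd_sys_content_t:s0
"""
Context = namedtuple("Context", "user role type level")

def parse_context(label):
    """Split user:role:type:level (as printed by ls -Z / ps -eZ) into fields."""
    return Context(*label.split(":", 3))

def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (anchored regex, Context) pairs."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # libselinux anchors each regex (whole-path match); an optional file-type
        # field (-d, -l, ...) between regex and context is simply skipped here.
        specs.append((re.compile("^" + parts[0] + "$"), parse_context(parts[-1])))
    return specs

def expected_context(specs, path):
    """Mimic matchpathcon: the last matching entry wins, so .local beats base policy."""
    for regex, ctx in reversed(specs):
        if regex.match(path):
            return ctx
    return None

def verify(specs, current_labels):
    """Like matchpathcon -V: map each mislabeled path -> (actual type, expected type)."""
    mismatches = {}
    for path, label in current_labels.items():
        actual, expected = parse_context(label), expected_context(specs, path)
        if expected and actual.type != expected.type:
            mismatches[path] = (actual.type, expected.type)
    return mismatches

# Constructed ls -Z snapshot: /web was populated before its fcontext entry existed,
# and moved.html was mv'ed in from a home directory (mv keeps the old label).
CURRENT_LABELS = {
    "/web/index.html": "unconfined_u:object_r:default_t:s0",
    "/var/www/html/moved.html": "unconfined_u:object_r:user_home_t:s0",
    "/var/www/html/index.html": "unconfined_u:object_r:httpd_sys_content_t:s0",
}
```

Running verify(parse_file_contexts(FILE_CONTEXTS), CURRENT_LABELS) reports the first two paths as mislabeled; those are exactly the files a restorecon -R -v run would fix.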

Keep the context when creating a tar archive

tar --selinux -cf test.tar file{1,2,3}

Extracting the archive

tar -xvf archive.tar | restorecon -f -

or

tar --selinux -xvf test.tar

Information Gathering Tools

See stats of access vector cache

avcstat

Get a breakdown of a policy: booleans, types, number of classes, allow rules and others.

seinfo

It can also list the types belonging to an attribute, and the permissive domains:

seinfo -adomain -x
seinfo -aunconfined_domain_type -x
seinfo --permissive -x

Search the policy for rules involving a particular type

sesearch

sesearch --role_allow -t httpd_sys_content_t /etc/selinux/targeted/policy/policy.31
sesearch --allow # get allowed rules