RHCE Series: Configure SELinux to support the service.

  • Every process or object has a SELinux context:
    • identity:role:domain/type
  • The SELinux policy controls:
    • What identities can use which roles
    • What roles can enter which domains
    • What domains can access which types
  • To change the context of a file, you can use the chcon command:
    • chcon -R –reference=/var/www/html
  • To restore the default labeling from the policy and apply the contexts to file:
    • restorecon -R
  • To change the SELinux mode during boot, you can pass the ‘enforcing=0’ option to the kernel in GRUB.
  • Tools:
    • sestatus
    • setenforce | getenforce
    • policycoreutils
    • setroubleshoot
    • system-config-selinux <- part of policycoreutils-gui in RHEL.
    • setsebool | getsebool
    • chcon
    • restorecon

When troubleshooting potential SELinux issues, you can turn off SELinux while troubleshooting.


You can also use the ‘restorecon’ command to restore default context values to the contents of a folder or file.

You can use booleans to enable or disable specific actions. To view the booleans and their status, use the getsebool command.

To change a boolean, you can use the setsebool command.

October 26, 2012

Posted In: Linux, RHCE Study Notes, SELinux