Open Source For You — December 2017

(Steven Felgate) #1
Insight Admin

http://www.OpenSourceForU.com | OPEN SOURCE FOR YOU | DECEMBER 2017 | 29

Figure 1: Checking the status of SELinux

Figure 2: Changing the SELinux mode to enforcing mode

Figure 3: Default configuration file of SELinux

to the command. Often, the -t option is
used to specify only the type component
of the context, leaving the user, role and
level fields as they are.
The restorecon command is the
preferred method for changing the
SELinux context of a file or directory.
Unlike chcon, the context is not given
explicitly on the command line:
restorecon looks up the file context
rules of the loaded SELinux policy to
determine what the context of the file
should be, and relabels it to match. A
label set with chcon is therefore only as
permanent as the next restorecon or full
filesystem relabel, which puts the
policy default back.
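The difference between a label set by hand and the label the policy expects is easiest to see with restorecon in dry-run mode. The script below is an added example, not code from the article: it runs restorecon -nRv over a directory (reporting without changing anything) and reduces the output to the files whose type would change. It assumes the "restorecon reset PATH context OLD->NEW" line format that restorecon -v prints; the sample output it falls back to on a host without restorecon is constructed, mimicking a web root that received files moved out of a home directory.

```shell
#!/bin/sh
# Added example, not code from the OSFY article: find files whose on-disk label
# differs from what the policy says it should be, i.e. the drift that chcon, mv
# or a bad copy leaves behind, using restorecon in dry-run mode.
# Assumptions: restorecon (policycoreutils) prints one
# "restorecon reset PATH context OLD->NEW" line per file with -v; the sample
# output below is constructed.

# Return field N of a context user:role:type:level (3 = type).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Reduce restorecon -v output to "path old_type -> new_type" lines; anything
# that is not a "reset" line (errors, warnings) is dropped.
relabel_report() {
    while IFS= read -r line; do
        case "$line" in
            *" reset "*" context "*"->"*) ;;
            *) continue ;;
        esac
        rest=${line#* reset }          # PATH context OLD->NEW
        path=${rest% context *}
        ctxs=${rest##* context }
        old=${ctxs%%->*}
        new=${ctxs#*->}
        printf '%s %s -> %s\n' "$path" "$(context_field "$old" 3)" "$(context_field "$new" 3)"
    done
}

# Number of files restorecon would relabel (0 means no drift).
drift_count() {
    relabel_report | wc -l | tr -d ' '
}

# Constructed restorecon -nRv output: two files moved in from home directories
# kept their old type, plus one error line that must be ignored.
SAMPLE='restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/upload context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon: lstat(/var/www/html/missing) failed: No such file or directory'

# Audit a directory read-only: -n reports without changing anything, -R recurses.
# Dropping -n (restorecon -Rv DIR) applies the fixes; chcon -t TYPE FILE would
# instead set a type by hand, which the next restorecon reverts.
audit_dir() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -nRv "$1" | relabel_report
    else
        echo "restorecon not found; reporting on the constructed sample" >&2
        printf '%s\n' "$SAMPLE" | relabel_report
    fi
}

audit_dir /var/www/html || true
```

Run it as root against the directory you suspect (a web root after files were moved into it is the classic case); a non-empty report lists exactly what restorecon -Rv would relabel, so the fix can be reviewed before it is applied.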

Defining SELinux
default file context rules
The semanage fcontext command can
be used to display or modify the rules
that the restorecon command uses to set
the default file context. It uses extended
regular expressions to specify the path
and file names. The most common
extended regular expression used in
fcontext rules is (/.*)?, which means
“optionally match a / followed by any
number of characters.” Appended to a
directory path, it matches the directory
itself and everything in that directory
recursively. Note that chcon only
changes the label on disk, while
semanage fcontext changes the rule
that restorecon applies, so it is
semanage that makes a labelling
decision survive a relabel.
The restorecon command is part of the
policycoreutils package and semanage
is part of the policycoreutils-python
package (policycoreutils-python-utils
on newer Fedora and RHEL releases).
As shown in Figure 6, the SELinux
context is preserved when a file is
moved with the mv command, whereas a
file created with cp gets a fresh context,
the one the policy assigns to its
destination (by default that of the
parent directory). A moved file can
therefore carry a label that is wrong for
its new location, for example a
user_home_t file sitting in a web root.
To fix this, run restorecon on the file
or directory: it relabels the files
according to the policy’s file context
rules, which normally gives them the
same type as the parent directory.
Figure 7 shows how to use
semanage to add a context rule for a new
directory. First, add a rule for the
directory and its contents with the
semanage fcontext command, and then
run restorecon recursively on the
directory so that the new rule is applied
to all the files already contained in it;
files created there later pick up the
right context automatically.

SELinux Booleans
SELinux Booleans are switches that
change the behaviour of the SELinux
policy. Each one enables or disables a
set of rules, and security administrators
use them to tune the policy with
selective adjustments without writing or
rebuilding policy modules. The current
values can be listed with getsebool -a
and changed with setsebool; without the
-P option a change lasts only until the
next reboot.
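The usual mistake with Booleans is a setsebool without -P that silently disappears at the next boot, or a script that flips a switch it does not need to. The following is an added example, not from the article, of a small idempotent wrapper: it reads the current state, changes the Boolean only when it differs, and always persists the change. It assumes the "name --> on|off" output format of getsebool; the Boolean names and the getsebool -a excerpt it parses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the OSFY article: tune a Boolean idempotently
# and persistently. Assumptions: getsebool/setsebool (policycoreutils) print
# and accept "name --> on|off"; the Boolean names and the sample list below
# are illustrative and constructed.

# Extract on/off from one getsebool line ("name --> on").
bool_state_from_line() {
    case "$1" in
        *" --> on")  echo on ;;
        *" --> off") echo off ;;
        *) echo "unrecognised getsebool output: $1" >&2; return 1 ;;
    esac
}

# List "name=state" for Booleans whose name starts with a prefix, reading
# getsebool -a output from stdin. Handy for seeing which switches a service has.
bools_matching() {
    while IFS= read -r line; do
        name=${line%% --> *}
        case "$name" in
            "$1"*) printf '%s=%s\n' "$name" "$(bool_state_from_line "$line")" ;;
        esac
    done
}

# Current state of one Boolean on this host.
bool_state() {
    line=$(getsebool "$1" 2>/dev/null) || return 1
    bool_state_from_line "$line"
}

# Set a Boolean only when it differs from the wanted value. -P also writes it
# into the policy store so it survives a reboot; without -P it is lost at boot.
ensure_bool() {
    name=$1; want=$2
    case "$want" in
        on|off) ;;
        *) echo "wanted state must be on or off, got '$want'" >&2; return 1 ;;
    esac
    if ! command -v getsebool >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "would run: setsebool -P $name $want" >&2
        return 0
    fi
    cur=$(bool_state "$name") || { echo "no such Boolean: $name" >&2; return 1; }
    if [ "$cur" = "$want" ]; then
        echo "$name already $want"
    else
        setsebool -P "$name" "$want"
    fi
}

# Constructed getsebool -a excerpt.
SAMPLE='ftpd_anon_write --> off
httpd_can_network_connect --> off
httpd_enable_homedirs --> on'

printf '%s\n' "$SAMPLE" | bools_matching httpd_
ensure_bool httpd_can_network_connect on || true
```

On a real host replace the sample with getsebool -a, and use semanage boolean -l to read the one-line description of each switch before turning it on; a Boolean that opens network access for a daemon widens its reach in every confined process of that domain, not just the one you are fixing.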

Figure 4: Checking the context of files

Figure 5: Restoring context of the file with the
parent directory

temporarily allow access to content that
SELinux is restricting, while the denials
are still logged. No reboot is required
to go from enforcing mode to
permissive mode.
Disabled mode: This mode
completely disables SELinux; no policy
is loaded and new files are not labelled.
A system reboot is required to disable
SELinux entirely, or to go from disabled
mode to enforcing or permissive mode.
Because files created while SELinux
was disabled carry no label, re-enabling
it normally requires a full filesystem
relabel (touch /.autorelabel before
rebooting).


SELinux status
To check the present status of SELinux,
run the sestatus command on a
terminal. It reports whether SELinux is
enabled, the current mode, the mode
configured in /etc/selinux/config and
the loaded policy name, so a mismatch
between the running and configured
modes is visible at a glance. The
getenforce command prints only the
current mode.


sestatus


Changing the current
SELinux mode
Run the command setenforce with
either 0 or 1 as the argument. A value
of 1 specifies enforcing mode; 0
specifies permissive mode (the words
Enforcing and Permissive are accepted
too). The change takes effect
immediately, needs root privileges,
lasts only until the next boot, and
cannot switch SELinux to or from
disabled mode.


setenforce 1
setenforce 0


Setting the default
SELinux mode
The configuration file that determines
what the SELinux mode is at boot
time is /etc/selinux/config. Note that it
contains some useful comments. The
SELINUX= line sets the mode and the
SELINUXTYPE= line selects the policy
(targeted on most systems).
Use /etc/selinux/config to change
the default SELinux mode at boot time;
setenforce does not modify this file, so
a runtime change that is not also
written here is lost at reboot. In the
example shown in Figure 3, it is set to
enforcing mode.
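Putting the three previous steps together (check the status, change the running mode, set the boot-time mode), the script below is an added example, not code from the article. It parses the SELINUX= line of a config file, compares it with the running mode so that a host that was set permissive "for a minute" and never set back shows up as drift, and rewrites the boot-time mode without replacing the file. It assumes getenforce and setenforce from libselinux-utils on an SELinux host; the config it works on is a constructed copy in the layout of /etc/selinux/config, not the real file.

```shell
#!/bin/sh
# Added example, not code from the OSFY article: audit the boot-time mode in
# /etc/selinux/config against the running mode, and change either one safely.
# Assumptions: getenforce/setenforce (libselinux-utils) exist on an SELinux
# host; the config file used below is a constructed copy, not the real
# /etc/selinux/config.

# Print the SELINUX= value from a config file (comments and blank lines are
# ignored; if the key appears more than once the last one is reported).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Map a mode name to the numeric argument setenforce expects.
# Disabled is not a runtime mode: it can only be chosen in the config file.
mode_to_setenforce() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        enforcing)  echo 1 ;;
        permissive) echo 0 ;;
        *) echo "mode '$1' cannot be set with setenforce" >&2; return 1 ;;
    esac
}

# Rewrite the SELINUX= line in a config file. The result is written back
# through the original inode (cat >, not mv) so the file keeps its own label
# and permissions.
set_boot_mode() {
    file=$1; mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    grep -q '^SELINUX=' "$tmp" || echo "SELINUX=$mode" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Compare the configured mode with the running one (as printed by getenforce).
# Returns 0 when they agree, 1 when a reboot would change the mode.
check_mode_drift() {
    file=$1
    cur=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    boot=$(config_mode "$file")
    if [ "$boot" = "$cur" ]; then
        echo "ok: running $cur, configured $boot"
    else
        echo "DRIFT: running $cur, but $file says $boot (applies at next boot)"
        return 1
    fi
}

demo() {
    cfg=$(mktemp) || return 1
    # Constructed config in the layout of /etc/selinux/config.
    cat > "$cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
SELINUXTYPE=targeted
EOF
    # Use the real running mode where available; "Permissive" is a constructed
    # stand-in on hosts without SELinux.
    running=$(getenforce 2>/dev/null || echo Permissive)
    check_mode_drift "$cfg" "$running" || true
    set_boot_mode "$cfg" permissive
    check_mode_drift "$cfg" "$running" || true
    echo "runtime switch to permissive would be: setenforce $(mode_to_setenforce permissive)"
    rm -f "$cfg"
}

demo || true
```

Pointed at the real file (config_mode /etc/selinux/config; check_mode_drift /etc/selinux/config "$(getenforce)"), the drift check is a one-line compliance test worth running from a cron job or a configuration-management agent.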


Initial SELinux context
Typically, the SELinux context of a
file’s parent directory determines the
initial SELinux context: a newly created
file inherits the context of the directory
it is created in (unless a type transition
rule in the policy says otherwise). This
works for commands like vim, cp and
touch. However, if a file is created
elsewhere and its attributes are
preserved (as with mv, or cp -a /
cp --preserve=context), the original
SELinux context will be kept, even
when it is wrong for the new location.


Changing the SELinux
context of a file
There are two commands that are used
to change the SELinux context of a


file—chcon and restorecon. The chcon
command changes the context of a file
to the context specified as an argument