In this post, we will continue from our previous discussion related to Understanding the use of SELinux and learn how to change SELinux context of files and directories using semanage and chcon commands. Further, we will discuss how to change SELinux booleans using the setsebool command.
In the previous discussion, we created a /test directory and a file /test/myweb.html file within it. We were not able to host the file because the context of the file was not httpd_sys_content_t. To change the context use the semanage command as shown below.
#semanage fcontext -a -t httpd_sys_content_t "/Test(/.*)?"
#restorecon -Rv /Test
-a: option adds a record of the specified object type
-t: option specifies the SELinux Type for the object
The /.* applied it recursively to the directory content.
The restorecon command restores the newly added SELinux security context on the directory /Test and its files and sub-directories.
Now, the file context is changed and it can be accessed by the web server. But, the web server has no access to the /Test directory because the Document root is /var/www/html. So either move the file to /var/www/html or change the Document Root to /Test directory. For this edit the Apache configuration file /etc/httpd/conf/httpd.conf
Scroll down within the file till you reach DocumentRoot line as shown below.
change the “/var/www/html” to /Test and Directory “/var/www” to Directory “/Test”
Save the changes and restart the service
#systemctl restart httpd
Now, open the web browser and host the web page myweb.html as
SELinux Booleans
When you work with SELinux for a while, you will realise that some actions are forbidden despite the fact that they have a perfectly valid justification to be allowed. SELinux policy writers are urged to make policies optional when this rationale is dependent on specific conditions (or choices). In the SELinux environment, optional indicates that permitting access should be prompted by a SELinux boolean.
SELinux Booleans are similar to a switch that can be turned on or off depending on the situation. To protect the basic Linux environment, SELinux includes various ready-to-use Booleans.
getsebool command
The getsebool command with -a option lists all the available SELinux booleans along with their status (on or off).
#getsebool -a
Another way to list the boolean value and the description of the boolean means use the semanage command as
#semanage boolean -l
The state shows two values: the first is whether the boolean is on or off and the second value tells whether the value is persistent or not.
setsebool command
To change the value of SELinux boolean use the setsebool command. In the example below the value of the “httpd_enable_homedir” boolean is off which means the httpd service cannot access files in the user’s homedirectory. Next we use the setsebool command to enable this boolean.
-P: option with setsebool is used to make the change persistently. Notice below that when we list the boolean details using semanage boolean -l it shows (on , off). The “on” means that the boolean is active but the off means the boolean state is not persistent i.e., it will not be on after next boot. To make the change persistent use -P option with setsebool command while changing the boolean value. Now, the change in value will be persistent as shown in the figure below.
Changing Port Numbers in SELinux policy
Services may only be permitted to run on specific port numbers depending on policy setup. Altering a service’s port without changing its policy may result in the service failing to start. FOr doing this use the semanage port command. For instance SELinux allows http
to listen on certain TCP ports like 80, 443 etc. Use the
#semanage port -l
command to list the allowed ports. The list on my system is as below
Now, let us add another port say, 12345. use the command
#semanage port -a -t http_port_t -p tcp 12345
To delete any unwanted port (say 12345) use
#semanage port -d -t http_port_t -p tcp 12345
Video Link
Relevant Topics
chmod command
ACL (Access Control List)