How to change SELinux Context using semanage?

In this post, we will continue from our previous discussion related to Understanding the use of SELinux and learn how to change SELinux context of files and directories using semanage and chcon commands. Further, we will discuss how to change SELinux booleans using the setsebool command.

In the previous discussion, we created a /test directory and a file, /test/myweb.html, within it. We were not able to host the file because the context of the file was not httpd_sys_content_t. To change the context, use the semanage command as shown below.

#semanage fcontext -a -t httpd_sys_content_t "/Test(/.*)?"
#restorecon -Rv /Test

-a: option adds a record of the specified object type

-t: option specifies the SELinux Type for the object

The (/.*)? part of the pattern applies the context recursively to the directory and its contents.

The restorecon command restores the newly added SELinux security context on the directory /Test and its files and sub-directories.

Now the file context is changed and the file can be accessed by the web server. However, the web server has no access to the /Test directory because the DocumentRoot is /var/www/html. So either move the file to /var/www/html or change the DocumentRoot to the /Test directory. To do this, edit the Apache configuration file /etc/httpd/conf/httpd.conf.

Scroll down within the file until you reach the DocumentRoot line as shown below.

Change “/var/www/html” to “/Test” and Directory “/var/www” to Directory “/Test”.

Save the changes and restart the service:

#systemctl restart httpd

Now, open the web browser and host the web page myweb.html as

SELinux Booleans

When you work with SELinux for a while, you will realise that some actions are forbidden despite the fact that they have a perfectly valid justification to be allowed. SELinux policy writers are urged to make policies optional when this rationale is dependent on specific conditions (or choices). In the SELinux environment, optional indicates that permitting access should be prompted by a SELinux boolean.

SELinux Booleans are similar to a switch that can be turned on or off depending on the situation. To protect the basic Linux environment, SELinux includes various ready-to-use Booleans.

getsebool command

The getsebool command with -a option lists all the available SELinux booleans along with their status (on or off).

#getsebool -a

Another way to list the boolean values, along with a description of each boolean, is to use the semanage command:

#semanage boolean -l

The state shows two values: the first is whether the boolean is on or off and the second value tells whether the value is persistent or not.

setsebool command

To change the value of an SELinux boolean, use the setsebool command. In the example below, the value of the “httpd_enable_homedirs” boolean is off, which means the httpd service cannot access files in the user’s home directory. Next, we use the setsebool command to enable this boolean.

-P: this option makes the change persistent. Notice below that when we list the boolean details using semanage boolean -l, it shows (on, off). The “on” means that the boolean is currently active, but the “off” means the state is not persistent, i.e., it will not be on after the next boot. To make the change persistent, use the -P option with the setsebool command while changing the boolean value. The change in value will then be persistent, as shown in the figure below.
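The (state, persistent) pair described above can be audited mechanically. The following is an added example, not part of the original post: it parses `semanage boolean -l` output and reports booleans whose runtime state differs from the persistent value. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `semanage boolean -l` output (not taken from a real host).
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description

httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
httpd_use_nfs                  (off  ,   on)  Allow httpd to use nfs'

# Hypothetical helper: read `semanage boolean -l` output on stdin and print
# every boolean whose runtime state differs from its persistent value, e.g. a
# boolean switched with setsebool but without -P, which reverts at next boot.
nonpersistent_booleans() {
    awk '
        match($0, /\( *(on|off) *, *(on|off) *\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)  # text inside ( )
            gsub(/ /, "", pair)                         # "on   ,  off" -> "on,off"
            split(pair, v, ",")
            if (v[1] != v[2])
                printf "%s runtime=%s persistent=%s\n", $1, v[1], v[2]
        }'
}

# Hypothetical helper: print (never run) the setsebool -P command that would
# keep each drifted boolean at its current runtime value. Review before use:
# the right fix may instead be to switch the runtime value back.
persist_commands() {
    nonpersistent_booleans | while read -r name runtime rest; do
        printf 'setsebool -P %s %s\n' "$name" "${runtime#runtime=}"
    done
}

# Demo on the constructed sample; on a real host, pipe `semanage boolean -l` in.
printf '%s\n' "$SAMPLE_BOOLEANS" | nonpersistent_booleans
printf '%s\n' "$SAMPLE_BOOLEANS" | persist_commands
```

A boolean that is on at runtime but off persistently is often a leftover from testing, so the report is worth reviewing before any of the printed commands are run.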

Changing Port Numbers in SELinux policy

Services may only be permitted to run on specific port numbers depending on policy setup. Altering a service’s port without changing its policy may result in the service failing to start. To change the policy, use the semanage port command. For instance, SELinux allows http to listen on certain TCP ports like 80, 443 etc. Use the

#semanage port -l

command to list the allowed ports. The list on my system is as below

Now, let us add another port, say 12345. Use the command

#semanage port -a -t http_port_t -p tcp 12345

To delete any unwanted port (say 12345) use

#semanage port -d -t http_port_t -p tcp 12345
