Introduction to SELinux in Red Hat Linux

Welcome to Day 17 of the 30 Days of Linux Challenge!

Today’s topic focuses on SELinux (Security-Enhanced Linux) — a powerful, but often misunderstood, security system built into Red Hat-based distributions.

If you’ve ever seen services randomly "fail" even when file permissions look correct... chances are SELinux was doing its job!

📚 Table of Contents

• Why SELinux Matters
• SELinux Modes Explained
• Understanding SELinux Contexts
• Managing SELinux Contexts
• SELinux and Non-Standard Ports
• Troubleshooting SELinux Issues
• Real-World Example
• Try It Yourself
• Why This Matters in the Real World

Why SELinux Matters

Linux file permissions (rwx, chown, etc.) are discretionary — the owner sets access.

But SELinux enforces mandatory access control (MAC):

• Kernel-level restrictions
• Labels on files, processes, and ports
• Strict security enforcement, even against root-owned processes

🔒 SELinux is critical for:

• Web servers (Apache, Nginx)
• Database servers (MySQL, PostgreSQL)
• Containers (Podman, Docker with SELinux support)
• Multi-tenant environments
• Systems with compliance requirements (PCI-DSS, HIPAA, FISMA)

SELinux Modes Explained

Check SELinux mode:

getenforce

Modes:

Mode Meaning
Enforcing SELinux policies are actively enforced
Permissive Violations are logged, but not blocked
Disabled SELinux engine is turned off

Temporarily switch modes:

sudo setenforce 0 # Permissive
sudo setenforce 1 # Enforcing

Permanently set mode:
Edit /etc/selinux/config and adjust:

SELINUX=enforcing
Understanding SELinux Contexts
Every file, directory, and process has a context (security label).

View file contexts:
ls -Z /var/www/html

Example output:

-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

Label Meaning
system_u SELinux user
object_r SELinux role

httpd_sys_content_t SELinux type (controls access)

s0 SELinux security level

🛡️ Type is usually the most important — Apache must only access files labeled with httpd_sys_content_t.

Managing SELinux Contexts

Change context (temporary):
sudo chcon -t httpd_sys_content_t /var/www/html/index.html

Restore default context:
sudo restorecon -v /var/www/html/index.html

View process contexts:
ps -eZ | grep sshd

SELinux and Non-Standard Ports

Services like Apache usually use port 80, but what if you want port 8080?

List known port contexts:

sudo semanage port -l

Add new port:
sudo semanage port -a -t http_port_t -p tcp 8080

If semanage is missing:
sudo dnf install policycoreutils-python-utils

Troubleshooting SELinux Issues

🔍 View recent SELinux denials:

sudo ausearch -m AVC,USER_AVC -ts recent
Or:
sudo journalctl | grep SELinux

Audit logs:
sudo cat /var/log/audit/audit.log

Tip:

Install setroubleshoot-server to analyze logs:

sudo dnf install setroubleshoot-server
sudo sealert -a /var/log/audit/audit.log

It will give human-readable explanations of denials.

Real-World Example

Problem: Apache (httpd) cannot read files in /custom/html, even though permissions are correct.

Solution:

Check SELinux context:
ls -Z /custom/html

Set correct type:
sudo chcon -t httpd_sys_content_t /custom/html/*
sudo restorecon -Rv /custom/html

If using a custom port like 8080:
sudo semanage port -a -t http_port_t -p tcp 8080

Without adjusting contexts or ports, SELinux would silently block Apache, no matter the file permissions.

Try It Yourself

Check mode
getenforce

List contexts of web files
ls -Z /var/www/html

Modify context
sudo chcon -t httpd_sys_rw_content_t /var/www/html/myfile

Restore defaults
sudo restorecon -Rv /var/www/html

Explore process contexts
ps -eZ | grep sshd

Why This Matters in the Real World

Organizations trust Red Hat systems for stability and security — and SELinux is a big reason why.

When properly configured:

• SELinux stops privilege escalation attacks
• SELinux isolates services even from each other
• SELinux logs detailed security events for auditing

Learning SELinux early strengthens your Linux expertise beyond basic user-level knowledge.