Definitely install package "setools-console".
sestatus is very helpful (getenforce is more specific).

LOGGING
/var/log/audit/audit.log has the SELinux access denials, for CentOS/RHEL: type=AVC messages and sometimes others. Apparently requires the auditd and rsyslog services.
LOGGING ON ArchLinux???

MODE
Mode is disabled|permissive|enforcing. Set it in /etc/selinux/config for reboots.
    setenforce 0    # permissive
    setenforce 1    # enforcing

SELINUX POLICIES/TYPES
CentOS provides targeted, minimum, mls.
Targeted Policy: Confined processes run in dedicated domains. This is used to lock down privileged server processes and setuid processes. "For the most part, SELinux users and roles can be ignored" (with this policy). Usually just use user=system_u, role=object_r. If no MLS or multi-cat, just use level s0.
Other processes are unconfined, nearly unlimited, e.g. processes invoked by user shells or init (unconfined_t and initrc_t correspondingly, plus kernel_t). Unconfined may not allocate writable memory and execute it.

CONTEXTS
A trailing "." after the perms in "ls -l" means there is a SELinux context for the item.
Use "ls -Z" or "ls -lZ" to display the CONTEXT in a new :-delimited column:
    USER:ROLE:TYPE:LEVEL    e.g. unconfined_u:object_r:user_home_t:s0
(LEVEL may have internal :s.) object_r is useless here (see Roles below).
Similarly "ps ...Z..." adds a "LABEL" column with nearly the same context info:
    USER:ROLE:DOMAIN:LEVEL    (n.b. DOMAIN, not TYPE)
Domains: an access type that can be allowed/prohibited. Apparently domain names use the same name space as types and end with _t.

USERS
"semanage login -l" as root lists mappings from Linux users (like 'blaine') to SE users (like 'unconfined_u'), incl. Linux user __default__.
SE user 'user_u' by default can't run setuid apps nor run programs from the home directory.
"id -Z" (only usable for the current user) displays context for me.
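To make the audit.log and "ls -Z"/"ps -Z" material above concrete, here is an added shell example (not from these notes; the audit lines are constructed, not a real capture). It splits a context into USER/ROLE/TYPE/LEVEL while keeping a LEVEL that itself contains colons intact, and it boils type=AVC denial records down to the four things you look at first: source domain, target type, object class and denied permissions. Non-AVC records (the SYSCALL line) are skipped.

```shell
# Constructed sample of /var/log/audit/audit.log lines (not a real capture):
# two AVC denials and one unrelated SYSCALL record sharing an audit id.
SAMPLE_AUDIT='type=AVC msg=audit(1398467239.456:123): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1398467239.456:123): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1398467240.001:124): avc:  denied  { name_bind } for  pid=2345 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Print field N (1..4) of a context USER:ROLE:TYPE:LEVEL.  The LEVEL may itself
# contain colons (s0-s0:c0.c1023), so everything from the 4th field on is rejoined.
ctx_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{
        if (n < 4) { print $n; next }
        lvl = $4
        for (i = 5; i <= NF; i++) lvl = lvl ":" $i
        print lvl
    }'
}

# Reduce AVC denial records on stdin to "SOURCE_DOMAIN TARGET_TYPE CLASS PERMS".
# The TYPE of scontext/tcontext is the 3rd colon field, which is all a boolean,
# an fcontext rule or a custom policy module will be keyed on.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = ""
        if (match($0, /\{[^}]*\}/)) {          # "{ read write }" -> "read write"
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        }
        sdom = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); sdom = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        print sdom, ttype, tclass, perms
    }'
}

# Run the summary over the constructed sample.
avc_summary_sample() { printf '%s\n' "$SAMPLE_AUDIT" | avc_summary; }

# Stand-alone run; on a real CentOS/RHEL box you would feed the live log instead:
#   avc_summary < /var/log/audit/audit.log
avc_summary_sample
```

On a real host `ausearch -m AVC` does the same record filtering with time windows; the point of the awk version is to show which pieces of an AVC line carry the decision (the domain, the target type, the class and the permission set), which is also what the "SELinux is preventing" messages from setroubleshoot restate in prose.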
    useradd -Z se_user unix_user
or after the Unix account is created:
    semanage login -a -s se_user unix_user
    semanage login -d u_user    # to remove user mapping entries
Change a mapping:
    semanage login -m -S targeted -s se_user -r s0 u_user
    # u_user may be __default__; s0 is the desired level
usermod ???

ROLES like 'object_r'. APPARENTLY both file contexts and SE users have (a?) SE role, and SE roles are mapped to domains, e.g. system_r for daemons. RBAC is only applied to processes, not files, so the _r in "ls -Z" output is useless.

TYPES like 'user_home_t' (specifies a domain for processes, a type otherwise).
Example policy rule: file type value 'passwd_exec_t' has entrypoint permission so the program will execute in the passwd_t domain; file type value "shadow_t" can be read/written by the passwd_t domain.
There is unconfined_exec_t OOTB for the obvious purpose, but not used OOTB that I can find.
Generally user files get the types of the expected directory branches like user_tmp_t, home_bin_t, user_home_t regardless of whether executable or not.
When you create a file it inherits from the parent dir (similar to g+s dirs). N.b. this is not what restorecon will set. See restorecon elsewhere. But somehow these create privileges survive a reboot (so restorecon doesn't run upon reboot).

LEVELS (complicated), with range-pairs of (sensitivity and category sets) specifying all sensitivities and categories that it has access to:
    sensit[:cat,set][-sensit[:cat,set]]
cat,sets can use . instead of , for a contiguous range of cats.
RHEL MLS policy has only one sensitivity value: s0. And cats c0 to c1023.
semanage maps levels to labels using the file "/etc/selinux/targeted/setrans.conf" (view but do not edit!).

    seinfo -t                      # lists all security contexts (req. setools-console pkg)
    seinfo -r                      # lists all security roles (req. setools-console pkg)
    matchpathcon /etc/named.conf   # queries default security context???
'chcon' or 'semanage' to change contexts.
Awesome: https://wiki.centos.org/HowTos/SELinux

GOTCHA!: Cannot log in from the console, or for the KDE desktop, with SELinux active, even after following the instructions at http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4626600
Work-around: Change to "SELINUX=permissive" in /etc/sysconfig/selinux, and reboot. Or disable it, per the comment in the file.

Per Amazon instance's sshd_config: "If you want to change the port on a SELinux system, you have to tell SELinux about this change."
    semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
http://www.cyberciti.biz/faq/centos-redhat-enterprise-linux6-change-sshd-port-number/

Lighttpd won't start with: couldn't set 'max filedescriptors' Permission denied
See https://www.rajtechtips.com/tag/selinux-max-filedescriptors/

CHANGING FILE PRIVS (critical to link files to policy rules):
    chcon [-R] -t newgrp_t file/path    # Does not survive a filesystem relabel
    semanage fcontext -a -t atype_t 'abs/reg/exp'
        # ONLY updates rules in /etc/selinux/contexts/files/file_context.local*
        # These are used by setfiles fs relabels and by restorecon.
    matchpathcon -V file/path...
    restorecon [-Rv] file/path...    # applies rules /etc/selinux//context/files/*

/etc/selinux//context/files/* misc. specifics
To remove a pattern entry run:
    semanage fcontext -d '/regexp'
Files with no matching pattern get the ultra-default type default_t (you should add a matching pattern). file_t is similar for an extended-attribute FS.
    matchpathcon -V file...    # Reports if context ~= .../files/* rules.
    restorecon [-RFv] file/path
        # -F required for the types in /etc/selinux//contexts/customizable_types
        # -v shows what changed
These preferred types are not what you get when you create files, but follow the rules in the text files at /etc/selinux//contexts/files/. (Apparently 'restorecon' does not execute upon reboot.)
Weird that when I create a new file in ~/tmp it gets user_tmp_t but when I restorecon it changes to user_home_t. ???
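The fcontext rules above (semanage fcontext -a, matchpathcon, restorecon, the default_t fallback) are easier to reason about with a small resolver. The following is an added shell example, not from these notes and not libselinux's own matcher: the rule tables are constructed, each regex is anchored at both ends the way file_contexts entries are, and it assumes that the last matching rule wins, which is the simplification that lets appended local rules (what semanage fcontext -a writes) override the base set. Only the type is modeled, not the full user:role:type:level context or the file-type column.

```shell
# Constructed base rules in file_contexts layout: regex, whitespace, type.
# (Real entries carry a full context and an optional file-type field.)
FCONTEXT_BASE='/home/[^/]+(/.*)?        user_home_t
/home/[^/]+/bin(/.*)?                   home_bin_t
/srv/www(/.*)?                          httpd_sys_content_t'

# Constructed "local" rule, standing in for what
#   semanage fcontext -a -t httpd_sys_script_exec_t "/srv/www/cgi-bin(/.*)?"
# would append to file_contexts.local.
FCONTEXT_LOCAL='/srv/www/cgi-bin(/.*)?  httpd_sys_script_exec_t'

# Resolve PATH ($1) against the rule list on stdin.  Assumption: last match wins.
# A path that no rule matches gets default_t, as the notes above describe.
fcontext_lookup() {
    awk -v path="$1" '
        NF >= 2 && $1 !~ /^#/ {
            if (path ~ ("^" $1 "$")) type = $NF      # anchored, like file_contexts
        }
        END { print (type == "" ? "default_t" : type) }'
}

# What restorecon would set using only the base policy rules.
fcontext_base() { printf '%s\n' "$FCONTEXT_BASE" | fcontext_lookup "$1"; }

# The same after the local rule has been appended (base first, local last).
fcontext_with_local() {
    printf '%s\n%s\n' "$FCONTEXT_BASE" "$FCONTEXT_LOCAL" | fcontext_lookup "$1"
}

# Stand-alone run: show the precedence effects for a few constructed paths.
for p in /home/blaine/notes.txt /home/blaine/bin/tool /srv/www/cgi-bin/x.cgi /opt/thing; do
    printf '%-28s base=%-22s with-local=%s\n' "$p" "$(fcontext_base "$p")" "$(fcontext_with_local "$p")"
done
```

Two things the table makes visible: /home/blaine/bin/tool matches both the user_home_t and the home_bin_t rules and gets the later, more specific one; and /opt/thing matches nothing, so it lands on default_t until a rule is added for it. A chcon on such a file is exactly what a later relabel will undo, because relabels only consult these rules.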
I DO NOT KNOW THE RULES FOR WHAT types GET SET NON-EXPLICITLY.

PACKAGES
RHEL/CentOS has these packages: policycoreutils, selinux-policy (has base), selinux-policy-targeted
Dev only???: libselinux, libselinux-utils, libselinux-python
CORE OPTIONALS: setools-console, policycoreutils-python
Optionals: selinux-policy-mls, setroubleshoot-server (provides "sealert"), setools-gui (or setools incl. -gui + -console), mcstrans (to display readable levels), policycoreutils-gui

RELABELING
All files must get EFS-labeled before transitioning to a higher mode. FSes are automatically relabeled with setfiles when changing FROM disabled (upon reboot). When going from permissive to enforcing you should create the file ".autorelabel" in the root directory (not all fs roots??).
Check (for RHEL/CentOS):
    grep 'SELinux is preventing' /var/log/messages
GOTCHA: If the system was initially installed without the selinux-policy package, you need to run 'dracut' to update the initramfs or the system won't boot SELinux.

BOOLEANS allow for runtime control without modifying policies.
    semanage boolean -l               # Lists all with cur val, default, description.
    getsebool {-a|bool1 bool2...}     # Lists bool(s) with cur val.
    setsebool [-P] bool {on|off}      # -P makes it persist across reboots

MOUNTING
    mount -o context=a:b:c:d ...
        # Option says to not honor contexts in the FS itself. Non-persistent.
        # Use if you don't trust it, or if the policy of nfs to nfs_t won't work for you.
        # (There's also a boolean that can be leveraged.)
    mount -o defcontext=a:b:c:d ...
        # I guess applies only to newly created files.
        # May need a nosharecache option for multiple overriding nfs mounts.

COPYING FILES
By default contexts come from the rules for the destination, whether that is an overridden file, parent directory, rules in /*/files/, etc.
    cp --preserve=context ...    # attempts to preserve the source's
    cp -Z a:b:c:d x y...         # Specify final context directly
Moving preserves the original contexts.
    tar --selinux c...    # Writes the contexts
    tar --selinux x...    # Restores the contexts
    tar -x...
        | restorecon -f -    # Applies system rules, ignoring what's in the tar
    # There is also an --xattrs option that does SE context plus other extended attrs.

sVirt uses randomly generated (but distinctive) category values cX to distinguish VMs.
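The LEVELS notation from the earlier section (sensit[:cat,set][-sensit[:cat,set]], with "." for contiguous category ranges) and the sVirt note just above come together in one added shell example. It is not from these notes: it expands a category expression, splits a range into its low and high level, and checks "dominance" (sensitivity at least as high and a superset of categories). The mcs_can_read function is an assumed, simplified model of the MCS file-read constraint, namely that the process's high level must dominate the file's level; the VM labels and category pairs are constructed.

```shell
# Expand an MCS category expression such as "c0.c3,c5" into sorted category
# numbers: "0 1 2 3 5".  "." is a contiguous range, "," separates members.
mcs_expand_cats() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue
            n = split($i, r, ".")                  # "c0.c3" -> r[1]="c0", r[2]="c3"
            lo = substr(r[1], 2) + 0               # strip the leading "c"
            hi = (n > 1) ? substr(r[2], 2) + 0 : lo
            for (c = lo; c <= hi; c++) seen[c] = 1
        }
        for (c = 0; c <= 1023; c++) if (seen[c]) out = out (out == "" ? "" : " ") c
        print out
    }'
}

# Return the low or high level of a range: "s0-s0:c0.c1023" -> "s0" / "s0:c0.c1023".
# A plain level ("s0:c12,c345") is its own low and high.
mcs_bound() {
    case "$1" in
        *-*) low=${1%%-*}; high=${1#*-} ;;
        *)   low=$1;       high=$1 ;;
    esac
    if [ "$2" = high ]; then printf '%s\n' "$high"; else printf '%s\n' "$low"; fi
}

# Does level A ($1) dominate level B ($2)?  True when A's sensitivity number is
# >= B's and A's category set is a superset of B's.  Exit status 0 = yes.
mcs_dom() {
    sa=${1%%:*}; sb=${2%%:*}
    ca=""; cb=""
    case "$1" in *:*) ca=${1#*:} ;; esac
    case "$2" in *:*) cb=${2#*:} ;; esac
    [ "${sa#s}" -ge "${sb#s}" ] || return 1
    a_set=$(mcs_expand_cats "$ca"); b_set=$(mcs_expand_cats "$cb")
    for c in $b_set; do
        case " $a_set " in *" $c "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Assumed simplified MCS read check: the process's high level ($1, may be a
# range) must dominate the file's level ($2).  Exit status 0 = would be allowed.
mcs_can_read() {
    mcs_dom "$(mcs_bound "$1" high)" "$(mcs_bound "$2" low)"
}

# Stand-alone run with constructed sVirt-style labels: each VM gets its own
# category pair, so VM2 cannot read VM1's disk image, while an unconfined
# process carrying the full c0.c1023 range can read both.
vm1_proc='s0:c12,c345'; vm2_proc='s0:c67,c890'; admin_proc='s0-s0:c0.c1023'
vm1_image='s0:c12,c345'
for p in "$vm1_proc" "$vm2_proc" "$admin_proc"; do
    if mcs_can_read "$p" "$vm1_image"; then r=allowed; else r=denied; fi
    printf '%-16s reading image %-14s -> %s\n' "$p" "$vm1_image" "$r"
done
```

The check is deliberately category-only at the MCS level the notes describe (one sensitivity, s0); with a real MLS policy there are more sensitivities and extra constraints on write, so treat mcs_can_read as an illustration of why distinct category pairs isolate VMs from each other's images, not as a reimplementation of the kernel's decision.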