Introduction to SELinux in Red Hat Linux
shamain anjum


Publish Date: Apr 28

Welcome to Day 17 of the 30 Days of Linux Challenge!

Today’s topic focuses on SELinux (Security-Enhanced Linux) — a powerful, but often misunderstood, security system built into Red Hat-based distributions.

If you’ve ever seen a service fail even though the file permissions look correct, chances are SELinux was doing its job.


Why SELinux Matters

Linux file permissions (rwx, chown, etc.) are discretionary access control (DAC): the owner decides who gets access, and root bypasses the check entirely.

SELinux adds mandatory access control (MAC) on top of that:

  • Kernel-level checks that run after the DAC check has already passed
  • Labels (contexts) on files, processes, ports and sockets, with policy rules written in terms of those labels rather than usernames or paths
  • Enforcement that applies even to processes running as root, as long as they run in a confined domain (an unconfined_t shell is, by design, not restricted)

🔒 SELinux is critical for:

  • Web servers (Apache, Nginx)
  • Database servers (MySQL, PostgreSQL)
  • Containers (Podman, Docker with SELinux support)
  • Multi-tenant environments
  • Systems with compliance requirements (PCI-DSS, HIPAA, FISMA)

SELinux Modes Explained

Check SELinux mode:

getenforce


Modes:

  Mode         Meaning
  Enforcing    Policy is enforced: denied operations fail and are logged
  Permissive   Denied operations are logged (AVC messages) but still allowed through
  Disabled     No policy is loaded and new files get no labels

Temporarily switch modes (lost at reboot, and only possible between Enforcing and Permissive, not out of Disabled):

sudo setenforce 0 # Permissive
sudo setenforce 1 # Enforcing

Permanently set mode:
Edit /etc/selinux/config and adjust:

SELINUX=enforcing

A change to or from disabled takes effect at the next reboot, and when re-enabling you must relabel the filesystem (create the file /.autorelabel before rebooting), because files written while SELinux was off carry no labels. Do not leave a production host in Permissive to "fix" one service: make only that service's domain permissive with sudo semanage permissive -a httpd_t (undo with -d), fix the labels it complains about, then put it back.

Understanding SELinux Contexts

Every file, directory, process, port and socket carries a context (security label), and every policy rule is written in terms of these labels.

View file contexts:
ls -Z /var/www/html

Example output:

-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

(On RHEL 8 and later, ls -Z prints only the context and the file name; the permission and owner columns shown here need ls -lZ.)

  Label                  Meaning
  system_u               SELinux user
  object_r               SELinux role
  httpd_sys_content_t    SELinux type (what most policy rules are written against)
  s0                     MLS/MCS sensitivity level

🛡️ The type is what matters day to day: the Apache domain httpd_t may read files labeled httpd_sys_content_t, may write only to httpd_sys_rw_content_t, and is denied other types such as default_t (or user_home_t, unless a boolean allows it), no matter what the rwx bits say.

Managing SELinux Contexts

Change context (temporary):
sudo chcon -t httpd_sys_content_t /var/www/html/index.html

chcon writes the label straight onto the file; nothing is recorded in policy, so the next restorecon or full relabel puts the policy default back. Use it for quick tests only.

Restore default context:
sudo restorecon -v /var/www/html/index.html

restorecon applies whatever the policy's file-context rules say the path should have (matchpathcon /path shows that default without changing anything). For a path the policy knows nothing about, that default is default_t, which Apache cannot read.

View process contexts:
ps -eZ | grep sshd

The third colon-separated field of a process label is its domain (sshd_t here); id -Z shows the context of your own shell.


SELinux and Non-Standard Ports

A confined service may only bind the ports labeled for it. http_port_t covers 80, 443, 8443 and a few others; Apache asking for any other port gets an AVC denial for name_bind on a tcp_socket.

List known port contexts:

sudo semanage port -l

Check what a port is already mapped to before touching it:
sudo semanage port -l | grep -w 8080

Add a new mapping:
sudo semanage port -a -t http_port_t -p tcp 8080

If the port is already mapped to another type, -a fails with "already defined" (on a stock RHEL policy, 8080 belongs to http_cache_port_t); change the existing mapping with -m instead:
sudo semanage port -m -t http_port_t -p tcp 8080

-d removes a mapping you added. Mappings made with semanage are stored in the policy store and survive reboots.

If semanage is missing:
sudo dnf install policycoreutils-python-utils
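The -a versus -m choice can be made mechanically from the listing itself. The script below is an added example (mine, not from the original post or from the SELinux tools): it reads semanage port -l output on stdin, resolves which type currently owns a proto/port pair (including "low-high" ranges), and prints the semanage command that would make it belong to the wanted type. The embedded listing is constructed and abridged; its port numbers are assumed, so take the real ones from your own system.

```sh
#!/bin/sh
# Added example: decide between `semanage port -a` and `semanage port -m`
# from the current port listing. Constructed sample of `semanage port -l`
# (abridged; the numbers are assumed, take the real ones from your system):
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_type_for PROTO PORT: reads a `semanage port -l` listing on stdin and
# prints the type that owns PROTO/PORT (handling "low-high" ranges), or
# nothing if the port is unmapped.
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        NF < 3 || $2 != proto { next }            # header, blank, other proto
        {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip the list comma
                if (index(p, "-") > 0) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd TYPE PROTO PORT: prints the semanage command that makes
# PROTO/PORT belong to TYPE, given the listing on stdin.
semanage_port_cmd() {
    want="$1"; proto="$2"; port="$3"
    current=$(port_type_for "$proto" "$port")
    if [ -z "$current" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
    elif [ "$current" = "$want" ]; then
        printf '# %s/%s is already %s, nothing to do\n' "$proto" "$port" "$current"
    else
        # -a would fail here with "Port tcp/8080 already defined"
        printf 'semanage port -m -t %s -p %s %s  # currently %s\n' "$want" "$proto" "$port" "$current"
    fi
}

# Demo against the constructed listing. On a real host pipe in the live data:
#   sudo semanage port -l | semanage_port_cmd http_port_t tcp 8080
for p in 8080 8081 8443 10005; do
    printf '%s\n' "$SAMPLE_LISTING" | semanage_port_cmd http_port_t tcp "$p"
done
```

The demo prints an -m command for 8080 and 10005 (both inside http_cache_port_t), an -a command for 8081 (unmapped in the sample), and a no-op note for 8443. The printed command is deliberately not executed; review it and run it with sudo yourself.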

Troubleshooting SELinux Issues

🔍 View recent SELinux denials (the last 10 minutes):

sudo ausearch -m AVC,USER_AVC -ts recent
Or, if setroubleshoot is installed, its digested reports:
sudo journalctl -t setroubleshoot

Raw audit log (every denial is an AVC record naming the source context, the target context, the object class and the permission that was refused):
sudo grep denied /var/log/audit/audit.log

Tip:

Install setroubleshoot-server to analyze logs:

sudo dnf install setroubleshoot-server
sudo sealert -a /var/log/audit/audit.log

It gives a human-readable explanation of each denial, with candidate fixes (a label, a boolean, a port mapping) ranked by confidence and the command for each. Read the explanation before acting on it: the "generate a local policy module with audit2allow" suggestion is listed last for a reason, since it allows exactly what was denied, label mistakes included.
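Before reaching for sealert, it helps to see what the raw AVC records reduce to: which domain was denied which permission on which type, and how often. The script below is an added example (mine, not from the original post or from the audit tools) that condenses audit records into those counts and attaches a first-pass hint in the same order sealert tries fixes (labels and ports before new policy). The audit lines are constructed to look like a mislabeled docroot plus a stray port; pids, inodes, timestamps and the port number are made up.

```sh
#!/bin/sh
# Added example: condense raw AVC records into "who was denied what on which
# type" counts, the triage sealert and audit2why start from. The audit lines
# below are constructed; the pids, inodes, timestamps and port are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1714300000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1714300000.125:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="about.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1714300001.456:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8082 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1714300002.789:459): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/custom/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1714300002.789:459): arch=c000003e syscall=6 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# summarize_avc: reads audit records on stdin, prints one tab-separated line
# per distinct (source type, target type, class, permissions) with its count,
# most frequent first. Non-AVC records (SYSCALL, PATH, ...) are ignored.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""; st = ""; tt = ""; tc = ""
            if (match($0, /denied +[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/denied +[{] /, "", perm); sub(/ [}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "scontext") { split(v, c, ":"); st = c[3] }   # user:role:TYPE:level
                else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
                else if (k == "tclass") tc = v
            }
            count[st "\t" tt "\t" tc "\t" perm]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# avc_hint SRC TGT CLASS PERM: first-pass classification of one summary line.
avc_hint() {
    case "$3:$4" in
        tcp_socket:name_bind|udp_socket:name_bind)
            echo "$1 may not bind a port of type $2: map the port with semanage port (-a, or -m if it is already defined)" ;;
        file:*|dir:*|lnk_file:*)
            case "$2" in
                default_t|unlabeled_t)
                    echo "no file-context rule covers this path: add one with semanage fcontext and run restorecon" ;;
                *)
                    echo "$1 has no rule for '$4' on $2: relabel to a type it may use, or check getsebool -a and audit2why before writing policy" ;;
            esac ;;
        *) echo "no shortcut for $3 '$4': run the record through audit2why" ;;
    esac
}

# Demo on the constructed records. On a live host:
#   sudo ausearch -m AVC,USER_AVC -ts recent --raw | summarize_avc
TAB=$(printf '\t')
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | while IFS="$TAB" read -r n st tt tc perm; do
    printf '%sx %s -> %s (%s: %s)\n    %s\n' "$n" "$st" "$tt" "$tc" "$perm" "$(avc_hint "$st" "$tt" "$tc" "$perm")"
done
```

On the sample this yields three lines: two read denials on default_t files (the mislabeled docroot), one getattr on the same type, and one name_bind on unreserved_port_t, each with the matching hint. The hints are a starting point only; confirm with audit2why or sealert before changing anything.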

Real-World Example

Problem: Apache (httpd) cannot read files in /custom/html, even though permissions are correct.

Solution:

Check SELinux context:
ls -Z /custom/html

Files under a path the policy has no rule for come back as default_t, and the audit log shows httpd_t being denied read on a default_t file.

Set the correct type persistently, then apply it (a bare chcon would only last until the next restorecon or relabel, which is exactly what the second command runs):
sudo semanage fcontext -a -t httpd_sys_content_t "/custom/html(/.*)?"
sudo restorecon -Rv /custom/html

If using a custom port like 8080:
sudo semanage port -a -t http_port_t -p tcp 8080

(Use -m instead of -a if semanage reports the port as already defined.)

Without the right labels and port mapping, SELinux blocks Apache and records an AVC denial in /var/log/audit/audit.log, no matter what the file permissions say.

Try It Yourself

Check mode
getenforce

List contexts of web files
ls -Z /var/www/html

Modify context (a temporary change)
sudo chcon -t httpd_sys_rw_content_t /var/www/html/myfile

Restore defaults (watch restorecon set it back to httpd_sys_content_t)
sudo restorecon -Rv /var/www/html

Explore process contexts
ps -eZ | grep sshd

Why This Matters in the Real World

Organizations trust Red Hat systems for stability and security — and SELinux is a big reason why.

When properly configured:

  • SELinux limits the damage from a compromised service: an exploited web server still cannot read /etc/shadow, user home directories or another service's data, even if it runs as root
  • SELinux isolates services from each other, because each runs in its own domain with its own set of permitted types
  • SELinux logs every denial with the subject, object and permission involved, which is the audit trail compliance frameworks ask for

Learning SELinux early strengthens your Linux expertise beyond basic user-level knowledge.
