
SELinux tutorial: Commands and management

Learn some key commands in SELinux and some user and port management tools to get SELinux running on your Linux servers for a more secure environment.

When considering using SELinux on your servers, it helps to know some basic commands and management tools. Here, in part three of this SELinux tutorial, commands are provided to help you secure your Linux servers.




Key SELinux commands

chcon: labels a file or set of files with a specified security context. A chcon change is not recorded in the policy's file context database, so a later relabel (fixfiles or restorecon) reverts it; persistent changes belong in the file context rules managed with semanage fcontext.

checkpolicy: compiles policy sources into a binary policy file. It is generally not called directly but invoked by the policy's Makefile.

newrole: switches to another role, for example newrole -r sysadm_r to transition to the sysadm_r role for system administration tasks. The transition only succeeds if the current SELinux user is authorized for the target role; in the targeted policy most logins run unconfined and rarely need it.

sestatus: displays the current status of SELinux: the mode (enforcing, permissive or disabled), the loaded policy name and version, and, with sestatus -b, the value of every policy boolean.

getsebool: displays SELinux boolean conditions (getsebool -a lists them all).

setsebool: sets SELinux boolean conditions; without -P the change is lost at the next reboot.

fixfiles: relabels the entire filesystem according to the file contexts of the current policy, or relabels an installed application's files based on the file list in its rpm package (fixfiles -R package).


Besides these SELinux-specific commands, several standard Linux commands gain a -Z option when SELinux is enabled: ls -Z and ps -Z print the security context of files and processes, cp accepts context-related options (-Z and --preserve=context, whose exact meaning depends on the coreutils version) because a plain copy otherwise receives the default context of the destination directory, and id -Z prints the user's security context along with the usual uid and gid attributes. mv keeps the original label of the file it moves, so a file moved into a directory with a different default context may need to be relabeled afterwards.
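The following shell script is an added example, not code from the original article: it reads ls -Z output, reports every file whose SELinux type differs from an expected type, and prints the chcon command for a one-off fix together with the persistent form (a semanage fcontext rule followed by restorecon), which is what survives a later fixfiles relabel. The directory /srv/www, the expected type httpd_sys_content_t and the ls -Z lines in SAMPLE_LS_Z are constructed for the example.

```bash
#!/bin/sh
# Added example: find files whose SELinux type does not match the expected one,
# from "ls -Z" output, and print the commands that fix them.
# SAMPLE_LS_Z is constructed output of "ls -Z" for a hypothetical /srv/www.

# Print the SELinux type, the third field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Usage: mislabeled <expected_type> < ls_Z_output
# Prints "<file> <actual_type>" for every entry whose type differs.
# The context is the field containing ":object_r:", the name is the last field,
# so this works for both "ls -Z" and "ls -lZ" (but not for names with spaces).
mislabeled() {
    awk -v want="$1" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
            if (ctx == "") next              # not an ls -Z entry, e.g. "total 12"
            split(ctx, c, ":")
            if (c[3] != want) print $NF, c[3]
        }'
}

# Usage: fix_commands <expected_type> <directory> < ls_Z_output
# One chcon per mislabeled file (immediate but lost on relabel), then the
# persistent rule plus restorecon so fixfiles/restorecon keep the label.
fix_commands() {
    mislabeled "$1" | while read -r name actual; do
        printf 'chcon -t %s %s/%s   # was %s (temporary, lost on relabel)\n' \
            "$1" "$2" "$name" "$actual"
    done
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\nrestorecon -Rv %s\n' "$1" "$2" "$2"
}

# Constructed "ls -Z /srv/www" output: one file was copied in from a home
# directory and kept a label that httpd_t cannot read.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 upload.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 images'

run_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | fix_commands httpd_sys_content_t /srv/www
}

run_sample
```

On a real system replace the constructed listing with `ls -Z /srv/www | fix_commands httpd_sys_content_t /srv/www`. The chcon line is what the article's chcon description covers; the semanage fcontext and restorecon lines are the form that a later fixfiles relabel will not undo.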

SELinux configuration tricks
Besides security context management for files and individual processes, SELinux has further security features. It is not possible to cover every capability of SELinux and the underlying Flask security model in one article, but the key ones are highlighted here.

Port management: SELinux controls which network ports a confined domain may bind to or connect to. The policy already labels the standard port of each application (for example tcp/22 is ssh_port_t for sshd), so the defaults work out of the box, but if you move a service to a non-default port you must also label that port, otherwise the daemon is denied when it tries to bind to it.

To get the full list of ports managed by the policy, with their types:

# semanage port -l

To let sshd listen on port 24 instead of 22, label tcp/24 with the ssh port type:

# semanage port -a -t ssh_port_t -p tcp 24

semanage port -a fails with an "already defined" error if another type already owns that exact port; in that case semanage port -m reassigns it, and semanage port -d removes a local entry again. Then change the Port directive in /etc/ssh/sshd_config and restart the ssh related services.
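As an added example (not part of the original article), the following script works out from a semanage port -l listing whether a port is free, already owned by the wanted type, or owned by another type, and prints the matching semanage port -a or -m command, so the "already defined" failure of -a is avoided. The listing in SAMPLE_PORT_LIST is constructed for the example; port 24 is the one the article uses.

```bash
#!/bin/sh
# Added example: choose between "semanage port -a" and "semanage port -m"
# from the current "semanage port -l" listing. SAMPLE_PORT_LIST is a constructed
# excerpt in the format semanage prints: type, protocol, comma-separated ports.

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
ephemeral_port_t               tcp      32768-61000'

# Usage: port_type <proto> <port> < listing
# Prints the type that defines exactly <proto>/<port>, or nothing.
# A range such as 32768-61000 is skipped: semanage keys its entries on the
# exact (low, high) pair, so a single port inside a range is still undefined
# and must be added with -a, not modified with -m.
port_type() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                if (p ~ /-/) continue
                if (p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# Usage: port_label_cmd <type> <proto> <port> < listing
# Prints the semanage command needed to give <proto>/<port> the label <type>.
port_label_cmd() {
    want="$1"; proto="$2"; port="$3"
    have="$(port_type "$proto" "$port")"
    if [ -z "$have" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
    elif [ "$have" = "$want" ]; then
        printf '# %s/%s is already labeled %s; nothing to do\n' "$proto" "$port" "$want"
    else
        # "-a" would fail with "Port ... already defined": modify the entry instead
        printf 'semanage port -m -t %s -p %s %s\n' "$want" "$proto" "$port"
    fi
}

# The article's case: move sshd to tcp/24.
printf '%s\n' "$SAMPLE_PORT_LIST" | port_label_cmd ssh_port_t tcp 24
```

On a real host feed the live listing instead: `semanage port -l | port_label_cmd ssh_port_t tcp 24`. After running the printed command, set `Port 24` in /etc/ssh/sshd_config, restart sshd, and confirm with `semanage port -l | grep ssh_port_t` that both 22 and 24 are listed.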

User management: SELinux users and roles let you make a server "really hard to break", and they are an important part of any SELinux policy. In the targeted policy (the default), however, every domain runs in a single role, and type enforcement (TE) alone separates the confined daemons from the rest of the system.

So, in the targeted policy, processes and objects always appear as system_u and the default Linux users as user_u, as the screenshot in the original article (not reproduced here) showed. Later releases of the targeted policy map unlisted logins to unconfined_u instead; semanage login -l shows the mapping in use on your system.

In the strict policy, by contrast, some system accounts run under the generic, unprivileged user_u identity, while other accounts have their own identities in the policy database, each limited to the roles the policy grants them.

Customized policy modules: Sometimes the built-in SELinux policy and its boolean conditions are not sufficient. In that situation you can use the audit2allow command to build your own SELinux policy module from the denials recorded in the audit log. For example, if denials for the ftp daemon (domain ftpd_t) are logged, the following generates a module named ftplocal, producing the source ftplocal.te and the compiled package ftplocal.pp:

# grep ftpd_t /var/log/audit/audit.log | audit2allow -M ftplocal

Read ftplocal.te before going further: audit2allow allows exactly what was denied, including access that may have been denied for good reason, and a denial is often already covered by an existing boolean or by relabeling the files involved. If the rules are acceptable, the compiled package is loaded into the running targeted policy with:

# semodule -i ftplocal.pp

SELinux has been ignored by many administrators for lack of documentation and skills, but permissive mode with the default targeted policy is a safe starting point for any Linux administrator: the policy is loaded and every denial is logged as an AVC message in the audit log, but nothing is blocked. If you are ready to test it, run permissive for a few days, watch the audit log for recurring denials, resolve them (by relabeling, a boolean, a port label or a custom module), and switch to enforcing mode once the log stays clean.

It is also worth noting that if you are running specific databases or applications (such as MySQL or Oracle), you should consult their version-specific documentation for SELinux related instructions before enforcing SELinux policies on your server.

ABOUT THE AUTHOR: Khurram Shiraz is Technical Consultant at GBM Kuwait. He has worked with high availability technologies and monitoring products such as HACMP, RHEL Clusters and ITM, and implemented IBM and EMC SAN/NAS storage. He also designs and implements high availability, parallel computing and DR solutions based on IBM pSeries, Linux and Windows infrastructure.

1 comment

newrole is on the list twice