
SELinux Cheatsheet

This cheatsheet has been written, go figure, with RHEL and Fedora in mind. It should apply to other distributions as well, I just haven't tested it on anything else yet. Aside from the packages required, everything else should be identical.

SETUP

REQUIRED PACKAGES

Run yum info PACKAGENAME for more details, as not all of these packages may be useful to you.

    sudo yum install setroubleshoot \
            setroubleshoot-plugins \
            setroubleshoot-server \
            policycoreutils \
            setools setools-gui \
            setools-console \
            mcstrans

USING SELINUX

CHECKING & SETTING SELINUX STATUS

  • Get SELinux status

    sudo sestatus
    
  • Get enforcing status

    sudo getenforce
    
  • Set SELinux to enforcing

    sudo setenforce 1
    
  • Set SELinux to permissive

    sudo setenforce 0
    

LABELLING

  • Check a file's current label against its default label

    sudo matchpathcon -V /path/to/file(s)
    
  • Reset context / Reset context Recursively

    sudo restorecon -v /path/to/file(s)
    sudo restorecon -R -v /path/to/file(s)
    
  • MORE TO COME!

AUDIT TOOLS

  • Launch SETroubleshoot Browser

    sudo sealert -b
    
  • View AVC denials from log via sealert

    sudo sealert -a /var/log/audit/audit.log
    
  • View AVC denials from log via ausearch

    sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i
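
When the log holds many denials, it helps to group them by source type, target type, object class and permission before reading individual records. The script below is an added example, not part of the original cheatsheet; the function names summarize_avc and sample_avc_log and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: group AVC denials from raw audit records by
# source type, target type, object class and permission set.

# Constructed sample records (not taken from a real system).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000005.220:502): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.730:503): avc:  denied  { read } for  pid=2107 comm="httpd" name="about.html" dev="dm-0" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# summarize_avc [FILE...]: read raw audit records (stdin if no FILE) and print
# "COUNT SOURCE_TYPE TARGET_TYPE:CLASS { PERMS }", most frequent first.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inside = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inside = 1; continue }
            if ($i == "}") { inside = 0; continue }
            if (inside) { perms = perms (perms == "" ? "" : ",") $i; continue }
            # A context is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Skip records that lack any of the three fields.
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Demo on the constructed records. On a live system:
#   sudo ausearch -m AVC --raw | summarize_avc
sample_avc_log | summarize_avc
```

A tuple with a high count usually points at one mislabelled path or one missing boolean, which is where matchpathcon -V and restorecon from the LABELLING section come in.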
    

FURTHER READING & REFERENCES