selinux cheat sheet

To list all sebooleans currently on (allowed)

getsebool -a | grep 'on$'

To list all sebooleans currently off (disallowed)

getsebool -a | grep 'off$'

To list all current booleans with their descriptions

semanage boolean -l

List your default port info with

semanage port -l

If you change the port a service listens on, you have to tell SELinux about that change,
e.g. semanage port -a -t ssh_port_t -p tcp PORTNUMBER (replace PORTNUMBER with the new port)

Temporarily switch between permissive and enforcing (this reverts to the configured default on reboot):

setenforce 0 (permissive)

setenforce 1 (enforcing)

sestatus shows your current status (mode and loaded policy)

To set the mode permanently, edit your /etc/selinux/config file.

Copy a security context from 1 file or directory to another with

chcon [OPTION]... --reference=RFILE FILE...

e.g. chcon -R --reference=/default/web/dir /other/web/dir (recursively copies the security context from the default web dir to the new web dir.)

Change the label of /other/web/dir, recursively, to the httpd_sys_content_t type in order to grant Apache read-only access to that directory and its contents:

semanage fcontext -a -t httpd_sys_content_t "/other/web/dir(/.*)?"

Apply the new file context rule with

restorecon -R -v /other/web/dir

List the current security context of files and directories with ls -Z

Turn booleans on or off with setsebool,

e.g. setsebool -P allow_ftpd_anon_write=1 (use =0 to turn it off; -P makes the change persistent across reboots)

Get a report on all selinux denials with

aureport -a

Get a report on current selinux denials with recommendations.

sealert -a /var/log/audit/audit.log (for this I think you need setroubleshoot installed.)
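As an added example (not part of this cheat sheet), a shell function that reads audit.log lines and tallies AVC denials by source type, target type, object class and permission, which is what you look at before deciding whether a boolean, a port mapping or a file context is the right fix. The audit lines in AVC_SAMPLE are constructed samples, not real log data.

```shell
#!/usr/bin/env bash
# Added example: triage AVC denials from an audit log without sealert.
set -eu

# Constructed sample lines standing in for /var/log/audit/audit.log.
AVC_SAMPLE='type=AVC msg=audit(1364481363.243:24): avc:  denied  { read } for  pid=2437 comm="httpd" path="/other/web/dir/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1364481370.001:25): avc:  denied  { getattr } for  pid=2437 comm="httpd" path="/other/web/dir" dev="dm-0" ino=12340 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1364481400.512:26): avc:  denied  { name_bind } for  pid=1200 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1364481400.600:27): avc:  denied  { read } for  pid=2437 comm="httpd" path="/other/web/dir/about.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Summarise denials read from stdin: one line per
# (source type, target type, class, permission), most frequent first.
# Output format: "COUNT SRC_TYPE TGT_TYPE TCLASS PERM"
summarize_avc() {
  awk '
    /avc: *denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # Permission set looks like "{ read }" or "{ read write }"
      if (match($0, /[{] [^}]+ [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # Type is the third field of user:role:type:level
        if (kv[1] == "scontext")      { split(kv[2], p, ":"); src = p[3] }
        else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
        else if (kv[1] == "tclass")   { cls = kv[2] }
      }
      count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Number of distinct denial patterns in the constructed sample.
sample_pattern_count() {
  printf '%s\n' "$AVC_SAMPLE" | summarize_avc | wc -l | tr -d ' '
}

# Most frequent denial pattern in the constructed sample.
sample_top_pattern() {
  printf '%s\n' "$AVC_SAMPLE" | summarize_avc | head -n 1
}

# Real use (as root): summarize_avc < /var/log/audit/audit.log
```

In the sample, the httpd_t -> default_t denials point at the mislabelled web directory that the semanage fcontext / restorecon commands above fix, while the sshd_t -> unreserved_port_t name_bind denial is the case for semanage port.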

From the manpage

setsebool - set SELinux boolean value
setsebool [ -PNV ] boolean value | bool1=val1 bool2=val2 ...
setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed.
If the -P option is given, all pending values are written to the policy file on disk. So they will be persistent across reboots.
If the -N option is given, the policy on disk is not reloaded into the kernel.
If the -V option is given, verbose error messages will be printed from semanage libraries.