To list all sebooleans currently on (allowed)
getsebool -a | grep 'on$'
To list all sebooleans currently off (disallowed)
getsebool -a | grep 'off$'
To list all current booleans with their descriptions
semanage boolean -l
List your default port info with
semanage port -l
If you want to change a port on a SELinux system, you have to tell selinux about this change.
e.g. semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Temporarily switch between permissive and enforcing (it will revert to the default on a reboot.)
setenforce 0 (permissive)
setenforce 1 (enforcing)
sestatus will give you your current status
To set the level permanently edit your /etc/selinux/config file.
Copy a security context from 1 file or directory to another with
chcon [OPTION]... --reference=RFILE FILE...
e.g. chcon -R --reference=/default/web/dir /other/web/dir (will recursively copy the security context from the default web dir to the new web dir.)
change the label of /other/web/dir, recursively, to the httpd_sys_content_t type in order to grant Apache read-only access to that directory and its contents:
semanage fcontext -a -t httpd_sys_content_t "/other/web/dir(/.*)?"
Apply the selinux policy created with
restorecon -R -v /other/web/dir
List current security on files and dirs with ls -Z
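The labeling steps above (semanage fcontext, then restorecon) only take effect on files whose on-disk context actually matches the new rule, and ls -Z is how you check. The added example below, which is not part of the original notes, builds the "/dir(/.*)?" pattern semanage fcontext expects and flags files in ls -Z style output whose type component is not httpd_sys_content_t (candidates for restorecon); the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original notes.
# A context looks like user:role:type:level, e.g. unconfined_u:object_r:httpd_sys_content_t:s0.
# Apache's access depends on the third field, the type, which is what restorecon fixes.

# Turn a directory path into the pattern semanage fcontext uses:
# /other/web/dir  ->  /other/web/dir(/.*)?
fcontext_pattern() {
  printf '%s(/.*)?\n' "${1%/}"
}

# Extract the type field (3rd colon-separated component) of a context string.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Read "CONTEXT PATH" lines (the shape of `ls -Z` output) from stdin and
# print each path whose type differs from the expected type.
mislabeled() {
  expected="$1"
  while read -r ctx path; do
    if [ -n "$ctx" ] && [ "$(context_type "$ctx")" != "$expected" ]; then
      printf '%s\n' "$path"
    fi
  done
}

# Constructed sample in the format of `ls -Z /other/web/dir` (not real output).
SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:default_t:s0 upload.php
system_u:object_r:httpd_sys_content_t:s0 css'

echo "fcontext pattern: $(fcontext_pattern /other/web/dir)"
echo "files needing restorecon:"
printf '%s\n' "$SAMPLE" | mislabeled httpd_sys_content_t
```

On a live system, feed it real output with `ls -Z /other/web/dir | mislabeled httpd_sys_content_t`; anything listed is what `restorecon -R -v /other/web/dir` will relabel.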
Turn booleans on or off with
e.g. setsebool -P allow_ftpd_anon_write=1 (or =0 to turn it off)
Get a report on all selinux denials with
Get a report on current selinux denials with recommendations.
sealert -a /var/log/audit/audit.log (for this I think you need setroubleshoot installed.)
From the manpage
setsebool - set SELinux boolean value
setsebool [ -PNV ] boolean value | bool1=val1 bool2=val2 …
setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed.
If the -P option is given, all pending values are written to the policy file on disk, so they will persist across reboots.
If the -N option is given, the policy on disk is not reloaded into the kernel.
If the -V option is given, verbose error messages will be printed from semanage libraries.