Your shopping cart is empty.


Getting SELinux working can be tough. Here are some commands I found useful.

Is SELinux enabled?


Disable SELinux without reboot (and only until the next reboot):

setenforce Permissive

Disable SELinux persistent:

vi /etc/sysconfig/selinux

Show the security context of a file:

ls -lZ

Copy the context from one file to another:

chcon --reference=<source> <destination>

Create a rule from an audit log (contained in /tmp/selinux):

/usr/bin/audit2allow -i /tmp/selinux

Explain an audit log (that appears in dmesg):

/usr/bin/audit2why -d

Reading an audit entry:

Jun 21 16:13:16 soldier kernel: audit(1182456796.114:8413): avc: denied { read } for pid=2692 comm="sendmail" name="[2063705]" dev=eventpollfs ino=2063705 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file

  • scontext is the source security context (what SELinux needs to allow access)
  • tcontext is for target security context (what was actually on the file)
  • tclass is the target security class

Show all SELinux boolean settings:

/usr/sbin/getsebool -a

Set an SELinux boolean (permanently):

/usr/sbin/setsebool -P spamassassin_can_network=1

To relabel based on an RPM's directions:

fixfiles -R mailman restore

To relabel the entire filesystem:

fixfiles relabel