SELinux Commands

SELinux security context management, booleans, and policy commands.

Status & Mode

getenforce

Show current SELinux mode

sestatus

Show detailed SELinux status

sestatus -v

Show verbose SELinux status

cat /etc/selinux/config

View SELinux configuration

sudo setenforce 1

Set SELinux to enforcing mode (runtime only; the persistent setting lives in /etc/selinux/config)

sudo setenforce 0

Set SELinux to permissive mode (runtime only; denials are logged but not blocked)

sudo setenforce Enforcing

Same as setenforce 1 (mode names are accepted as well as 0/1)

sudo setenforce Permissive

Same as setenforce 0

File Contexts

ls -Z /path/to/file

Show SELinux context of file

ls -laZ /path/to/dir

Show contexts of directory contents

sudo chcon -t httpd_sys_content_t /var/www/html/file

Change the file's type context (not persistent; a later restorecon or relabel reverts it)

sudo chcon -R -t httpd_sys_content_t /var/www/html/

Recursively change the type context (not persistent)

sudo chcon --reference=/var/www/html /path/to/file

Copy context from reference

sudo restorecon -v /path/to/file

Restore the file's context to what the policy's file context mappings specify

sudo restorecon -Rv /path/to/dir

Recursively restore contexts

matchpathcon /path/to/file

Show the context the policy expects for a path (compare with ls -Z to spot mislabeling)

Policy Management

sudo semanage fcontext -l

List all file context mappings

sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

Add a persistent file context rule (run restorecon on the path afterwards to apply it)

sudo semanage fcontext -d "/web(/.*)?"

Delete file context rule

sudo semanage fcontext -m -t httpd_sys_rw_content_t "/web(/.*)?"

Modify file context rule

sudo semanage permissive -a httpd_t

Make a single domain permissive (its denials are logged but not enforced; the rest of the system stays enforcing)

sudo semanage permissive -d httpd_t

Remove domain from permissive

sudo semanage permissive -l

List permissive domains

Boolean Management

getsebool -a

List all SELinux booleans

getsebool httpd_can_network_connect

Get specific boolean value

sudo setsebool httpd_can_network_connect on

Enable boolean (runtime only; lost on reboot)

sudo setsebool -P httpd_can_network_connect on

Enable boolean (persistent; -P writes it to the policy store)

sudo setsebool -P httpd_can_network_connect off

Disable boolean (permanent)

semanage boolean -l

List booleans with descriptions

semanage boolean -l | grep httpd

Search for httpd booleans

Port Management

sudo semanage port -l

List all port type definitions

sudo semanage port -l | grep http

Search for http port types

sudo semanage port -a -t http_port_t -p tcp 8080

Add 8080/tcp to the http_port_t type

sudo semanage port -d -t http_port_t -p tcp 8080

Remove 8080/tcp from the http_port_t type

sudo semanage port -m -t http_port_t -p tcp 8080

Change the type assigned to an already-defined port (8080/tcp here)

seinfo --portcon=80

Show port context for port 80

Process & Domain

ps auxZ

Show all processes with SELinux context

ps -eZ | grep httpd

Show httpd process context

id -Z

Show current user SELinux context

sudo runcon -t unconfined_t command

Run a command under the given type (the policy must allow the transition)

sudo semanage login -l

List login mappings

sudo semanage user -l

List SELinux users

Troubleshooting

sudo ausearch -m avc -ts recent

Search recent AVC denials

sudo ausearch -m avc -ts today

Search today's AVC denials

sudo ausearch -m avc -c httpd

Search denials for httpd

sudo audit2why < /var/log/audit/audit.log

Explain why the denials in the audit log occurred (audit2why reads audit records on stdin)

sudo sealert -a /var/log/audit/audit.log

Analyze the audit log with setroubleshoot's sealert (-a prints the report to the terminal)

sudo cat /var/log/audit/audit.log | audit2allow -m mymodule

Print policy module source (.te) that would allow the logged denials (review the rules before building and installing)

sudo grep "denied" /var/log/audit/audit.log

Find denied operations

journalctl -t setroubleshoot

View setroubleshoot journal

Module Management

sudo semodule -l

List installed policy modules

sudo semodule -i mymodule.pp

Install policy module

sudo semodule -r mymodule

Remove policy module

sudo semodule -B

Rebuild and reload policy

sudo semodule -d mymodule

Disable policy module

sudo semodule -e mymodule

Enable policy module

checkmodule -M -m -o mymodule.mod mymodule.te

Compile type enforcement

semodule_package -o mymodule.pp -m mymodule.mod

Create policy package

Policy Generation

sudo audit2allow -a -M mymodule

Generate a module (.te and .pp) from all denials in the audit log

sudo audit2allow -i /var/log/audit/audit.log -M mymodule

Generate from audit log

sudo ausearch -m avc | audit2allow -M mymodule

Generate from the AVC records ausearch selects (add -ts recent to limit the time window)

sudo semodule -i mymodule.pp

Install generated module

audit2allow -w -a

Show why denials occurred (same output as audit2why)

audit2allow -R -a

Generate rules using reference policy interface calls instead of raw allow rules

Network & Services

sudo semanage port -l | grep ssh

Check SSH port label

sudo setsebool -P httpd_can_network_connect_db on

Allow httpd to connect to DB

sudo setsebool -P httpd_can_sendmail on

Allow httpd to send mail

sudo setsebool -P httpd_use_nfs on

Allow httpd to use NFS

sudo setsebool -P allow_ftpd_full_access on

Allow FTP full access

sudo setsebool -P samba_enable_home_dirs on

Allow Samba home dirs

Configuration Files

sudo nano /etc/selinux/config

Edit the persistent SELinux config (mode and policy type changes take effect on reboot)

ls /etc/selinux/

List SELinux config directory

cat /etc/selinux/targeted/contexts/files/file_contexts

View file contexts

ls /var/log/audit/

List audit logs

sudo touch /.autorelabel

Force a full filesystem relabel on next boot

Common Booleans

sudo setsebool -P httpd_can_network_connect 1

Allow httpd outbound network connections

sudo setsebool -P httpd_read_user_content 1

Allow httpd to read user content

sudo setsebool -P named_write_master_zones 1

Allow named zone writes

sudo setsebool -P mysql_connect_any 1

Allow MySQL to connect to any port

sudo setsebool -P virt_use_nfs 1

Allow virtual machines to use NFS-backed storage

sudo setsebool -P container_manage_cgroup 1

Allow containers to manage cgroup configuration