
SELinux in Linux

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

It is a project of the United States National Security Agency (NSA) and the SELinux community.

Installing SELinux utilities on Ubuntu

SELinux Options

The options under SELinux are:

  • Enforcing - SELinux is enabled and the policy is enforced. This is the default on CentOS, Red Hat, and Fedora.
  • Permissive - The policy is not enforced; SELinux only logs the activity.
  • Disabled - SELinux is off and does not log activity.

To check the current SELinux mode, run the command:





SELinux Setting

To set SELinux to Permissive/Disabled, run setenforce 0. To enable it again, run setenforce 1.

These settings are temporary and are lost when the system is rebooted.

To make the setting permanent, edit the file /etc/selinux/config and make the changes:



Before changing the SELinux config file, create a snapshot of the VM.

Before rebooting the system, create the file /.autorelabel so that the filesystem is relabeled on the next boot.
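The permanent change above is a one-line edit, but a script that does it should validate the mode, keep a backup and request the relabel in the same step. The following POSIX shell functions are an added example and are not code from the original page; they assume the standard SELINUX= key of /etc/selinux/config and take the config path and the root directory for the /.autorelabel flag as parameters, so the demonstration runs on a constructed copy of the file rather than on the host.

```shell
#!/bin/sh
# Added example, not from the original page: switch the persistent SELinux mode
# by rewriting the SELINUX= line of an /etc/selinux/config-style file. The config
# path and the root directory for the /.autorelabel flag are parameters, so the
# functions can be exercised against a constructed copy without touching the host.

# Print the mode configured in the given file (enforcing, permissive or disabled).
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_mode CONFIG MODE [ROOT]
# Validates MODE, keeps a backup of CONFIG, rewrites the active SELINUX= line
# (commented-out lines are left alone) and creates ROOT/.autorelabel so the
# filesystem is relabeled on the next boot, as the page recommends.
set_selinux_mode() {
    cfg=$1
    mode=$2
    root=${3:-}
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    [ -f "$cfg" ] || { echo "set_selinux_mode: no such file '$cfg'" >&2; return 1; }
    cp "$cfg" "$cfg.bak"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # If the file had no active SELINUX= line at all, append one.
    grep -q '^SELINUX=' "$cfg" || echo "SELINUX=$mode" >> "$cfg"
    : > "$root/.autorelabel"
}

# Demonstration on a constructed config in a temporary directory.
tmp=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/config"
set_selinux_mode "$tmp/config" permissive "$tmp"
echo "configured mode is now: $(selinux_config_mode "$tmp/config")"
rm -rf "$tmp"
```

On a real host the call would be set_selinux_mode /etc/selinux/config permissive with no third argument, which puts the flag at /.autorelabel; the backup left beside the config is what you restore from if the boot after the change misbehaves.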

The main concepts of SELinux are:

  • Labeling - Every file, process and port carries a label made up of four fields: user, role, type and level.
  • Type enforcement - Access decisions are made on the type field of those labels.

To list the label of /usr/sbin/httpd, run the command:

ls -lZ /usr/sbin/httpd


In the output, the label of the file is system_u:object_r:httpd_exec_t:s0, where:

  • user - system_u
  • role - object_r
  • type - httpd_exec_t
  • level - s0

To list the label of a directory /etc/httpd, run the command:

ls -dZ /etc/httpd


To check the label of a process for example: httpd, run the command:

ps axZ | grep httpd


To check the label at the socket level, run the command:

netstat -tnlpZ | grep http


The command to manage SELinux settings is semanage. It can change the following:

  • label
  • login
  • user
  • port
  • interface
  • module
  • node
  • file context
  • boolean
  • permissive state
  • dontaudit


A boolean is a switch with an ON/OFF state. SELinux ships with a set of pre-defined booleans.

For example, whether the FTP server may access users' home directories is controlled by a boolean, and so is whether httpd may talk to LDAP.

To get a list of all booleans, run the command:

getsebool -a

or:

semanage boolean -l

To enable or turn on booleans, run the command:

setsebool -P boolean_name on

For example, to make httpd connect to ftp, turn on the boolean with the command:

setsebool -P httpd_can_connect_ftp on

To check the state of the boolean afterwards, run the command:

getsebool -a | grep httpd_can_connect_ftp
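Grepping one boolean at a time is fine interactively; for a fleet you want the full getsebool -a output compared against a baseline so that a boolean someone switched on with setsebool -P shows up as drift. The script below is an added example, not code from the original page. Its getsebool output is constructed; httpd_can_connect_ftp is the boolean the page uses, while ftp_home_dir, httpd_can_connect_ldap and httpd_enable_homedirs are booleans of the targeted policy that the page does not name.

```shell
#!/bin/sh
# Added example, not from the original page: compare the booleans reported by
# getsebool -a against a baseline and report drift. The getsebool output below is
# constructed; on a real host it would come from: getsebool -a

GETSEBOOL_SAMPLE='ftp_home_dir --> off
httpd_can_connect_ftp --> on
httpd_can_connect_ldap --> off
httpd_enable_homedirs --> off'

# boolean_state OUTPUT NAME: print on/off for NAME, fail if it is not listed.
boolean_state() {
    printf '%s\n' "$1" |
        awk -v name="$2" '$1 == name && $2 == "-->" { print $3; found = 1 }
                          END { exit !found }'
}

# check_booleans OUTPUT "name=state name=state ...": print one line per
# boolean that is missing or differs from the baseline; succeed only if none do.
check_booleans() {
    out=$1
    bad=0
    for entry in $2; do
        name=${entry%%=*}
        want=${entry#*=}
        if ! have=$(boolean_state "$out" "$name"); then
            echo "MISSING  $name"
            bad=1
        elif [ "$have" != "$want" ]; then
            echo "DRIFT    $name is $have, baseline says $want"
            bad=1
        fi
    done
    return $bad
}

# Baseline for a web host that must not reach FTP or user home directories.
BASELINE='ftp_home_dir=off httpd_can_connect_ftp=off httpd_enable_homedirs=off'
if check_booleans "$GETSEBOOL_SAMPLE" "$BASELINE"; then
    echo "booleans match baseline"
else
    echo "booleans deviate from baseline; fix with setsebool -P <name> off"
fi
```

With the constructed sample the script reports httpd_can_connect_ftp as drift, which is exactly the state the page's setsebool -P httpd_can_connect_ftp on command produces; running the check from cron or a configuration-management run turns a silently widened policy into a visible finding.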


To verify the error messages related to SELinux, run the command:


To modify the type in a label, run the command:

chcon -t httpd_sys_content_t FILENAME

A change made with chcon is lost the next time the file is relabeled. To record the type persistently, add a file-context rule with semanage and then apply it with restorecon:

semanage fcontext -a -t httpd_sys_content_t FILENAME
restorecon -v FILENAME

To disable SELinux, open the config file in the editor:

vi /etc/selinux/config

Enter INSERT mode in the editor and add the line:


Save and exit.


Then, reboot the system with the command:


Log in as root again and run the command:



About the Author:

I am Debomita Bhattacharjee, an IT employee with 6+ years of experience in the software industry. My areas of interest are automation testing and front-end development.
