How to use semanage and avoid disabling SELinux

Jack Wallen introduces you to three semanage commands that will help make dealing with SELinux considerably easier.


Image: iStock/iBrave

I get it--SELinux is challenging, and when your applications or services are prevented by the security layer, your first inclination is to set it to either Disabled or Permissive. In a time when security is at a premium, you can't afford to make that change, else you risk the security of your entire system or your network. You don't want that.

Instead of putting everything at risk, why not make use of a tool that can help you out? That tool is semanage, which is the SELinux policy management tool. With semanage, you can adjust file contexts, port contexts and booleans, which will go a long way to help you make things workable, while not disabling the security system.

I want to introduce you to the following commands:

  • semanage boolean

  • semanage fcontext

  • semanage port

Once you know these commands, you should be able to better work with SELinux on your Linux systems.

SEE: Linux service control commands (TechRepublic Premium)

What you'll need

  • A running instance of Linux (that uses SELinux)  
  • A user with sudo privileges

How to use semanage boolean

With semanage boolean, you can enable and disable sets of allow rules, which makes it possible to allow different rule sets for different use cases. For example, say you have a web server that must allow the reading of user content, such as data from their home directories. Out of the box, SELinux isn't going to allow for that. With the semanage boolean command, you can enable that feature.

You can use the semanage boolean command to list out all available HTTP-related policies with the command:

sudo semanage boolean -l | grep httpd

You will see several entries like:

httpd_read_user_content (off , off) Allow httpd to read user content

Each listing includes the name of the boolean, the boolean's current and persistent state and a description of the boolean. As you can see above, the httpd_read_user_content boolean is set to off. How do we enable it? Simple:

sudo semanage boolean -m --on httpd_read_user_content

With the -m option we're instructing SELinux that we're modifying a record (in this case httpd_read_user_context) with the option that follows (--on). 

That's it. You've just made it such that SELinux will allow the reading of user content by the web server.

If you want to list out all booleans to see what more you can do, issue the command:

sudo semanage boolean -l

How to use semanage fcontext

The semanage fcontext command is used to manage file context definitions, which contain additional information (such as SELinux user, role, type and level) to make access control decisions. File context is one of the biggest issues admins face with SELinux. You might have created a new directory to house SSH host keys, but without the correct file context, SELinux won't all SSH access to that directory.

What do you do?

You change the file context of the new directory with semanage fcontext. 

As with boolean, fcontext has policies it can work with. To see a full listing of the available policies issue the command:

sudo semanage fcontext -l

Let's continue with our example. If you want to list all SSH daemon-related policies, issue the command:

sudo semanage fcontext -l | grep sshd

In that listing you'll see the following entries:

/etc/ssh/primes regular file system_u:object_r:sshd_key_t:s0 
/etc/ssh/ssh_host.*_key regular file system_u:object_r:sshd_key_t:s0 
/etc/ssh/ssh_host.*_key\.pub regular file system_u:object_r:sshd_key_t:s0

Let's say you want to house your SSH host keys in /data/keys. You create the directory, move all the keys into the new home and change the sshd_config file to match the new mapping. When you attempt to use SSH, it fails. Why? Because /data/keys doesn't have the proper fcontext. You can fix that with the following two commands:

sudo semanage fcontext -a -t sshd_key_t '/data/keys/*.*'
sudo restorecon -r /data/keys

We have to use the restorecon command to set the security context on the new files--after we've created the new policy with semanage fcontxt. The regular expression *.* catches all files within the directory. 

How to use semanage port

As you probably can guess, semanage port allows you to run a service on a custom port. If you attempt to run a service on a custom port, the service will fail. Let's say you want to run the SSH daemon on a non-standard port. If you simply configure sshd_config for this, you'll find SELinux will block you from gaining access as SELinux isn't aware that you've made this change. 

If you want to change the SSH port to 2112:

semanage port -a -t ssh_port_t -p tcp 2112

You would then have to add the port to the firewall with the commands:

sudo firewall-cmd --add-port=2112/tcp --permanent
sudo firewall-cmd --reload

At this point you could finally SSH into the SELinux-enabled server, using the non-standard port. 

To list all of the available port policies, issue the command:

sudo semanage port -l


SELinux is a very powerful tool, one that does a great job of securing your Linux servers from unwanted changes. With that power comes a certain level of complexity. Instead of disabling SELinux or setting it to Permissive mode, get familiar with the above three commands, which should make your admin life considerably easier.

Subscribe to TechRepublic's How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Also see