SELinux quick reference (RHEL 7)


| Purpose | File/Command | Remarks |
|---|---|---|
| SELinux configuration | or the softlink | |
| Get SELinux state/mode | | enforcing - SELinux security policy is enforced; permissive - SELinux prints warnings instead of enforcing; disabled - No SELinux policy is loaded. |
| View labels (security context) of files | `ls -Z path` | |
| View labels (security context) of processes | `ps -Z` | |
| View labels (security context) of ports | `netstat -Z` | |
| Set SELinux to permissive mode | `setenforce 0` | Change is not persistent; it does not survive a reboot |
| Set SELinux to enforcing mode | `setenforce 1` | Change is not persistent; it does not survive a reboot |
| Show full SELinux status | `sestatus -v` | |
| Set SELinux to a specific mode for a specific label, e.g. set SELinux to permissive for label httpd_t | `semanage permissive -a httpd_t` | -a => add |
| Get all SELinux boolean values | `getsebool -a` | Shows the off or on state of the SELinux settings |
| Set SELinux boolean value for a setting, e.g. ftpd_anon_write | `setsebool -P ftpd_anon_write on` | -P => persistent |
| Trace what boolean changes were made | `/etc/selinux/targeted/modules/active/booleans.local` | |
| Show mapping of Linux user to SELinux user | `semanage login -l` | |
| Show list of SELinux users | `seinfo -u` or `semanage user -l` | |
| Map a Linux user to an SELinux user | `semanage login -a -s staff_u jdoe` | Maps Linux user jdoe to SELinux user staff_u; -a => add; -s => SELinux user |
| Change user security context for a file | `chcon -u selinux_user filename` | `ls -Z filename` to confirm after the change |
| Show process security context | `ps -axZ` | |
| Restore file(s) to their default SELinux security context | `restorecon filepath(s)` | |
| Show what ports are allowed for a process context label, e.g. for httpd | `semanage port -l \| grep http` | |
| Show roles in the domain | `seinfo -adomain -r` | |
| List all types associated with a role | `seinfo -rrole -x`, e.g. `seinfo -rstaff_r -x` | |
| Allow binding to a new port for a particular service, e.g. httpd | `semanage port -a -t http_port_t -p tcp 2222` | |
| Override the policy for an existing port | `semanage port -m -t unreserved_port_t -p tcp 2222` | |
| List all ports | `semanage port -l` | |
| List port numbers of a specific port type, like http | `semanage port -l \| grep -w http_port_t` | |
| Find port names for a specific port number | `semanage port -l \| grep 53` | |
| Delete a port | `semanage port -d -t unreserved_port_t -p tcp 2222` | |
| Delete a range of ports | `semanage port -d -t http_port_t -p tcp 2223-2225` | |

Q. What are the components of an SELinux security context?


  1. SELinux user
  2. SELinux role
  3. Type
  4. Sensitivity / category


SELinux user : unconfined_u
SELinux role : object_r
Type : default_t
Sensitivity : s0
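
As an added example (not part of the original page), the shell functions below split a context such as `unconfined_u:object_r:default_t:s0` into the four components listed above and pick out files of a given type from `ls -Z` output. It goes one step beyond the `s0` case shown here by handling levels that carry categories and therefore contain a colon of their own; the function names `ctx_field` and `files_with_type` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the page.

# Print one component of a context: user, role, type or level.
# Only the first three ':' separate fields, because the level itself
# may contain ':' (sensitivity:categories, e.g. s0:c123,c456).
ctx_field() {  # usage: ctx_field CONTEXT user|role|type|level
    case $1 in
        *:*:*:*) ;;          # need at least user:role:type:level
        *) return 1 ;;       # e.g. "?" shown for an unlabeled object
    esac
    c_user=${1%%:*};      c_rest=${1#*:}
    c_role=${c_rest%%:*}; c_rest=${c_rest#*:}
    c_type=${c_rest%%:*}; c_level=${c_rest#*:}
    case $2 in
        user)  printf '%s\n' "$c_user" ;;
        role)  printf '%s\n' "$c_role" ;;
        type)  printf '%s\n' "$c_type" ;;
        level) printf '%s\n' "$c_level" ;;
        *)     return 2 ;;
    esac
}

# Read `ls -Z` output on stdin and print the names of files whose type is $1.
# The context is taken to be the first column with four or more ':' parts,
# which fits both "mode owner group context name" and "context name" layouts.
files_with_type() {
    awk -v want="$1" '{
        for (i = 1; i < NF; i++) {
            if (split($i, p, ":") < 4) continue
            if (p[3] == want) {
                name = $(i + 1)
                for (j = i + 2; j <= NF; j++) name = name " " $j
                print name
            }
            break
        }
    }'
}

# Constructed sample in the RHEL 7 `ls -Z` layout.
SAMPLE='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 upload.tmp
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c123,c456 vm disk.img'

printf '%s\n' "$SAMPLE" | files_with_type default_t   # prints: upload.tmp
```

Files reported for an unexpected type can then be compared against policy and reset with `restorecon` as listed in the table.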