How to Configure SELinux on Fedora 39

To configure SELinux on Fedora 39, follow these steps:

Step 1 : By default, SELinux is enabled. Verify its status using the following command:

getenforce

Step 2 : Obtain detailed SELinux status information with the following command:

sestatus

Step 3 : Understand SELinux Modes - Enforcing, Permissive, Disabled:

- Enforcing: SELinux actively denies actions that violate the security policy.

- Permissive: SELinux logs actions that would be denied in enforcing mode but allows them to occur.

- Disabled: SELinux is completely turned off, and no policy is enforced.

Step 4 : Disable SELinux if not needed for any specific reason:

- Temporarily disable SELinux (valid until the next system reboot):

setenforce 0

- Permanently disable SELinux (requires a system reboot): Edit the /etc/selinux/config file and set SELINUX=disabled.

- If permanently disabling SELinux, reboot the system for changes to take effect:

reboot

Step 5 : Check the current SELinux status:

getenforce

Basic SELinux Configuration

Step 6 : Install Apache as an example:

sudo dnf install httpd

Step 7 : Edit the Apache configuration file.

sudo nano /etc/httpd/conf/httpd.conf

Add the line:

Listen 8001

Step 8 : Configure Apache with a different port and root folder:

- Create a configuration file for the new site (e.g., /etc/httpd/conf.d/example.conf):

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com


    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Step 9 : Create a folder and an index file:

mkdir /home/example.com
echo "<h2>example.com</h2>" > /home/example.com/index.html

Step 10 : Set appropriate permissions:

sudo chown -R apache:apache /home/example.com
sudo chmod -R 755 /home/example.com

Step 11 : Open the required port in the firewall if necessary:

sudo firewall-cmd --add-port=8001/tcp --permanent
sudo firewall-cmd --reload

Step 12 : List SELinux ports:

semanage port -l

Step 13 : Filter SELinux port information:

semanage port -l | grep -w http_port_t

Step 14 : Allow Apache to use the new port:

semanage port -a -t http_port_t -p tcp 8001

Step 15 : Verify the updated port configuration:

semanage port -l | grep -w http_port_t

Step 16 : Use matchpathcon to compare the new directory with the default Apache directory:

matchpathcon /var/www/html /home/example.com

Step 17 : Match SELinux contexts for the new directory:

sudo semanage fcontext -a -t httpd_sys_content_t "/home/example.com(/.*)?"

Step 18 : Run restorecon to Apply Label Changes

restorecon -R -v /home/example.com/

Step 19 : Test and restart Apache.

sudo apachectl configtest
sudo systemctl restart httpd

Step 20 : Visit your domain at port 8001 and verify the results.

You have successfully configured SELinux on Fedora 39

DevOps

Database

Other

How to Configure SELinux on Fedora 39

Basic SELinux Configuration