The blessing and the curse that is SELinux. Stop turning it off.
Get the right tools
yum install setroubleshoot-server selinux-policy-devel
Checking the current mode
getenforce
Edit /etc/sysconfig/selinux to switch modes (enabled or disabled).
Switching modes requires a reboot.
setenforce 0
Set to permissive
setenforce 1
Set to enforcing
Context labels
- user
- role
- type
Finding issues:
SELinux logs to /var/log/audit/audit.log and /var/log/messages
grep AVC /var/log/audit/audit.log
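An added example (not part of the original notes) that goes one step beyond grep AVC: it groups denials by the type part of the source and target context labels, the object class and the permission, and marks whether each denial was blocked or only logged. The sample records and the avc_summary function name are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample audit records (not from a real host).
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000007.220:502): avc:  denied  { read } for  pid=2101 comm="httpd" name="about.html" dev="dm-0" ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000031.874:510): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# avc_summary (hypothetical helper): read audit records on stdin and print
# one line per distinct denial:
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMS blocked|logged-only
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        src = ""; tgt = ""; cls = ""; perms = ""; mode = "blocked"; inperm = 0
        for (i = 1; i <= NF; i++) {
            # Requested permissions sit between "{" and "}".
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
            # A context is user:role:type[:level]; keep the type (3rd part).
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            # permissive=1: the access was allowed and only logged.
            if ($i == "permissive=1") { mode = "logged-only" }
        }
        count[src " " tgt " " cls " " perms " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Run against the constructed sample.
printf "%s\n" "$SAMPLE_LOG" | avc_summary
```

On a real host, feed it the log directly with avc_summary < /var/log/audit/audit.log (reading that file requires root).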
Use semanage to change context labels.
Many commands show SELinux context labels with the -Z option.
man semanage-fcontext has useful examples.
Booleans
A boolean is an on/off-switch for a specific functionality.
Use getsebool -a for an overview.
Use setsebool [-P] to change booleans.
Use touch /.autorelabel to apply default context to all files and directories.
Use restorecon -R to apply default context to files and directories.