How to Configure SELinux on AlmaLinux 9

SELinux (Security-Enhanced Linux) adds an extra layer of security to your system by enforcing mandatory access controls.

To configure SELinux on AlmaLinux 9, use the following steps:

Step 1: Check SELinux Status

By default, SELinux is enabled on AlmaLinux. To confirm its status, run:

getenforce

Step 2: Display Detailed SELinux Information

For a more comprehensive view of SELinux settings, use:

sestatus

Step 3: Understand SELinux Modes

SELinux operates in three modes:

Enforcing: Strict policy enforcement.
Permissive: Logs policy violations but does not enforce them.
Disabled: SELinux is turned off.

Step 4: Disable SELinux

If you need to disable SELinux for any reason, follow these steps.

Temporarily Disable SELinux

sudo setenforce 0

Permanently Disable SELinux

Edit /etc/selinux/config and set:

SELINUX=disabled

Reboot the System

After disabling SELinux permanently, reboot your system for the changes to take effect.

Step 5: Verify SELinux Status

Ensure that SELinux is properly configured by checking its status again:

sestatus

Step 6: Example Setup with Apache

As a practical example, we will configure Apache to listen on port 8001 and host a website in a custom directory.

Install the Apache

sudo dnf install httpd -y

Update Apache Configuration

Edit /etc/httpd/conf/httpd.conf and add:

Listen 8001

Create a Custom Virtual Host

Create a new Apache configuration file:

 sudo nano /etc/httpd/conf.d/example.com.conf

Add the following content:

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com

    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Prepare the Web Root

Create the document root and set proper permissions:

mkdir /home/example.com
echo "Hello, SELinux!" > /home/example.com/index.html
chmod -R 755 /home/example.com

Open Firewall for the New Port

If the firewall is active, allow traffic on port 8001:

sudo firewall-cmd --permanent --add-port=8001/tcp
sudo firewall-cmd --reload

Install Required SELinux Utilities

Ensure you have the necessary tools for SELinux management:

sudo dnf install policycoreutils-python-utils -y

Manage SELinux Port Definitions

Check the current SELinux port settings:

semanage port -l | grep http_port_t

Add a Custom Port Definition

If the port is not allowed, run:

sudo semanage port -a -t http_port_t -p tcp 8001

Verify the New Port Definition

Check if the port has been added successfully:

semanage port -l | grep 8001

Restart Apache

Apply the changes and restart Apache:

systemctl restart httpd

Adjust SELinux Context for the Custom Directory

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/home/example.com(/.*)?"
sudo restorecon -R /home/example.com

Step 7: Access Your Website

You can now access your Apache server at:

http://your-domain:8001

If everything is set up correctly, you should see "Hello, SELinux!"

Conclusion

By following these steps, you can configure and optimize SELinux for enhanced security on AlmaLinux 9.

Ubuntu

Fedora

CentOS

Debian

Rocky Linux

DevOps

Database

Other

How to Configure SELinux on AlmaLinux 9