How to Configure SELinux on CentOS Stream 10

To configure SELinux on CentOS Stream 10, you need to understand its current state, modes, and how to modify settings based on your requirements. This guide provides step-by-step instructions for managing SELinux, with an example of configuring Apache to work with custom settings under SELinux.

Step 1 : By default, SELinux is enabled on CentOS Stream 10. To check its current status, run:

getenforce

The output will show the current SELinux mode: Enforcing, Permissive, or Disabled.

Step 2 : For more details about the SELinux configuration, execute:

sestatus

This command provides information about the current mode, policy version, and active contexts.

Step 3 : Understand SELinux Modes

SELinux operates in three modes:

- Enforcing: SELinux policies are actively enforced. Unauthorized actions are denied.

- Permissive: Policies are not enforced but violations are logged. Useful for debugging.

- Disabled: SELinux is turned off entirely.

Step 4 : If SELinux is not required for your use case, you can disable it temporarily or permanently.

- To disable SELinux temporarily (until the next reboot), run:

sudo setenforce 0

Verify the mode using getenforce. It should now display Permissive.

- Permanently Disable SELinux

Edit the SELinux configuration file:

sudo nano /etc/selinux/config

Find the SELINUX= line and change its value to disabled:

SELINUX=disabled

For the changes to take effect, reboot the system:

sudo reboot

Step 5 : After making changes, verify the status to ensure it reflects your intended configuration:

sestatus

Step 6 : Basic SELinux Configuration Example. To demonstrate SELinux functionality, we'll configure Apache with a custom port and document root.

- Install the Apache web server:

sudo dnf install httpd -y

- Edit the Apache configuration file:

sudo nano /etc/httpd/conf/httpd.conf

- Add the following line to listen on port 8001:

Listen 8001

- Create a new configuration file for Apache and set a custom root folder, e.g., /home/example.com:

sudo nano /etc/httpd/conf.d/example.com.conf

- Add the following configuration:

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com

    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

- Create the Folder and an Index File

sudo mkdir -p /home/example.com
echo "Welcome to SELinux!" | sudo tee /home/example.com/index.html
sudo chmod -R 755 /home/example.com

- Test the Apache configuration:

sudo apachectl configtest

- If the firewall is enabled, open port 8001:

sudo firewall-cmd --permanent --add-port=8001/tcp
sudo firewall-cmd --reload

- Install SELinux management utilities:

sudo dnf install policycoreutils-python-utils -y

- Check the current SELinux ports:

sudo semanage port -l | grep -w http_port_t

Add the new port 8001 to SELinux:

sudo semanage port -a -t http_port_t -p tcp 8001

Verify the addition:

sudo semanage port -l | grep -w http_port_t

- Restart Apache:

sudo systemctl restart httpd

- Match SELinux contexts:

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/home/example.com(/.*)?"
sudo restorecon -R /home/example.com

Visit http://<your-domain>:8001 in your browser to confirm the setup.

You've successfully configured SELinux on CentOS Stream 10 and tested its functionality with Apache.