How to Configure SELinux on CentOS Stream 9

To configure SELinux on CentOS Stream 9, follow the steps below.

Step 1 : SELinux is enabled by default. Check the current status using the command:

getenforce

Step 2 : Display SELinux status details:

sestatus

Step 3 : SELinux Modes:

  • Enforcing: Enforces access controls and denies policy violations.
  • Permissive: Logs policy violations but allows them to occur.
  • Disabled: SELinux is turned off.

Step 4 : Disable SELinux:

- Disable temporarily (switches to permissive mode until the next reboot):

setenforce 0

- Disable permanently:

Edit /etc/selinux/config and set SELINUX=disabled.

- A permanent change takes effect only after the system is rebooted.

Step 5 : Check the status again:

getenforce
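getenforce reports the running mode, while /etc/selinux/config holds the mode that applies at the next boot; the two differ after a setenforce 0 or after editing the file. The script below, an added example that is not part of the original tutorial, parses the SELINUX= key (skipping the commented hints the stock file carries) and explains how the two modes relate. The config file used is a constructed sample standing in for /etc/selinux/config; on a real host pass the real path and the output of getenforce.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode configured
# for the next boot in /etc/selinux/config. Not part of the original tutorial.

# Print the value of the SELINUX= key in a config file. Commented lines such as
# "# SELINUX= can take one of these three values:" are skipped; if the key
# appears more than once the last one wins, as it does for the system.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Lower-case the running mode reported by getenforce (Enforcing/Permissive/
# Disabled) so it can be compared with the lower-case config values.
normalize_mode() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Succeed (exit 0) when the running mode differs from the configured one.
selinux_mode_mismatch() {
    [ "$(normalize_mode "$1")" != "$2" ]
}

# One-line explanation of the relationship between the two modes.
selinux_mode_report() {
    running=$(normalize_mode "$1")
    configured=$2
    if [ "$running" = "$configured" ]; then
        echo "consistent: $running"
    elif [ "$configured" = "disabled" ] || [ "$running" = "disabled" ]; then
        echo "reboot pending: running $running, configured $configured"
    else
        echo "runtime override: running $running, configured $configured (setenforce)"
    fi
}

# Constructed sample standing in for /etc/selinux/config after Step 4.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected.
SELINUXTYPE=targeted
EOF

# On a real host use the live values:
#   selinux_mode_report "$(getenforce)" "$(selinux_config_mode /etc/selinux/config)"
# Here the running mode comes from getenforce when available, else "Disabled".
selinux_mode_report "$(getenforce 2>/dev/null || echo Disabled)" \
                    "$(selinux_config_mode "$SAMPLE_CONFIG")"
```

A naive grep for SELINUX= would also match the commented explanation line in the stock file, which is why the sed pattern anchors on the start of the line.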

Step 6 : Basic SELinux Configuration (Example using Apache):

- Install Apache:

sudo yum install httpd

- Edit /etc/httpd/conf/httpd.conf and add:

Listen 8001

- Create a virtual host for port 8001 with its document root in /home/example.com. Create a new configuration file /etc/httpd/conf.d/example.com.conf:

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com

    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

- Create the document root and index file, then set ownership and permissions (all of this runs as root, since /home is owned by root):

sudo mkdir /home/example.com
echo "Hello, SELinux!" | sudo tee /home/example.com/index.html
sudo chown -R apache:apache /home/example.com
sudo chmod -R 755 /home/example.com

- Test the configuration:

apachectl configtest

- If using a firewall, open the configured port:

sudo firewall-cmd --permanent --add-port=8001/tcp
sudo firewall-cmd --reload

- Install policycoreutils-python-utils, which provides the semanage command:

sudo yum install policycoreutils-python-utils

- View the current port settings:

semanage port -l

- Filter and check for the port type:

semanage port -l | grep -w http_port_t

- Add a new port context:

sudo semanage port -a -t http_port_t -p tcp 8001

- Verify the port settings:

semanage port -l | grep -w http_port_t
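semanage port -a only works for a port that no type owns yet; if another type already claims it (8080 belongs to http_cache_port_t in the default policy, for instance), the add fails with a "Port ... already defined" error and semanage port -m must be used to move it. Port numbers in the listing may also sit inside ranges such as 10001-10010, which a grep -w for the single number misses. The helper below is an added example, not from the tutorial: it parses semanage port -l output, including ranges, and picks add, modify or nothing. The listing it reads is a constructed excerpt; on a real host pipe in the live output.

```shell
#!/bin/sh
# Added example: decide between "semanage port -a" and "semanage port -m"
# from the output of "semanage port -l". Not part of the original tutorial.

# Print the SELinux port type that currently owns PROTO/PORT, reading
# "semanage port -l" output on stdin. Prints nothing if the port is unassigned.
# Port lists look like "80, 81, 443, 8008" and may contain ranges such as
# "10001-10010"; header and blank lines have no protocol in column 2 and are
# skipped by the $2 == proto test.
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        BEGIN { port += 0 }
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port >= lo && port <= hi) { print $1; exit }
            }
        }'
}

# Print "add" when PROTO/PORT is unassigned, "none" when it already carries
# WANTED_TYPE, and "modify" when another type owns it (semanage port -a would
# fail there with "Port ... already defined").
semanage_port_action() {
    current=$(port_type_for "$1" "$2")
    if [ -z "$current" ]; then
        echo add
    elif [ "$current" = "$3" ]; then
        echo none
    else
        echo modify
    fi
}

# Print the semanage command that labels PROTO/PORT as WANTED_TYPE.
semanage_port_cmd() {
    case $(semanage_port_action "$1" "$2" "$3") in
        add)    echo "sudo semanage port -a -t $3 -p $1 $2" ;;
        modify) echo "sudo semanage port -m -t $3 -p $1 $2" ;;
        none)   echo "# $1/$2 is already labeled $3" ;;
    esac
}

# Constructed excerpt of "semanage port -l" output (real listings are longer).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

dns_port_t                     udp      53
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# On a real host pipe the live listing instead:
#   semanage port -l | semanage_port_cmd tcp 8001 http_port_t
printf '%s\n' "$SAMPLE_PORTS" | semanage_port_cmd tcp 8001 http_port_t
printf '%s\n' "$SAMPLE_PORTS" | semanage_port_cmd tcp 8080 http_port_t
```

For the tutorial's port 8001 the result is the add command from the step above; for an already-claimed port it prints the -m form instead.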

- Restart Apache:

sudo systemctl restart httpd

- Add a file-context rule so that the document root is labeled as httpd content (files created under /home otherwise carry a home-directory type that httpd is not allowed to read):

sudo semanage fcontext -a -t httpd_sys_rw_content_t "/home/example.com(/.*)?"

- Apply the rule to the existing files:

sudo restorecon -R -v /home/example.com
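After restorecon, every entry under the document root should carry an httpd content type. The tutorial uses httpd_sys_rw_content_t, which also lets httpd write into the directory; a site that Apache only reads works with httpd_sys_content_t, so the check below accepts either. It is an added example, not part of the original tutorial: it reads ls -Z output (constructed sample listings here, standing in for the real ones taken before and after the relabel) and reports entries with any other type. Labels set with chcon are not recorded in the policy and are reverted by a later relabel, which is why the tutorial records the rule with semanage fcontext and then applies it with restorecon.

```shell
#!/bin/sh
# Added example: verify that everything under the document root carries an
# httpd content type after restorecon. Not part of the original tutorial.

# Types Apache may serve. httpd_sys_content_t is read-only for httpd;
# httpd_sys_rw_content_t (used by the tutorial) additionally allows writes.
HTTPD_TYPES="httpd_sys_content_t httpd_sys_rw_content_t"

# Extract the type field from a context string user:role:type:level[:categories].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ls -Z" output (one "context name" pair per line) on stdin and print
# "name: type" for every entry whose type is not in the space-separated
# ALLOWED list. Returns 1 when at least one entry is mislabeled, else 0.
find_mislabeled() {
    allowed=" $1 "
    bad=0
    while read -r ctx name; do
        [ -n "$name" ] || continue          # skip blank lines
        t=$(context_type "$ctx")
        case "$allowed" in
            *" $t "*) ;;
            *) echo "$name: $t"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed "ls -Z /home/example.com" listings standing in for the real ones:
# before the relabel the files still carry a home-directory type.
BEFORE_RELABEL='unconfined_u:object_r:user_home_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 logo.png'
AFTER_RELABEL='unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_rw_content_t:s0 logo.png'

# On a real host:  ls -Z /home/example.com | find_mislabeled "$HTTPD_TYPES"
printf '%s\n' "$BEFORE_RELABEL" | find_mislabeled "$HTTPD_TYPES" || echo "relabel needed"
printf '%s\n' "$AFTER_RELABEL"  | find_mislabeled "$HTTPD_TYPES" && echo "labels OK"
```

If the check still reports the home-directory type after restorecon, the fcontext pattern did not match the path; semanage fcontext -l | grep example.com shows the rule as recorded.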

- Visit http://example.com:8001 in a web browser.

Congratulations! Your SELinux configuration for CentOS Stream 9 is now complete.