How to Configure SELinux on Fedora 39

To configure SELinux on Fedora 39, follow these steps:

Step 1 : By default, SELinux is enabled. Verify its status using the following command:

getenforce

Step 2 : Obtain detailed SELinux status information with the following command:

sestatus

Step 3 : Understand SELinux Modes - Enforcing, Permissive, Disabled:

- Enforcing: SELinux actively denies actions that violate the security policy.

- Permissive: SELinux logs actions that would be denied in enforcing mode but allows them to occur.

- Disabled: SELinux is completely turned off, and no policy is enforced.

Step 4 : Disable SELinux if not needed for any specific reason:

- Temporarily disable SELinux (valid until the next system reboot):

setenforce 0

- Permanently disable SELinux (requires a system reboot): Edit the /etc/selinux/config file and set SELINUX=disabled.

- If permanently disabling SELinux, reboot the system for changes to take effect:

reboot

Step 5 : Check the current SELinux status:

getenforce

Basic SELinux Configuration

Step 6 : Install Apache as an example:

sudo dnf install httpd

Step 7 : Edit the Apache configuration file.

sudo nano /etc/httpd/conf/httpd.conf

Add the line:

Listen 8001

Step 8 : Configure Apache with a different port and root folder:

- Create a configuration file for the new site (e.g., /etc/httpd/conf.d/example.conf):

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com


    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Step 9 : Create a folder and an index file:

mkdir /home/example.com
echo "<h2>example.com</h2>" > /home/example.com/index.html

Step 10 : Set appropriate permissions:

sudo chown -R apache:apache /home/example.com
sudo chmod -R 755 /home/example.com

Step 11 : Open the required port in the firewall if necessary:

sudo firewall-cmd --add-port=8001/tcp --permanent
sudo firewall-cmd --reload

Step 12 : List SELinux ports:

semanage port -l

Step 13 : Filter SELinux port information:

semanage port -l | grep -w http_port_t

Step 14 : Allow Apache to use the new port:

semanage port -a -t http_port_t -p tcp 8001

Step 15 : Verify the updated port configuration:

semanage port -l | grep -w http_port_t

Step 16 : Use matchpathcon to compare the new directory with the default Apache directory:

matchpathcon /var/www/html /home/example.com

Step 17 : Match SELinux contexts for the new directory:

sudo semanage fcontext -a -t httpd_sys_content_t "/home/example.com(/.*)?"

Step 18 : Run restorecon to Apply Label Changes

restorecon -R -v /home/example.com/

Step 19 : Test and restart Apache.

sudo apachectl configtest
sudo systemctl restart httpd

Step 20 : Visit your domain at port 8001 and verify the results.

You have successfully configured SELinux on Fedora 39