Fedora 40

How to Configure SELinux on Fedora 40

To configure SELinux on Fedora 40, follow the steps below.

Step 1 : By default, SELinux is enabled. Check the SELinux status using:

getenforce

Step 2 : Additionally, you can use the sestatus command to get detailed SELinux status information.

sestatus

Step 3 : SELinux Modes:

- Enforcing: SELinux policy is enforced.

- Permissive: SELinux prints warnings instead of enforcing.

- Disabled: SELinux is fully disabled.

Step 4 : Disable SELinux:

- Temporarily disable SELinux:

sudo setenforce 0

4b: Permanently disable SELinux:

Edit /etc/selinux/config

sudo nano /etc/selinux/config

- And set SELINUX=disabled.

SELINUX=disabled

- If you permanently disable SELinux, a reboot is required.

sudo reboot

Step 5 : Check the SELinux status again to verify changes:

getenforce

Step 6 : Basic SELinux Configuration:

- Install Apache for demonstration purposes:

sudo dnf install httpd

- Edit the Apache configuration file /etc/httpd/conf/httpd.conf and add:

Listen 8001

- Create a new configuration file, for example:

sudo nano /etc/httpd/conf.d/example.conf

- Inside this file, define the configuration for your virtual host.

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com


    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

- Create the folder and index file:

mkdir /home/example.com
echo "<h2>example.com</h2>" > /home/example.com/index.html

- And set appropriate permissions:

sudo chown -R apache:apache /home/example.com
sudo chmod -R 755 /home/example.com

- If using a firewall, open the new port:

sudo firewall-cmd --add-port=8001/tcp --permanent
sudo firewall-cmd --reload

- Check SELinux port context for http:

semanage port -l | grep -w http_port_t

- Add a new port for SELinux:

sudo semanage port -a -t http_port_t -p tcp 8001

- Check the port again to confirm the addition:

semanage port -l | grep -w 8001

- Use matchpathcon to compare the newly created directory with the default Apache root:

matchpathcon /var/www/html /home/example.com

- Match SELinux contexts:

sudo semanage fcontext -a -t httpd_sys_content_t "/home/example.com(/.*)?"

- Apply SELinux context changes:

sudo restorecon -R -v /home/example.com/

- Test the Apache configuration.

sudo apachectl configtest
sudo systemctl restart httpd

- Visit the domain with the new port to check if the changes are effective.

Congratulations! You have successfully configured SELinux on Fedora 40.