Rocky 9

How to Configure SELinux on Rocky Linux 9

To configure SELinux on Rocky Linux 9, follow the steps below.

Step 1 : By default, SELinux is enabled. Verify the SELinux status using the command:

getenforce

Step 2 : To get more detailed status information, use:

sestatus

Step 3 : SELinux operates in three modes: Enforcing, Permissive, and Disabled.

- Enforcing: Enforces security policies.

- Permissive: Logs violations but doesn't enforce them.

- Disabled: SELinux is turned off.

Step 4 : Disable SELinux

If SELinux is not needed, you can disable it temporarily, permanently.

- Disable Temporarily

setenforce 0

- Disable Permanently

Edit the /etc/selinux/config file

And set SELINUX=disabled. Save the file.

- Reboot : If SELinux is disabled permanently, reboot the system.

Step 5 : Check the SELinux status to ensure it's disabled or in the desired mode.

getenforce

Basic SELinux Configuration

Step 6 : Install Apache.

dnf install httpd

Step 7 : Edit /etc/httpd/conf/httpd.conf and add Listen 8001.

sudo nano /etc/httpd/conf/httpd.conf

Add the following line:

Listen 8001

Save and exit the editor.

Step 8 : Create a configuration for port change and root folder.

sudo nano /etc/httpd/conf.d/example.conf

Add the following content:

<VirtualHost *:8001>
    ServerAdmin webmaster@example.com
    ServerName example.com
    DocumentRoot /home/example.com


    <Directory "/home/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Save and exit the editor.

Step 9 : Create the root folder and set permissions.

sudo mkdir /home/example.com
echo "<h2>example.com</h2>" > /home/example.com/index.html
sudo chown -R apache:apache /home/example.com
sudo chmod -R 755 /home/example.com

Step 10 : Test the configuration.

apachectl configtest

If the configuration is correct, you should see:

Syntax OK

Step 11 : Open firewall port if necessary.

sudo firewall-cmd --add-port=8001/tcp --permanent
sudo firewall-cmd --reload

Step 12 : Install policycoreutils-python-utils

sudo dnf install policycoreutils-python-utils

Step 13 : Check SELinux ports.

semanage port -l

Step 14 : Find specific port type.

semanage port -l | grep -w http_port_t

Step 15 : Add a new port:

semanage port -a -t http_port_t -p tcp 8001

Step 16 : Verify the port.

semanage port -l | grep 8001

You should see an entry for port 8001 with the correct SELinux type.

Step 17 : Restart Apache.

systemctl restart httpd

Step 18 : Match SELinux Contexts

semanage fcontext -a -t httpd_sys_rw_content_t "/home/example.com(/.*)?"

Step 19 : Apply SELinux Context Changes

restorecon -R -v /home/example.com

Step 20 : Open a web browser and navigate to http://your_domain_or_IP:8001 to check if the Apache server is serving content from the specified directory.

Congratulations! You have successfully configured SELinux on Rocky Linux 9.