SELinux
27 cards — 🟢 4 easy | 🟡 10 medium | 🔴 6 hard
🟢 Easy (4)
1. What are the three SELinux modes and what does each do?
Enforcing: blocks and logs policy violations (production mode). Permissive: logs violations but does not block (debugging mode). Disabled: no enforcement or logging (never use in production).
Remember: "SELinux = mandatory access control on top of DAC." Even root can be restricted by SELinux policy.
Fun fact: SELinux was developed by the NSA and contributed to the Linux kernel.
2. How do you check the current SELinux mode?
Run getenforce for the simple mode name, or sestatus for detailed status including policy type and mode.
Remember: "Enforcing = blocks, Permissive = logs, Disabled = off." Check with getenforce. Change temporarily with setenforce 0|1.
Gotcha: Switching from Disabled to Enforcing requires a full relabel: touch /.autorelabel && reboot.
3. What are the four fields of an SELinux security context?
user:role:type:level. Example: system_u:system_r:httpd_t:s0. The type field (e.g., httpd_t) is where 95% of policy decisions happen.
Remember: "SELinux labels have four parts: user:role:type:level." The type (third field) is what matters most for day-to-day troubleshooting.
Example: ls -Z /var/www shows httpd_sys_content_t — the type Apache is allowed to read.
4. How do you switch between SELinux enforcing and permissive modes and when should you?
Temporarily: setenforce 0 (permissive) or setenforce 1 (enforcing) — does not survive reboot.
Permanently: edit /etc/selinux/config and set SELINUX=enforcing or SELINUX=permissive.
Use permissive only for debugging — it logs denials without blocking. Switch to permissive when diagnosing AVC denials, collect the denials, create policy fixes, then switch back to enforcing. Never run permissive in production long-term.
🟡 Medium (10)
1. What are SELinux booleans and how do you enable one persistently?
Booleans are toggle switches that enable/disable specific policy behaviors without writing custom policy. Enable persistently with: setsebool -P httpd_can_network_connect on (the -P flag persists across reboots).
Example: setsebool -P httpd_can_network_connect on permanently allows Apache to make network connections.
Remember: "Booleans = SELinux feature toggles. -P = persistent across reboots."
2. Why is "semanage fcontext + restorecon" preferred over chcon for fixing file labels?
chcon sets a temporary label that does not survive a restorecon or filesystem relabel. semanage fcontext creates a persistent rule in the policy database, and restorecon applies it. The persistent rule ensures labels are correct after any relabeling event.
Example: chcon -t httpd_sys_content_t /var/www/mysite/index.html temporarily fixes the label. restorecon -Rv /var/www/ applies the permanent policy.
Remember: "chcon = temporary, restorecon = permanent. Always prefer restorecon."
3. How do you use audit2allow to diagnose and fix SELinux denials?
1) Find denials: ausearch -m AVC -ts recent.
2) Generate a policy module: ausearch -m AVC -ts recent | audit2allow -M myfix.
3) Review the .te file to verify it is not overly permissive.
4) Install if appropriate: semodule -i myfix.pp. Never blindly apply without reviewing.
4. How does SELinux interact with container volume mounts?
Containers are auto-labeled with container_t. Volume mounts need the :Z (private label) or :z (shared label) suffix, e.g., podman run -v /data:/data:Z myimage. Without it, SELinux blocks the container from accessing the volume.
5. What are the most commonly needed SELinux booleans for web servers?
httpd_can_network_connect: allow HTTPD to make outbound network connections (needed for reverse proxy to backends).
httpd_can_network_connect_db: allow HTTPD to connect to database ports.
httpd_use_nfs: allow HTTPD to serve files from NFS mounts.
httpd_enable_homedirs: allow HTTPD to serve user home directories.
List all booleans: getsebool -a | grep httpd. Always use setsebool -P for persistent changes.
6. How do SELinux context labels work for files and why do they matter?
Every file has an SELinux context (ls -Z shows it). Web content needs httpd_sys_content_t, writable web dirs need httpd_sys_rw_content_t. When you copy files, the destination context is inherited from the parent directory. When you move files (mv), the original context is preserved — this is a common source of denials. Fix with restorecon -Rv /path to reset labels to the policy default for that location.
7. How do you troubleshoot SELinux AVC denial messages?
1) Find the denial: ausearch -m AVC -ts recent or journalctl -t setroubleshoot.
2) Read the sealert suggestion: sealert -l
3) Check if a boolean fixes it: sesearch --allow -s httpd_t -t target_type.
4) Verify file contexts: ls -Z and compare against policy (matchpathcon path).
5) Try restorecon first (most common fix), then booleans, then custom policy as a last resort.
8. How does SELinux protect containers and what are the key considerations?
Containers run with the container_t type, which restricts access to only container-labeled resources. Each container gets a unique MCS (Multi-Category Security) label, preventing one container from accessing another's files even if they share a volume. Key considerations: use :Z (private) or :z (shared) suffixes on volume mounts, Podman supports full SELinux integration by default, and Docker requires --security-opt label=type:container_t for custom types.
9. How do you confine a custom systemd service with SELinux?
Create a custom policy module: use audit2allow -M myapp from AVC denials in permissive mode, or write a .te policy file defining a new type (myapp_t) with required permissions. Install with semodule -i, set the binary's file context, and switch to enforcing. Test thoroughly in permissive first.
10. Why does chcon not survive a relabel while semanage fcontext does?
chcon sets the SELinux context directly on the file's extended attributes but does not update the file_contexts policy database. When restorecon runs (or a full relabel), it resets contexts to what the policy says. semanage fcontext adds a persistent rule to the policy, so restorecon applies the correct context.
🔴 Hard (6)
1. What are the key differences between SELinux and AppArmor?
SELinux uses label-based enforcement (labels survive file moves/renames) and ships with RHEL/CentOS. AppArmor uses path-based enforcement (simpler to reason about) and ships with Ubuntu/SUSE. SELinux supports MLS and has a steeper learning curve. AppArmor has no multi-level security.
2. How do you create and enforce an AppArmor profile for a new application?
Use aa-genprof /usr/sbin/myapp to generate a skeleton profile interactively. Run the app in complain mode to log all access patterns, then use aa-logprof to refine the profile from logs. Switch to enforce mode with aa-enforce /etc/apparmor.d/usr.sbin.myapp.
3. How do you allow a service to bind to a non-standard port in SELinux?
Use semanage port to add the port to the appropriate type.
Example: semanage port -a -t http_port_t -p tcp 8090 allows httpd_t processes to bind to port 8090. Without this, SELinux blocks the bind even if the firewall allows it.
4. What is the proper workflow for creating a custom SELinux policy module?
1) Set the domain to permissive (semanage permissive -a httpd_t) to collect all denials without blocking.
2) Exercise all application functionality to trigger denials.
3) Collect denials: ausearch -m AVC -ts recent > denials.txt.
4) Generate policy: audit2allow -M mypolicy < denials.txt.
5) Review the .te file — remove overly broad rules.
6) Install: semodule -i mypolicy.pp.
7) Remove permissive: semanage permissive -d httpd_t.
8) Test in enforcing mode.
5. How do you use semanage to customize SELinux policy for non-standard configurations?
semanage fcontext: define file context rules for custom paths (e.g., semanage fcontext -a -t httpd_sys_content_t "/srv/myapp(/.*)?" then restorecon -Rv /srv/myapp).
semanage port: allow services on non-standard ports.
semanage login: map Linux users to SELinux users.
semanage boolean: manage persistent booleans.
All semanage changes persist across policy updates and relabels, unlike chcon which is temporary.
6. How does SELinux Multi-Category Security (MCS) isolate containers from each other?