
Quiz: SELinux & AppArmor


4 questions

L0 (1 question)

1. What are the three SELinux modes and which one should be used in production?

Answer: Enforcing: the policy is applied, violations are blocked and logged as AVC denials in the audit log; the only acceptable mode for production. Permissive: violations are logged but not blocked; use it for debugging a policy, preferably for one domain ('semanage permissive -a httpd_t') rather than the whole system. Disabled: no policy is loaded and nothing is logged; never in production. Files created while disabled carry no label, so returning to enforcing needs a full relabel ('touch /.autorelabel' and reboot). Check the current mode with 'getenforce' or 'sestatus'. 'setenforce 0' / 'setenforce 1' switches between permissive and enforcing until the next reboot (it cannot enter or leave disabled); make the mode permanent with SELINUX=enforcing in /etc/selinux/config.

L1 (1 question)

1. You moved web content to /srv/myapp/ but Nginx cannot read it despite correct file permissions. What is happening?

Answer: mv preserves the file's existing SELinux label (cp creates a new file that inherits the destination directory's default label), so the moved files still carry whatever type they had where they were created, for example user_home_t from a home directory. The policy's own default for /srv is var_t, and neither type is readable by the Nginx domain httpd_t, which is only allowed the httpd content types such as httpd_sys_content_t (httpd_sys_rw_content_t for content it must write). Confirm with 'ls -Z /srv/myapp/' and compare against what the policy expects with 'matchpathcon /srv/myapp'. Fix: record the mapping in the policy's file-context database, then apply it: 'semanage fcontext -a -t httpd_sys_content_t "/srv/myapp(/.*)?"' followed by 'restorecon -Rv /srv/myapp/'. Prefer this over 'chcon': chcon only rewrites the label on the inode without recording it anywhere, so the next restorecon or system relabel reverts it.

L2 (1 question)

1. Nginx needs to make outbound network connections to a backend API but SELinux blocks it. How do you diagnose and fix this?

Answer: Diagnose: 'ausearch -m AVC -ts recent', or 'grep AVC /var/log/audit/audit.log' (the kernel writes 'avc:  denied  { name_connect }' with double spaces, so grepping for the single-spaced 'avc: denied' finds nothing). The record shows scontext ...:httpd_t:... denied name_connect on tclass=tcp_socket, with the backend's port type as tcontext. If setroubleshoot is installed, 'sealert -a /var/log/audit/audit.log' explains the denial and names any boolean that covers it. Fix: look for a boolean before writing policy: 'getsebool -a | grep httpd' or 'semanage boolean -l', and specifically 'getsebool httpd_can_network_connect'. Enable it with 'setsebool -P httpd_can_network_connect on'; -P writes the change into the policy store so it survives reboots, without it the change lasts only until reboot. Caveat: that boolean lets httpd_t connect to any port. If the backend listens on an HTTP port type, the narrower 'httpd_can_network_relay' is enough; if its port is unlabeled, label it first ('semanage port -a -t http_port_t -p tcp PORT') so the narrower boolean applies. Booleans are the first stop before a custom module.

L3 (1 question)

1. Describe the process of creating a custom SELinux policy module using audit2allow, including the critical safety step most people skip.

Answer:
1. Reproduce the denial with the domain in permissive mode ('semanage permissive -a httpd_t', removed afterwards with 'semanage permissive -d httpd_t') rather than the whole system, so every access the operation needs is logged in one pass instead of stopping at the first denial. If the expected denial never appears it may be hidden by a dontaudit rule: 'semodule -DB' rebuilds the policy with those rules disabled and 'semodule -B' restores them.
2. 'ausearch -m AVC -ts recent | audit2allow -M myfix' writes myfix.te (human-readable type enforcement source) and myfix.pp (the compiled module). Running 'audit2why' on the same input first tells you whether an existing boolean would already cover the denial.
3. CRITICAL: read myfix.te before installing. audit2allow turns every denial in its input into an allow rule, so it will happily emit 'allow httpd_t shadow_t:file read' if that denial was in the log, and rules are per type, not per path: 'allow httpd_t user_home_t:file read' opens every user's home content, not the one file you meant. Trim the rules to the minimum and prefer a boolean or a relabel where one exists.
4. Only if the .te says exactly what you intend: 'semodule -i myfix.pp'. Never blindly pipe audit2allow output into policy.
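The three answers above (L1, L2 and L3) all start from the same artefact, a raw AVC record, and differ only in which fix applies. The script below is an added example, not part of the quiz, that parses such records offline and sorts each denial into the quiz's fixes: BOOLEAN (setsebool), RELABEL (semanage fcontext + restorecon), POLICY (audit2allow with the .te reviewed), or INVESTIGATE for targets such as shadow_t that should never be allowed no matter what audit2allow would generate. The four audit records are constructed for the example (same format as /var/log/audit/audit.log, not captured from a real host), and the list of sensitive target types and the decision rules are the example's own assumptions, not part of any SELinux tool.

```shell
#!/bin/sh
# Added example (not from the quiz): offline triage of SELinux AVC denials.
# Live use: ausearch -m AVC -ts recent --raw | while IFS= read -r l; do triage_avc "$l"; done

# Constructed sample records in audit.log format (not captured from a real host).
AVC1='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'
AVC2='type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC3='type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=1234 comm="nginx" name="cache" dev="dm-0" ino=6789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'
AVC4='type=AVC msg=audit(1700000003.012:459): avc:  denied  { read } for  pid=2222 comm="nginx" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1'

# avc_field RECORD KEY: value of KEY=value in RECORD, quotes stripped, empty if absent.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perms RECORD: the permissions between "{" and "}", e.g. "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc RECORD: print one line "ACTION detail"; ACTION is the first word.
triage_avc() {
    rec=$1
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    class=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    mode=$(avc_field "$rec" permissive)
    # permissive=1 means the access was logged but actually allowed to proceed.
    if [ "$mode" = 1 ]; then note=" (permissive: access went through)"; else note=""; fi

    # Assumed deny-list for this example: never let audit2allow write a rule for these.
    case "$ttype" in
        shadow_t|ssh_home_t|sysadm_home_t)
            echo "INVESTIGATE $stype wanted $perms on $ttype$note"
            return ;;
    esac
    case "$stype/$class/$perms" in
        httpd_t/tcp_socket/name_connect)
            echo "BOOLEAN $stype -> $ttype: getsebool httpd_can_network_connect (or the narrower httpd_can_network_relay), then setsebool -P$note" ;;
        httpd_t/file/*|httpd_t/dir/*)
            case "$ttype/$perms" in
                httpd_sys_content_t/*write*|httpd_sys_content_t/*create*|httpd_sys_content_t/*add_name*)
                    echo "RELABEL $ttype is read-only for httpd_t; use httpd_sys_rw_content_t via semanage fcontext + restorecon$note" ;;
                httpd_*)
                    echo "POLICY $stype $perms on $ttype: audit2allow -M, read the .te, then semodule -i$note" ;;
                *)
                    echo "RELABEL $ttype is not web content; semanage fcontext -a -t httpd_sys_content_t PATTERN && restorecon -Rv PATH$note" ;;
            esac ;;
        *)
            echo "POLICY $stype $perms on $ttype ($class): no boolean or label shortcut; audit2allow -M, read the .te, then semodule -i$note" ;;
    esac
}

# triage_all: triage every record read from stdin, skipping blank lines.
triage_all() {
    while IFS= read -r rec; do
        if [ -n "$rec" ]; then triage_avc "$rec"; fi
    done
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$AVC1" "$AVC2" "$AVC3" "$AVC4" | triage_all
```

The decision order matters: the deny-list is checked before anything else, so the shadow_t read in AVC4 is reported as a finding even though the record came from a permissive domain and the access actually succeeded, which is exactly the kind of line that would otherwise become an allow rule in myfix.te. Parsing by key rather than by column position keeps the script usable on records with extra fields such as dev= and ino= that only appear for file objects.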