Site Map - skip to main content

Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes every weekday Monday through Friday.
This page was generated by The HPR Robot at

hpr4328 :: Use SELinux the easy way

You don't have to be an expert on SELinux to use it effectively

<< First, < Previous, , Latest >>

Hosted by Klaatu on Wednesday, 2025-03-05 is flagged as Clean and is released under a CC-BY-SA license.
linux, selinux, permissions. 2.

Listen in ogg, opus, or mp3 format. Play now:

Duration: 00:22:58
Download the transcription and subtitles.

general.

The most basic security toggle on your Linux computer is the 

setenforce
command. Using just a single 
setenforce
instruction, you can configure SELinux to allow a violation it would normally prevent. There are two states: Enabled and Permissive. By default, SELinux is 
Enabled
(also represented as 
1
when using Boolean values). To set SELinux to permissive mode:

$ sudo setenforce Permissive

When something works in Permissive mode, you've successfully identified the symptom, but you haven't fixed the problem yet. Activate Enforcing mode again:

$ sudo setenforce Enforcing

Check the status of SELinux

You can check the state of SELinux at any time using the 

sestatus
command:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
[...]

Look at labels and contexts

If you have a running Linux system, then you have an example of what SELinux requires for normal operation. You don't have to learn about security contexts or memorize labels. For most anything you try to do on your computer, there are likely already files doing something similar. Use those files as templates.

You can look at the security labels of any file you have access to by using the 

-Z
(that's a capital Z) option of 
ls
:

$ touch hellotouch hello.txt
$ ls -Z hello.txt
unconfined_u:object_r:user_home_t:s0 hello

An empty file created by a user in the user's own home directory has, as you might expect, a very specific security profile. Even with the executable bit set, that file would not be permitted to run as a systemwide service. It just doesn't have the correct security context.

If you use an 

ll
alias, try adding the 
-Z
option to its option list so you get used to seeing SELinux labels. The more you see what labels exist on your system, and how they relate to various system roles, you're more likely to recognize when they're wrong.

Copy contexts

Suppose you were developing a custom SELinux service for your laptop. You've written a shell script, a service file, and you've placed them in the appropriate system locations. You're also careful to set ownership and permissions correctly. But no matter what you do, you get errors when attempting to start the service.

You suspect that SELinux might be preventing an unrecognized service from running. That would normally be appreciated, but in this case you want to make an exception.

First, confirm that the service runs successfully with SELinux in Permissive mode:

$ sudo setenforce Permissive
$ sestatus | grep Current
Current mode:                 permissive
$ sudo systemctl start hello.service || echo "fail"
$
$ sudo setenforce Enforcing

Then look at the files you've created using the 

-Z
and compare them with other files that you know to be working properly. Note the differences:

$ ls -Z /usr/lib/systemd/system/hello.service
unconfined_u:object_r:systemd_unit_file_t:s0
$ ls -Z /usr/lib/systemd/system/rdisc.service
system_u:object_r:rdisc_unit_file_t:s0

The working service (

rdisc.service
in this example, chosen at random) features the 
system_u
label as well as a special 
rdisc_unit_file_t
label. Suppose you know from previous experience with 
ls -Z
that a common SELinux label for systemd service files is 
systemd_unit_file_t
so you ignore that difference. However, 
unconfined_u
and 
system_u
seem to be important.

Use the 

chcon
("change context") command to change the security context of your service file:

$ sudo chcon system_u:object_r:systemd_unit_file_t:s0 \
/usr/lib/systemd/system/hello.service
$ ls -Z /usr/lib/systemd/system/hello.service
system_u:object_r:systemd_unit_file_t:s0

Your systemd service is probably triggering some executable file on your system. If you created that yourself, it probably also has the incorrect security context. Comparing it to a known working script:

$ ls -Z /usr/bin/example.sh
unconfined_u:object_r:gconf_home_t:s0
$ ls -Z /usr/bin/brltty-prologue.sh
system_u:object_r:bin_t:s0

Again, there's one obvious difference, which you can correct with 

chcon
:

$ chcon system_u:object_r:bin_t:s0 \

/usr/bin/example.sh

Comments

Subscribe to the comments RSS feed.

Comment #1 posted on 2025-03-07 16:53:05 by lyunpaw@gmail.com

Time to brick the box.

Nice job Klaatu. Now I have to try it. You’ll have to do a follow up show titled, “How to regain access to your system after excessive enforcement with SELinux”. Good luck to the both of us.

Comment #2 posted on 2025-03-10 07:02:19 by Klaatu

This advice comes with no warranty

Thanks lyunpaw!

To paraphrase the GPL:

This advice is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of FITNESS FOR A PARTICULAR PURPOSE...

Leave Comment

Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.

Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).

Provide feedback
Your Name/Handle:
Title:
Comment:
Anti Spam Question: What does the letter P in HPR stand for?