
SELinux policies

When the system starts, the policies are loaded into memory.

Disclaimer

Don’t write your own policies for the apps.

Use containers!

If they fail, use a tool like udica to label them.

If you absolutely have to, then clone the context from an existing app, like Nginx.

Guide to writing a policy

List modules

semodule -l 

Semanage

Listing the predefined policies

semanage port -l

Changing the context

  1. First tell SELinux what the default value should be.
  2. Then change it with restorecon.

Non-standard ports

SELinux has policies for the standard ports.

To change the policy to something different:

A range can be specified via -

semanage port -a -t http_port_t -p tcp 333-444
  • -m to modify an already existing policy
  • -d to delete
  • -t type
  • -a add

You can check only your own customizations with -lC

$ semanage port -lC

-------------------------------------------------------
SELinux Port Type              Proto    Port Number

grafana_port_t                 tcp      3000
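Added example, not from these notes: `semanage port -a` is rejected when the port already has a type, and `-m` is the right verb in that case. The function below parses `semanage port -l` output (a constructed sample in the layout shown above, so it runs offline) and prints which command applies.

```shell
# Constructed sample of `semanage port -l` output (same column layout as above).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
grafana_port_t                 tcp      3000
ssh_port_t                     tcp      22'

# port_type_of PROTO PORT LISTING
# Prints the type that owns PORT/PROTO in LISTING (single ports and
# low-high ranges), or nothing if the port is not defined.
port_type_of() {
  local proto="$1" port="$2" listing="$3"
  printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
    NR > 1 && $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i
        sub(/,$/, "", p)                     # strip the list separator
        if (p == port) { print $1; exit }
        if (p ~ /-/) {                       # low-high range
          split(p, r, "-")
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
        }
      }
    }'
}

# semanage_port_cmd TYPE PROTO PORT LISTING
# Prints the semanage command needed to give PORT/PROTO the type TYPE:
# -a when the port is undefined, -m when it already belongs to another type.
semanage_port_cmd() {
  local type="$1" proto="$2" port="$3" listing="$4" current
  current=$(port_type_of "$proto" "$port" "$listing")
  if [ -z "$current" ]; then
    printf 'semanage port -a -t %s -p %s %s\n' "$type" "$proto" "$port"
  elif [ "$current" = "$type" ]; then
    printf 'already %s\n' "$type"
  else
    printf 'semanage port -m -t %s -p %s %s\n' "$type" "$proto" "$port"
  fi
}

# On a real host replace the sample with: semanage_port_cmd http_port_t tcp 8080 "$(semanage port -l)"
semanage_port_cmd http_port_t tcp 8080 "$SAMPLE_PORT_LIST"
semanage_port_cmd http_port_t tcp 3000 "$SAMPLE_PORT_LIST"
```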

Permissive policies

semanage permissive -l

Booleans

It’s when you have to enable an option in the policy that is prevented by default (see the docs).

  • Set the boolean yourself
sudo semanage boolean -m --on httpd_enable_homedirs
  • Check booleans set by users
semanage boolean -l -C

The list of booleans set by the user is stored in (old versions):

/etc/selinux/targeted/modules/active

Tip

Install setroubleshoot-server to deal with the messages.


[SELinux MAIN]({{< ref "posts/SELinux.md" >}}) [SELinux Containers]({{< ref "posts/redhat/selinux_containers.md" >}})