Managing SELinux on RHEL 8

30 minutes
  • 4 Learning Objectives

About this Hands-on Lab

Security-Enhanced Linux (SELinux) is an additional layer of system security that enhances the other security mechanisms in RHEL 8. In this hands-on lab, we will examine SELinux at a high level, set and check enforcing and permissive modes for SELinux, list and identify SELinux file and process contexts, restore default file contexts, use boolean settings to modify system SELinux settings, and diagnose and address routine SELinux policy violations on RHEL 8.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Diagnose a Reported Apache Server Issue
  1. Discover an Apache Server access issue.
  2. Attempt to start Apache and view status.
  3. Query the system journal for errors and issues.
  4. Test if the issue is SELinux-related.
Troubleshoot Possible SELinux Errors Affecting Apache
  1. Re-enable SELinux and check the status.
  2. Investigate audit and other logs for errors.
  3. Discover the issue is related to the non-standard port.
Create and Apply a Local Policy Module to Fix the Apache Issue
  1. Use ausearch and audit2allow to generate a local policy module.
  2. Investigate the generated policy module files.
  3. Apply the policy module.
  4. Test Apache access.
Clean Up any Additional SELinux-related Issues
  1. Check the logs again for errors.
  2. Find getattr issues for httpd files.
  3. Set context for the affected files.
  4. Test for any additional errors.

Additional Resources

In this lab, you have already set up an Apache server for use by a group in your organization that is using a non-standard port to access Apache for a graphical application. The group reports that they are getting errors and can't connect to the server, so you have to find out what has happened and fix the issue.

You'll diagnose the Apache server issues by investigating the log files, attempting to restart the httpd service, and using the explanations feature of journalctl to get more information.

Suspecting that the issue lies in how SELinux is configured, you'll then temporarily disable SELinux, retry the Apache troubleshooting, and realize it's time to create a local policy module that allows the non-standard use of Apache.

After generating the local policy module and applying it, you will test Apache functionality again. Once that succeeds, you'll become aware that there may be some additional issues that resulted from the "fix" you applied.

You'll look further into the logs, find and fix an SELinux context issue, and finally have clean logs and messages.

Red Hat Exam Requirements Covered:

  • Set enforcing and permissive modes for SELinux
  • List and identify SELinux file and process context
  • Restore default file contexts
  • Use boolean settings to modify system SELinux settings
  • Diagnose and address routine SELinux policy violations

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
