Examples -------- #### Quick command list ls -laZd /webcontent/ semanage fcontext -l | grep httpd_sys_content_t semanage fcontext -a -t httpd_sys_content_t '/webcontent(/.*)?' semanage fcontext -d -t httpd_sys_content_t '/webcontent(/.*)?' restorecon -vvFR /webcontent/ chcon -t httpd_sys_content_t /webcontent/ semanage port -a -t http_port_t -p tcp 8001 semanage port -l | grep http semanage boolean -l | egrep "(^SELinux|http.*cgi)" getsebool httpd_enable_cgi setsebool -P httpd_enable_cgi=off setsebool httpd_enable_cgi=off #### List all ports related to http in default policy [root@localhost ~]# semanage port -l | grep http http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 http_cache_port_t udp 3130 http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989 #### Add a label to a port unsuccessfully and successfully # Port is already under a different label [root@localhost ~]# semanage port -a -t http_port_t -p tcp 8000 ValueError: Port tcp/8000 already defined [root@localhost ~]# semanage port -l | grep 8000 soundd_port_t tcp 8000, 9433, 16001 # Let's try 8001 [root@localhost ~]# semanage port -a -t http_port_t -p tcp 8001 # Success, httpd can now listen on port 8001 [root@localhost ~]# semanage port -l | grep http http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 http_cache_port_t udp 3130 http_port_t tcp 8001, 80, 81, 443, 488, 8008, 8009, 8443, 9000 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989 #### List all locations with the httpd_sys_content_t label in the default policy # The default policy allows httpd to serve content from any of these locations # Note that some of the entries have regular expressions in them [root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t /etc/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/gallery2(/.*)?
all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/doc/ghc/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/drupal.* all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/glpi(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/icecast(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/ntop/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/openca/htdocs(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/selinux-policy[^/]*/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/z-push(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/cacti/rra(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/trac(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/icons(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/svn/conf(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 #### Add a new location from where httpd can serve content # Write new entry into default policy [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/webcontent(/.*)?' [root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t /etc/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/gallery2(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/doc/ghc/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/drupal.* all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/glpi(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/icecast(/.*)? 
all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/ntop/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/openca/htdocs(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/selinux-policy[^/]*/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/z-push(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/cacti/rra(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/trac(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/icons(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/svn/conf(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /webcontent(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 # The directory doesn't automatically get the label when it is created; the policy rule must be applied to it [root@localhost ~]# mkdir /webcontent [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /webcontent/ # Apply the default policy to /webcontent to apply the label [root@localhost ~]# restorecon -vvFR /webcontent/ restorecon reset /webcontent context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0 [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /webcontent/ #### Removing rules from the policy # Delete the default policy for /webcontent [root@localhost ~]# semanage fcontext -d -t httpd_sys_content_t '/webcontent(/.*)?' [root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t /etc/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/gallery2(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/doc/ghc/html(/.*)?
all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/drupal.* all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/glpi(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/icecast(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/ntop/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/openca/htdocs(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/selinux-policy[^/]*/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/z-push(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/cacti/rra(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/trac(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/icons(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/svn/conf(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 # Rule is gone from policy, but /webcontent still has its label until policy is applied [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /webcontent/ [root@localhost ~]# restorecon -vvFR /webcontent/ restorecon reset /webcontent context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0 [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. root root system_u:object_r:default_t:s0 /webcontent/ #### Changing current label with chcon [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. root root system_u:object_r:default_t:s0 /webcontent/ # Manually give label to /webcontent [root@localhost ~]# chcon -t httpd_sys_content_t /webcontent/ [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. 
root root system_u:object_r:httpd_sys_content_t:s0 /webcontent/ # chcon changed only the current label on the directory; it didn't change the default policy [root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t /etc/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/gallery2(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/doc/ghc/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/drupal.* all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/glpi(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/icecast(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/ntop/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/openca/htdocs(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/selinux-policy[^/]*/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /usr/share/z-push(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/cacti/rra(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/htdig(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/lib/trac(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/icons(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /var/www/svn/conf(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 # Re-applying the default policy removes the manually set label, since no policy rule matches /webcontent [root@localhost ~]# restorecon -vvFR /webcontent/ restorecon reset /webcontent context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0 [root@localhost ~]# ls -laZd /webcontent/ drwxr-xr-x. root root system_u:object_r:default_t:s0 /webcontent/ #### Working with booleans, current vs.
default values # There is a boolean that allows CGI, on top of configuration settings for httpd # Default policy and current value are both 'on' [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (on , on) Allow httpd to enable cgi # getsebool only shows one value, the current state, not default policy [root@localhost ~]# getsebool httpd_enable_cgi httpd_enable_cgi --> on # setsebool command normally only affects the current state [root@localhost ~]# setsebool httpd_enable_cgi=off [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (off , on) Allow httpd to enable cgi [root@localhost ~]# getsebool httpd_enable_cgi httpd_enable_cgi --> off # Use -P to change default state [root@localhost ~]# setsebool -P httpd_enable_cgi=off [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (off , off) Allow httpd to enable cgi [root@localhost ~]# getsebool httpd_enable_cgi httpd_enable_cgi --> off # Even if default policy is for it to be off, you can still set current state to 'on' [root@localhost ~]# setsebool httpd_enable_cgi=on [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (on , off) Allow httpd to enable cgi [root@localhost ~]# getsebool httpd_enable_cgi httpd_enable_cgi --> on # Changing the default policy will change the current state as well [root@localhost ~]# setsebool -P httpd_enable_cgi=on [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (on , on) Allow httpd to enable cgi [root@localhost ~]# setsebool -P httpd_enable_cgi=off [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (off , off) Allow httpd 
to enable cgi [root@localhost ~]# setsebool -P httpd_enable_cgi=on [root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)" SELinux boolean State Default Description httpd_enable_cgi (on , on) Allow httpd to enable cgi