
SELinux Tools

Many standard tools on openSUSE support SELinux labels and can display them. The convention is that an extra `-Z` argument shows the SELinux label/type information.

Common examples are:

   # ls -alZ
   total 20
   drwx------. 1 admin admin system_u:object_r:user_home_dir_t:s0  128 Jun 22 18:32 .
   dr-xr-xr-x. 1 root  root  system_u:object_r:home_root_t:s0       10 Jun 22 18:32 ..
   -rw-------. 1 admin admin system_u:object_r:user_home_t:s0        8 Jun 22 19:16 .bash_history
   -rw-r--r--. 1 admin admin system_u:object_r:user_home_t:s0      604 Jun 15 04:50 .bashrc
   # ps auxZ
   LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1232 200  0.1 8360 3584 pts/0 R+ 16:43   0:00 ps auxZ

In addition, SELinux has a number of dedicated tools to view denials (when a type is denied access to another type), to create policy, and to enable or disable policy selectively.

You can ensure these tools are installed with `zypper in policycoreutils setools-console`.

ausearch

ausearch is the audit search tool. It allows you to query the audit logs and display denials that match certain conditions, which may hint at actions you can take to resolve the issue.

To show all denials since boot:

   ausearch -ts boot -m avc

To show denials from a given timestamp onward. If the current time is 16:20:00, the denials from the last 5 minutes can be shown with:

   ausearch -ts 16:15:00 -m avc

semanage

`semanage` allows changing some elements of the current policy on a running system. Some common uses are:

List all available policy boolean tunables. Turning some of these "on" may resolve issues you have without needing to resort to disabling SELinux:

   semanage boolean -l

List all types/processes that have been put into permissive mode. Rather than disabling policy for the whole system, individual types (domains) can be made permissive temporarily for analysis:

   semanage permissive -l
   # put a single type into permissive mode (replace <type> with a domain such as httpd_t)
   semanage permissive -a <type>
   semanage permissive -a httpd_t
   # remove that type from permissive mode so it is enforcing again
   semanage permissive -d <type>
   semanage permissive -d httpd_t
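The two sections above describe the usual triage loop: pull the AVC denials out of the audit log with `ausearch -ts boot -m avc`, work out which source domain is being denied what on which target type, and only then decide whether a boolean, a relabel, or a temporary `semanage permissive -a` on that one domain is the right fix. The following script is an added example, not part of the original page or of the policycoreutils tools themselves; it parses AVC records of the shape `ausearch` prints and summarises them. The sample records embedded in it are constructed for illustration (the pids, inodes and paths are made up, and the domain and type names are only assumed to match what a real system would log), so it runs offline; on a real host you would pipe the output of `ausearch -ts boot -m avc` into the same functions instead.

```shell
#!/bin/sh
# Constructed sample of `ausearch -ts boot -m avc` output (not real audit
# data; pids, inodes, paths and timestamps are invented for illustration).
SAMPLE_AVC='type=AVC msg=audit(1687454321.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1687454322.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev="sda1" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1687454323.789:458): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/admin/public_html/index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1687454330.000:459): avc:  denied  { name_connect } for  pid=2222 comm="myapp" dest=8080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1'

# summarize_avc: read AVC records on stdin and print one line per distinct
# (source type, target type, object class, permission, permissive flag)
# tuple, prefixed with how often it was hit, most frequent first.
# The type is the third colon-separated field of an SELinux context
# (user:role:type:level), which is why a[3] is taken below.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""
        if (match($0, /\{ [^}]* \}/)) { perm = substr($0, RSTART + 2, RLENGTH - 4) }
        s = ""; t = ""; c = ""; p = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], a, ":"); s = a[3] }
            else if (kv[1] == "tcontext") { split(kv[2], a, ":"); t = a[3] }
            else if (kv[1] == "tclass")   { c = kv[2] }
            else if (kv[1] == "permissive") { p = kv[2] }
        }
        count[s " " t " " c " " perm " permissive=" p]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# enforced_source_types: distinct source domains that were actually blocked
# (permissive=0). Records with permissive=1 were logged but allowed, so a
# domain already under `semanage permissive -a` does not show up here.
# These domains are the candidates for a boolean from `semanage boolean -l`,
# a relabel of the target, or a temporary `semanage permissive -a <type>`
# while the issue is analysed.
enforced_source_types() {
    awk '/avc: +denied/ && /permissive=0/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^scontext=/) { split($i, a, ":"); print a[3] }
    }' | sort -u
}

# Stand-alone usage over the constructed sample; with real logs replace the
# printf with: ausearch -ts boot -m avc | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | enforced_source_types
```

On the sample the summary shows that `httpd_t` is denied `read` twice and `open` once on `user_home_t` files, while the `init_t` connect was only logged because that domain is already permissive. The first line of the summary is what you would normally look up next: a denial on `user_home_t` by `httpd_t` typically points at a boolean or a mislabelled web root rather than at making `httpd_t` permissive for good.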

semodule

semodule allows dynamic changes to, and loading of, SELinux policy modules. It also has a useful feature that allows auditing of some denials that are otherwise invisible: by default a number of rules that are commonly "hit" are marked dontaudit to prevent them cluttering the logs. However, sometimes these dontaudit rules are important to understanding an issue.

To disable dontaudit rules so that they emit messages to the audit log:

   semodule -DB

To re-enable dontaudit rules so that they are enforced silently again:

   semodule -B