How to use selinux on Centos 6.5

How to use selinux on your Redhat/CentOS server.

Check if selinux is enabled/disabled


Disable on the fly selinux

setenforce 0

Enable on-the-fly selinux

setenforce 1

Install utilities to be able to change selinux policies

yum install policycoreutils policycoreutils-python
yum install -y setroubleshoot

Check for selinux errors

cat /var/log/audit/audit.* /var/log/messages* | audit2allow

Create selinux rules based on what was found on logs

cat /var/log/audit/audit.* /var/log/messages* | audit2allow -M mysemanage

Apply the rules on the system

sudo semodule -i mysemanage.pp

In case you run in to trouble and even after applying the pp file your app will still be blocked use the following commands

semodule -BD

After run again the command to generate the rules and apply the new rules and after run the below command

semodule -B


1) Disable selinux

setenforce 0

2) Run the app which is blocked be selinux, after check selinux logs with the command

cat /var/log/audit/audit.* /var/log/messages* | audit2allow

3) Build the rules with the command:

cat /var/log/audit/audit.* /var/log/messages* | audit2allow -M myapprule

4) Apply the created rule:

sudo semodule -i myapprule.pp

5) Enable selinux

setenforce 1

6) Test your app

7) If the above steps doesn’t work then

echo 0 > /selinux/enforce

8) Clean selinux rules

semodule -BD

go back and do the steps 2,3,4,5 and 6. If your app works then run the command

semodule -B

After applying the new rule do not run the process again. You will most probably lose all the policies. In case you have a new feature which is blocked by selinux run the followings commands

cat /var/log/audit/audit.* /var/log/messages* | audit2allow

Find in the list which policy is blocked. Will look like this:

#!!!! This avc can be allowed using the boolean 'httpd_use_nfs' 
allow httpd_t nfs_t:dir write;

Check your selinux policy and you will see that httpd_use_nfs = off

getsebool -a | grep httpd

Enable the policy

setsebool -P httpd_use_nfs 1

Restore selinux context to a folder

restorecon -R -v /folder_name

To update an existing .te selinux policy follow the steps below

checkmodule -M -m -o mysemanage.mod mysemanage.te
semodule_package -m mysemanage.mod -o mysemanage.pp

The new created selinux policy can be applied

semodule -i mysemanage.pp

Thank you Radu for the help with semodule -BD