{"id":9709,"date":"2025-02-26T01:02:00","date_gmt":"2025-02-26T06:02:00","guid":{"rendered":"https:\/\/www.both.org\/?p=9709"},"modified":"2025-02-21T13:37:57","modified_gmt":"2025-02-21T18:37:57","slug":"fix-selinux-problems-with-this-little-known-option","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=9709","title":{"rendered":"Fix SELinux problems with this little-known option"},"content":{"rendered":"
\r\n
\r\n \r\n <\/i>\r\n <\/a>\r\n <\/span>\r\n<\/div><\/div>\n

SELinux is a security subsystem that works to prevent files and code from running from places they don’t belong. It’s a big complex system that’s integrated into the very kernel, and it has governance over every file on your computer. Fortunately, you can benefit from SELinux and even interact with it without understanding how or why it works. Here’s how I manage SELinux on my system.<\/p>\n\n\n\n

Understand enforcement<\/h2>\n\n\n\n

The most basic security toggle on your Linux computer is the setenforce<\/code> command. Using just a single setenforce<\/code> instruction, you can configure SELinux to allow a violation it would normally prevent. There are two states: Enabled and Permissive. By default, SELinux is Enabled<\/code> (also represented as 1<\/code> when using Boolean values). To set SELinux to permissive mode:<\/p>\n\n\n\n

$ sudo setenforce Permissive<\/code><\/pre>\n\n\n\n
Try that the next time you’re working on something at the system-level, using root or sudo<\/code> permissions, and it doesn’t work.<\/p>\n\n\n\n
When something works in Permissive mode, you’ve successfully identified the symptom, but you haven’t fixed the problem yet. Activate Enforcing mode again:<\/p>\n\n\n\n
$ sudo setenforce Enforcing<\/code><\/pre>\n\n\n\n
Check the status of SELinux<\/h2>\n\n\n\n
You can check the state of SELinux at any time using the sestatus<\/code> command:<\/p>\n\n\n\n
$ sestatus\nSELinux status:                 enabled\nSELinuxfs mount:                \/sys\/fs\/selinux\nSELinux root directory:         \/etc\/selinux\nLoaded policy name:             targeted\nCurrent mode:                   enforcing\n[...]<\/code><\/pre>\n\n\n\n
Look at labels and contexts<\/h2>\n\n\n\n
If you have a running Linux system, then you have an example of what SELinux requires for normal operation. You don’t have to learn about security contexts or memorize labels. For most anything you try to do on your computer, there are likely already files doing something similar. Use those files as templates.<\/p>\n\n\n\n
You can look at the security labels of any file you have access to by using the -Z<\/code> (that’s a capital Z) option of ls<\/code>:<\/p>\n\n\n\n
$ touch hello\n$ ls -Z hello \nunconfined_u:object_r:user_home_t:s0 hello<\/code><\/pre>\n\n\n\n
An empty file created by a user in the user’s own home directory has, as you might expect, a very specific security profile. Even with the executable bit set, that file would not be permitted to run as a systemwide service. It just doesn’t have the correct security context.<\/p>\n\n\n\n
If you use an ll<\/code> alias, try adding the -Z<\/code> option to its option list so you get used to seeing SELinux labels. The more you see what labels exist on your system, and how they relate to various system roles, you’re more likely to recognize when they’re wrong.<\/p>\n\n\n\n
Copy contexts<\/h2>\n\n\n\n
Suppose you were developing a custom SELinux service for your laptop. You’ve written a shell script, a service file, and you’ve placed them in the appropriate system locations. You’re also careful to set ownership and permissions correctly. But no matter what you do, you get errors when attempting to start the service.<\/p>\n\n\n\n
You suspect that SELinux might be preventing an unrecognized service from running. That would normally be appreciated, but in this case you want to make an exception.<\/p>\n\n\n\n
First, confirm that the service runs successfully with SELinux in Permissive mode:<\/p>\n\n\n\n
$ sudo setenforce Permissive\n$ sestatus | grep Current\nCurrent mode:                 permissive\n$ sudo systemctl start hello.service || echo \"fail\"\n$ \n$ sudo setenforce Enforcing<\/code><\/pre>\n\n\n\n
Then look at the files you’ve created using the -Z<\/code> and compare them with other files that you know to be working properly. Note the differences:<\/p>\n\n\n\n
$ ls -Z \/usr\/lib\/systemd\/system\/hello.service \nunconfined_u:object_r:systemd_unit_file_t:s0\n$ ls -Z \/usr\/lib\/systemd\/system\/rdisc.service \nsystem_u:object_r:rdisc_unit_file_t:s0<\/code><\/pre>\n\n\n\n
The working service (rdisc.service<\/code> in this example, chosen at random) features the system_u<\/code> label as well as a special rdisc_unit_file_t<\/code> label. Suppose you know from previous experience with ls -Z<\/code> that a common SELinux label for systemd service files is systemd_unit_file_t<\/code> so you ignore that difference. However, unconfined_u<\/code> and system_u<\/code> seem to be important.<\/p>\n\n\n\n
Use the chcon<\/code> (“change context”) command to change the security context of your service file:<\/p>\n\n\n\n
$ sudo chcon system_u:object_r:systemd_unit_file_t:s0 \\\n\/usr\/lib\/systemd\/system\/hello.service \n\n$ ls -Z \/usr\/lib\/systemd\/system\/hello.service \nsystem_u:object_r:systemd_unit_file_t:s0<\/code><\/pre>\n\n\n\n
Your systemd service is probably triggering some executable file on your system. If you created that yourself, it probably also has the incorrect security context. Comparing it to a known working script:<\/p>\n\n\n\n
$ ls -Z \/usr\/bin\/example.sh \nunconfined_u:object_r:gconf_home_t:s0\n$ ls -Z \/usr\/bin\/brltty-prologue.sh\nsystem_u:object_r:bin_t:s0<\/code><\/pre>\n\n\n\n
Again, there’s one obvious difference, which you can correct with chcon<\/code>:<\/p>\n\n\n\n
$ chcon system_u:object_r:bin_t:s0 \\\n\/usr\/bin\/example.sh <\/code><\/pre>\n\n\n\n
Remember the foundations of Linux<\/h2>\n\n\n\n
By accident or by design, one of the foundational principles of Linux is that you can learn Linux by exploring your Linux system. This holds true whether you’re reading source code, reading FAQs buried in a documentation folder, or just compulsively looking at security labels. After you get to know what Linux looks like when it’s working, it’s easy to spot problems when something’s not working. Use the -Z<\/code> option with ls<\/code> or ll<\/code>, and start getting used to what SELinux expects. The next time something fails and you suspect SELinux, think of files that fill a similar role to what you’re trying to do, and check you work.<\/p>\n","protected":false},"excerpt":{"rendered":"
SELinux is a security subsystem that works to prevent files and code from running from places they don’t<\/p>\n","protected":false},"author":31,"featured_media":2700,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,75],"tags":[722],"class_list":["post-9709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-security","tag-selinux"],"modified_by":"Seth Kenlon","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/9709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9709"}],"version-history":[{"count":3,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/9709\/revisions"}],"predecessor-version":[{"id":9730,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/9709\/revisions\/9730"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/2700"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}