To configure SELinux on a Linux server, verify its status, select the correct mode (Enforcing, Permissive), and make permanent settings in \/etc\/selinux\/config. Then label files and ports with semanage, enable required booleans via setsebool -P, and troubleshoot AVC denials using ausearch, sealert, and audit2allow to refine policy safely.<\/p>\n\n\n\n
Learning how to configure SELinux on Linux server systems is essential for hardening production workloads in 2026. SELinux enforces mandatory access control to contain breaches, limit lateral movement, and reduce zero-day impact. This beginner-friendly guide<\/a> walks you through modes, policies, labeling, booleans, ports, and step-by-step troubleshooting\u2014backed by real-world hosting experience.<\/p>\n\n\n\n Security-Enhanced Linux (SELinux) is a kernel-level security framework that applies mandatory access control (MAC). Instead of relying only on traditional UNIX permissions, SELinux policies<\/a> define which processes (types) can access which resources (files, sockets, ports) and how. When configured correctly, it dramatically reduces the blast radius of exploits.<\/p>\n\n\n\n Key concepts you\u2019ll use frequently:<\/strong><\/p>\n\n\n\n SELinux ships by default on RHEL, Rocky Linux, AlmaLinux, CentOS Stream, and Fedora. Debian supports SELinux (optional) but Ubuntu uses AppArmor by default. Ensure these packages:<\/p>\n\n\n\n You need sudo\/root access. In production, schedule a maintenance window before switching modes.<\/p>\n\n\n\n First confirm whether SELinux is enabled and which policy is loaded.<\/p>\n\n\n\n getenforce prints Enforcing, Permissive, or Disabled. sestatus shows policy type (usually targeted) and mount points.<\/p>\n\n\n\n Use Permissive while testing, then switch to Enforcing once logs show no critical denials.<\/p>\n\n\n\n Avoid disabling SELinux in production. If you must relax rules for a specific domain, consider per-domain permissive mode instead.<\/p>\n\n\n\n Ensure you have the default targeted policy and admin tools installed.<\/p>\n\n\n\n Enable and start auditd to capture detailed AVC (Access Vector Cache) denials.<\/p>\n\n\n\n SELinux relies on file labels (contexts). Always prefer persistent labeling with semanage fcontext, then restorecon to apply. Avoid chcon except for quick tests.<\/p>\n\n\n\n Use httpd_sys_rw_content_t only for directories the web server must write to (uploads, cache), never for your entire document root.<\/p>\n\n\n\n If a service binds to a custom port, assign the proper SELinux port type with semanage port.<\/p>\n\n\n\n Common types include http_port_t (web), ssh_port_t (SSH), mysqld_port_t (MySQL\/MariaDB), and smtp_port_t (mail).<\/p>\n\n\n\n Booleans toggle optional permissions for services. Persist changes with -P so they survive reboots.<\/p>\n\n\n\n Search for service-specific booleans (e.g., for NFS, FTP, virtualization) and enable only what you need.<\/p>\n\n\n\n When SELinux blocks access, it logs an AVC denial. Use these tools to pinpoint root cause.<\/p>\n\n\n\n If you must permit a legitimate action not covered by policy, generate a minimal custom module. Review carefully before loading.<\/p>\n\n\n\n Prefer fixing labels, ports, and booleans first; policy modules are a last resort for well-understood, legitimate needs.<\/p>\n\n\n\n Instead of disabling SELinux globally, set only the troublesome domain to permissive while you investigate.<\/p>\n\n\n\n On SELinux-enabled hosts, mount volumes with proper labels. The :z option shares a label across containers; :Z gives a private label per container.<\/p>\n\n\n\nWhat Is SELinux and Why It Matters<\/strong><\/h2>\n\n\n\n
\n
Prerequisites and Supported Distributions (2026)<\/strong><\/h2>\n\n\n\n
\n
How to Configure SELinux on Linux Server (Step-by-Step Guide 2026)<\/strong><\/h2>\n\n\n\n
1) Check SELinux Status and Mode<\/strong><\/h3>\n\n\n\n
getenforce\nsestatus<\/code><\/pre>\n\n\n\n2) Switch Modes: Temporary vs. Permanent<\/strong><\/h3>\n\n\n\n
# Temporary (no reboot required)\nsudo setenforce 0 # Permissive\nsudo setenforce 1 # Enforcing\n\n# Permanent (persist across reboots)\nsudo sed -i 's\/^SELINUX=.*\/SELINUX=enforcing\/' \/etc\/selinux\/config\n# or set permissive permanently:\n# sudo sed -i 's\/^SELINUX=.*\/SELINUX=permissive\/' \/etc\/selinux\/config<\/code><\/pre>\n\n\n\n3) Confirm Policy and Install Tooling<\/strong><\/h3>\n\n\n\n
# RHEL\/Rocky\/Alma\/Fedora\nsudo dnf install -y policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted setools-console setroubleshoot-server audit\n\n# Debian\nsudo apt-get update\nsudo apt-get install -y selinux-basics selinux-policy-default policycoreutils setools setools-console auditd selinux-utils<\/code><\/pre>\n\n\n\nsudo systemctl enable --now auditd<\/code><\/pre>\n\n\n\n4) Label Files Correctly (Persistent vs. Temporary)<\/strong><\/h3>\n\n\n\n
# Example: Host a website from \/srv\/www\/myapp\n# 1) Persistently map path to an SELinux type\nsudo semanage fcontext -a -t httpd_sys_content_t \"\/srv\/www\/myapp(\/.*)?\"\n\n# 2) Apply the mapping to the filesystem\nsudo restorecon -Rv \/srv\/www\/myapp\n\n# Quick, temporary alternative (discouraged for long-term):\nsudo chcon -R -t httpd_sys_content_t \/srv\/www\/myapp<\/code><\/pre>\n\n\n\n5) Label Non-Standard Ports<\/strong><\/h3>\n\n\n\n
# NGINX\/Apache on TCP 8080\nsudo semanage port -a -t http_port_t -p tcp 8080\n# Verify\nsudo semanage port -l | grep http_port_t<\/code><\/pre>\n\n\n\n6) Enable Required SELinux Booleans<\/strong><\/h3>\n\n\n\n
# List httpd-related booleans\ngetsebool -a | grep httpd\n\n# Allow web apps to initiate network connections (APIs, Redis, etc.)\nsudo setsebool -P httpd_can_network_connect on\n\n# Allow serving user directories\nsudo setsebool -P httpd_enable_homedirs on\n\n# Allow sending mail from web apps\nsudo setsebool -P httpd_can_sendmail on<\/code><\/pre>\n\n\n\n7) Troubleshoot AVC Denials Like a Pro<\/strong><\/h3>\n\n\n\n
# Recent denials\nsudo ausearch -m AVC,USER_AVC -ts recent\n\n# Readable report (setroubleshoot)\nsudo sealert -a \/var\/log\/audit\/audit.log\n\n# Explain why it was denied\nsudo grep AVC \/var\/log\/audit\/audit.log | audit2why<\/code><\/pre>\n\n\n\n# Build a local policy module from recent denials\nsudo grep AVC \/var\/log\/audit\/audit.log | audit2allow -M mylocal\n\n# Load the module\nsudo semodule -i mylocal.pp\n\n# List installed modules\nsudo semodule -l<\/code><\/pre>\n\n\n\n8) Use Per-Domain Permissive Mode for Safer Testing<\/strong><\/h3>\n\n\n\n
# Make only httpd_t permissive (global mode remains Enforcing)\nsudo semanage permissive -a httpd_t\n\n# Revert later\nsudo semanage permissive -d httpd_t<\/code><\/pre>\n\n\n\nReal-World Examples (Web, Database, Containers)<\/strong><\/h2>\n\n\n\n
Example A: NGINX\/Apache on a Custom Document Root and Port<\/strong><\/h3>\n\n\n\n
# Custom docroot\nsudo semanage fcontext -a -t httpd_sys_content_t \"\/srv\/webapp\/public(\/.*)?\"\nsudo restorecon -Rv \/srv\/webapp\/public\n\n# Writable uploads directory\nsudo semanage fcontext -a -t httpd_sys_rw_content_t \"\/srv\/webapp\/public\/uploads(\/.*)?\"\nsudo restorecon -Rv \/srv\/webapp\/public\/uploads\n\n# Custom port 8080\nsudo semanage port -a -t http_port_t -p tcp 8080\n\n# Allow outbound API calls\nsudo setsebool -P httpd_can_network_connect on<\/code><\/pre>\n\n\n\nExample B: MariaDB Listening on a Non-Default Port<\/strong><\/h3>\n\n\n\n
# If MariaDB listens on 3307\nsudo semanage port -a -t mysqld_port_t -p tcp 3307\nsudo systemctl restart mariadb<\/code><\/pre>\n\n\n\nExample C: Containers with SELinux (Podman\/Docker)<\/strong><\/h3>\n\n\n\n
# Podman\/Docker with shared content label\npodman run -v \/srv\/data:\/data:z myimage\n\n# Private label per container\ndocker run -v \/srv\/data:\/data:Z myimage<\/code><\/pre>\n\n\n\n