{"id":13752,"date":"2025-12-16T14:39:59","date_gmt":"2025-12-16T09:09:59","guid":{"rendered":"https:\/\/www.youstable.com\/blog\/?p=13752"},"modified":"2025-12-24T16:13:54","modified_gmt":"2025-12-24T10:43:54","slug":"optimize-selinux-on-linux","status":"publish","type":"post","link":"https:\/\/www.youstable.com\/blog\/optimize-selinux-on-linux","title":{"rendered":"How to Optimize SELinux on Linux Server for Better Security"},"content":{"rendered":"\n<p>To optimize SELinux on a Linux server, keep it in enforcing mode and remove friction by fixing labels, enabling the right booleans, and creating minimal, audited policy modules. Use tools like semanage, restorecon, setsebool, ausearch, sealert, and audit2allow to tune access precisely, reduce false denials, and maintain strong security with negligible performance impact.<\/p>\n\n\n\n<p>Optimizing SELinux on a Linux server means tuning policy, labels, and booleans so applications work smoothly while SELinux continues to enforce strong mandatory access control. In this guide, you\u2019ll learn practical, step-by-step methods we use in production <a href=\"https:\/\/www.youstable.com\/blog\/create-a-custom-hosting-environment-with-a-dedicated-server\/\">hosting environments<\/a> to make SELinux secure, quiet, and fast\u2014without resorting to permissive or disabled mode.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"what-selinux-is-and-why-you-should-optimize-it\"><strong>What SELinux Is (And Why You Should Optimize It)<\/strong><\/h2>\n\n\n\n<p>SELinux (Security-Enhanced Linux) applies mandatory access control using type enforcement, roles, and levels. Every process and file has a label (context) like <code>httpd_t<\/code> or <code>httpd_sys_content_t<\/code>. Policy rules decide which process types may access which file and object types. 
Optimization is not about turning SELinux off; it\u2019s about aligning labels, booleans, and policy with your workload so denials stop and security stays intact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"quick-health-check-is-selinux-helping-or-hindering\"><strong>Quick Health Check: Is SELinux Helping Or Hindering?<\/strong><\/h2>\n\n\n\n<p>First, validate mode, denials, and policy. This shows where to tune without compromising protections.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Check mode and policy\ngetenforce\nsestatus\n\n# See recent AVC denials (RHEL\/CentOS\/Fedora); --raw gives aureport parseable input\nausearch -m avc -ts recent --raw | aureport -a\njournalctl -t setroubleshoot -S -2h\n\n# Install helpful tools (RHEL\/Fedora)\ndnf install -y setroubleshoot setroubleshoot-server policycoreutils-python-utils\n\n# On Debian-based systems (AppArmor is the default, but SELinux is available)\napt install selinux-basics selinux-policy-default auditd<\/code><\/pre>\n\n\n\n<p>If a specific service fails, do a scoped test instead of disabling SELinux globally:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Temporarily make only this service domain permissive (safer than global permissive mode)\nsemanage permissive -a httpd_t   # Example for Apache\n# Later revert\nsemanage permissive -d httpd_t<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"best-practice-baseline-for-production\"><strong>Best-Practice Baseline For Production<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run in enforcing mode with the default \u201ctargeted\u201d policy.<\/li>\n\n\n\n<li>Keep policy packages updated (security fixes and improved rules).<\/li>\n\n\n\n<li>Install setroubleshoot and auditd for readable diagnostics.<\/li>\n\n\n\n<li>Fix labels before writing new policy; policy last, not first.<\/li>\n\n\n\n<li>Use booleans rather than custom rules when available.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" 
id=\"tune-with-selinux-booleans-safest-first\"><strong>Tune With SELinux Booleans (Safest First)<\/strong><\/h2>\n\n\n\n<p>Booleans toggle common access patterns (e.g., letting <a href=\"https:\/\/www.youstable.com\/blog\/install-apache-web-server-in-linux\/\">web servers<\/a> make network calls). They are safe, documented, and persist with <code>-P<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># List booleans and current values\ngetsebool -a | grep httpd\n\n# Allow Apache\/NGINX to connect out (APIs, upstreams)\nsetsebool -P httpd_can_network_connect on\n\n# Allow web apps to talk to databases\nsetsebool -P httpd_can_network_connect_db on\n\n# Common virtualization and storage booleans\nsetsebool -P virt_use_nfs on\nsetsebool -P virt_use_samba on\n\n# DNS server writes master zones\nsetsebool -P named_write_master_zones on<\/code><\/pre>\n\n\n\n<p>Other frequently used booleans include <code>samba_export_all_rw<\/code>, <code>ftp_home_dir<\/code>, <code>ssh_sysadm_login<\/code>, and <code>mysql_connect_any<\/code>. Always check if a boolean already solves the denial before creating custom rules.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"correct-file-directory-and-port-labeling\"><strong>Correct File, Directory, And Port Labeling<\/strong><\/h2>\n\n\n\n<p>Most \u201cmystery\u201d denials are label mismatches. 
Ensure files and ports have the expected types for their services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"persistent-file-contexts\"><strong>Persistent File Contexts<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Example: custom web root for Apache\/NGINX\nsemanage fcontext -a -t httpd_sys_content_t \"\/srv\/www(\/.*)?\"\nrestorecon -Rv \/srv\/www\n\n# Writable app uploads\nsemanage fcontext -a -t httpd_sys_rw_content_t \"\/srv\/www\/uploads(\/.*)?\"\nrestorecon -Rv \/srv\/www\/uploads\n\n# Avoid chcon for long-term changes; use semanage + restorecon for persistence<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"custom-service-ports\"><strong>Custom Service Ports<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Allow web server on port 8080\n# If the port already has a type (8080 is http_cache_port_t in the targeted policy), use -m instead of -a\nsemanage port -a -t http_port_t -p tcp 8080\n\n# PostgreSQL on 5433\nsemanage port -a -t postgresql_port_t -p tcp 5433<\/code><\/pre>\n\n\n\n<p>Never leave services bound to ports labeled <code>unreserved_port_t<\/code>; assign the right type so the policy knows which domain may connect.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"handle-avc-denials-efficiently-audit2allow-the-right-way\"><strong>Handle AVC Denials Efficiently (audit2allow The Right Way)<\/strong><\/h2>\n\n\n\n<p>AVC denials tell you what SELinux blocked. Read them, fix labels or booleans, and only then create minimal rules if needed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Human-readable reports\nsealert -a \/var\/log\/audit\/audit.log | less\n\n# Find denials for a service (--raw gives aureport parseable input)\nausearch -m avc -c httpd --raw | aureport -a\n\n# Generate a minimal policy module from recent denials\nausearch -m avc -ts recent | audit2allow -M myapp_selinux\n# Review myapp_selinux.te before installing the compiled module\nsemodule -i myapp_selinux.pp<\/code><\/pre>\n\n\n\n<p>Review generated rules carefully. 
Overly broad allows (e.g., permitting <code>httpd_t<\/code> to read <code>var_t<\/code> everywhere) weaken your security. Prefer re-labeling files to <code>httpd_sys_content_t<\/code> or enabling a boolean rather than creating blanket allows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"systemd-temp-files-and-auto-relabeling\"><strong>Systemd, Temp Files, And Auto-Relabeling<\/strong><\/h2>\n\n\n\n<p>Some files are created at runtime. Use systemd and tmpfiles rules to preserve correct labels.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># In the [Service] section of the unit file: relabel the directory before the service starts\nExecStartPre=\/sbin\/restorecon -R \/var\/lib\/myapp\n\n# \/etc\/tmpfiles.d\/myapp.conf example (Z recurses, z does not)\n# Type Path                 Mode UID  GID  Age Argument\nd     \/var\/run\/myapp        0755 myapp myapp -\nZ     \/var\/run\/myapp        -    -    -    -<\/code><\/pre>\n\n\n\n<p>If labels are widely incorrect (filesystem moved, new policy), trigger a full relabel:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>touch \/.autorelabel\nreboot<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"containers-docker-podman-kubernetes-with-selinux\"><strong>Containers: Docker\/Podman\/Kubernetes With SELinux<\/strong><\/h2>\n\n\n\n<p>Containers use MCS labels to isolate workloads. 
Correct volume labels and installed <a href=\"https:\/\/www.youstable.com\/blog\/install-selinux-on-linux\/\">container SELinux policies<\/a> prevent noisy denials.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Install container policies (RHEL\/Fedora)\ndnf install -y container-selinux\n\n# Label shared host paths for containers\n# :Z gives a private label (exclusive), :z is shared (multiple containers)\npodman run -v \/data\/app:\/var\/www\/html:Z -d nginx\ndocker run -v \/data\/shared:\/shared:z -d busybox\n\n# Avoid --privileged or label=disable unless absolutely necessary<\/code><\/pre>\n\n\n\n<p>For Kubernetes (CRI-O\/Podman), keep SELinux enabled on hosts. Use persistent volumes with correct contexts (<code>container_file_t<\/code> or automatically assigned via :Z\/:z) to avoid permission issues.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"practical-tuning-examples\"><strong>Practical Tuning Examples<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"apache-nginx-serving-a-custom-docroot-with-uploads\"><strong>Apache\/NGINX Serving A Custom Docroot With Uploads<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Content and uploads\nsemanage fcontext -a -t httpd_sys_content_t \"\/srv\/www\/public(\/.*)?\"\nsemanage fcontext -a -t httpd_sys_rw_content_t \"\/srv\/www\/public\/uploads(\/.*)?\"\nrestorecon -Rv \/srv\/www\/public\n\n# Outbound API and DB connections\nsetsebool -P httpd_can_network_connect on\nsetsebool -P httpd_can_network_connect_db on<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"django-app-talking-to-postgresql-on-non-default-port\"><strong>Django App Talking To PostgreSQL On Non-Default Port<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Allow PostgreSQL on 5433\nsemanage port -a -t postgresql_port_t -p tcp 5433\n\n# If served by gunicorn under httpd_t (via mod_proxy)\nsetsebool -P httpd_can_network_connect on\n\n# 
Log any remaining denials and adjust labels\/policy minimally\nausearch -m avc -ts recent -c httpd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"mariadb-data-directory-moved\"><strong>MariaDB Data Directory Moved<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop mariadb\nsemanage fcontext -a -t mysqld_db_t \"\/data\/mysql(\/.*)?\"\nrestorecon -Rv \/data\/mysql\nsystemctl start mariadb<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"performance-considerations-selinux-overhead-in-practice\"><strong>Performance Considerations: SELinux Overhead In Practice<\/strong><\/h2>\n\n\n\n<p>Modern SELinux adds negligible overhead (typically sub-1% in web\/database workloads). Big slowdowns are usually mislabels causing retries or blocked I\/O. Measure before and after with realistic load tests:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Basic throughput check with and without specific policy changes\nwrk -t8 -c256 -d60s http:\/\/app\/\n# pgrep -d, joins all httpd PIDs with commas, the list form perf -p accepts\nperf stat -d -d -d -p \"$(pgrep -d, httpd)\" -- sleep 30\n\n# Count AVC records logged during the test\nausearch -m avc -ts recent --raw | grep -c '^type=AVC'<\/code><\/pre>\n\n\n\n<p>If AVC counts drop after labeling and booleans, your \u201cperformance issue\u201d was policy friction, not SELinux overhead.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"hardening-and-automation-ansible-scap\"><strong>Hardening And Automation (Ansible, SCAP)<\/strong><\/h2>\n\n\n\n<p>Codify SELinux tuning to keep environments consistent across servers and rebuilds.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ansible: use modules like <code>seboolean<\/code>, <code>sefcontext<\/code>, and <code>selinux<\/code> to enforce booleans, file contexts, and modes.<\/li>\n\n\n\n<li>SCAP\/Compliance: apply profiles from <code>scap-security-guide<\/code> to check SELinux status and required booleans.<\/li>\n\n\n\n<li>CI\/CD: validate labels during deploys and run 
<code>restorecon<\/code> in hooks where apps create paths at runtime.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Example Ansible tasks\n- name: Ensure SELinux enforcing\n  ansible.posix.selinux:\n    policy: targeted\n    state: enforcing\n\n- name: Allow httpd outbound\n  ansible.posix.seboolean:\n    name: httpd_can_network_connect\n    state: true\n    persistent: true\n\n- name: Label uploads\n  community.general.sefcontext:\n    target: \"\/srv\/www\/public\/uploads(\/.*)?\"\n    setype: httpd_sys_rw_content_t\n    state: present<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"troubleshooting-checklist\"><strong>Troubleshooting Checklist<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm mode: <code>getenforce<\/code> should be Enforcing.<\/li>\n\n\n\n<li>Reproduce once, then check denials: <code>ausearch -m avc -ts recent<\/code>.<\/li>\n\n\n\n<li>Fix labels first: <code>semanage fcontext<\/code> + <code>restorecon<\/code>.<\/li>\n\n\n\n<li>Check booleans: <code>getsebool -a | grep &lt;service><\/code>.<\/li>\n\n\n\n<li>If still failing, generate a minimal module with <code>audit2allow<\/code>, review, and install with <code>semodule<\/code>.<\/li>\n\n\n\n<li>For runtime files, add tmpfiles.d or <code>ExecStartPre=restorecon<\/code>.<\/li>\n\n\n\n<li>For containers, use <code>:Z<\/code>\/<code>:z<\/code> on volumes and avoid <code>--privileged<\/code>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"common-mistakes-to-avoid\"><strong>Common Mistakes To Avoid<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disabling SELinux globally to \u201cfix\u201d app issues.<\/li>\n\n\n\n<li>Using <code>chcon<\/code> without <code>semanage fcontext<\/code> (labels vanish on relabel).<\/li>\n\n\n\n<li>Allowing broad rules via <code>audit2allow<\/code> instead of correcting labels.<\/li>\n\n\n\n<li>Ignoring booleans that already solve the 
problem.<\/li>\n\n\n\n<li>Mounting container volumes without proper <code>:Z<\/code>\/<code>:z<\/code> labels.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"when-to-get-help\"><strong>When To Get Help<\/strong><\/h2>\n\n\n\n<p>If you run revenue-critical workloads or don\u2019t have in-house SELinux expertise, a managed approach saves time and risk. At YouStable, our managed servers ship with SELinux in enforcing mode, tuned for common stacks (LAMP\/LEMP, Node.js, containers). We troubleshoot AVCs, write minimal policy modules, and bake changes into your automation so they survive updates.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" class=\"wp-block-heading\" id=\"faqs-optimize-selinux-on-linux\"><strong>FAQs: Optimize SELinux on Linux <\/strong><\/h2>\n\n\n\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"is-selinux-slowing-down-my-server\">Is SELinux slowing down my server?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>In modern kernels and policies, SELinux overhead is typically under 1% for web and database workloads. Perceived slowness usually comes from mislabeling and repeated denials. Fix labels and booleans, then benchmark again. Use <code>ausearch -m avc<\/code> to confirm denials drop during load tests.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"should-i-use-enforcing-permissive-or-disabled\">Should I use Enforcing, Permissive, or Disabled?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Use Enforcing in production. Permissive is for short, targeted troubleshooting (or making a specific domain permissive). 
Avoid Disabled; it removes a powerful security layer and makes future re-enablement painful due to unlabeled files and untested policies.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"how-do-i-let-apache-nginx-connect-to-a-remote-database\">How do I let Apache\/NGINX connect to a remote database?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Enable the appropriate booleans and ensure port labeling is correct. For example: <code>setsebool -P httpd_can_network_connect on<\/code> and <code>setsebool -P httpd_can_network_connect_db on<\/code>. If the DB listens on a non-default port, set its type with <code>semanage port<\/code>.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"i-set-777-permissions-but-still-get-permission-denied-why\">I set 777 permissions, but still get \u201cPermission denied.\u201d Why?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>UNIX permissions can allow access while SELinux still denies it due to wrong labels. Check the context with <code>ls -Z<\/code>. Fix it using <code>semanage fcontext<\/code> and <code>restorecon<\/code> so the path has the correct SELinux type for the service domain.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section\t\thelp class=\"sc_fs_faq sc_card    \"\n\t\t\t\t>\n\t\t\t\t<h3 id=\"how-do-i-reset-all-selinux-labels-to-default\">How do I reset all SELinux labels to default?<\/h3>\t\t\t\t<div>\n\t\t\t\t\t\t<div class=\"sc_fs_faq__content\">\n\t\t\t\t\n\n<p>Create <code>\/.autorelabel<\/code> and reboot. The system will relabel according to current policy. For specific paths, use <code>restorecon -Rv &lt;path><\/code>. 
Ensure the right rules exist with <code>semanage fcontext<\/code> so your labels persist after relabeling.<\/p>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<\/section>\n\t\t\n","protected":false},"excerpt":{"rendered":"<p>To optimize SELinux on Linux server, keep it in enforcing mode and remove friction by fixing labels, enabling the right 
[&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":14078,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[350],"tags":[2141,2167],"class_list":["post-13752","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase","tag-linux-server","tag-optimize-selinux-on-linux"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Optimize-SELinux-on-Linux-Server.jpg","author_info":{"display_name":"Prahlad 
Prajapati","author_link":"https:\/\/www.youstable.com\/blog\/author\/prahladblog"}}