🚧Linux SELinux Labs

🚧 Under Construction!!

🎯 Objective

Learn how SELinux works, how to manage policies, and how to troubleshoot denials using native Linux systems.

🧰 Prerequisites

Linux system with SELinux enabled (e.g., Fedora, RHEL, CentOS, Rocky Linux)
Root or sudo access
Basic Linux command-line knowledge

🛠️ Confirm SELinux is enabled

sestatus

✅ Expected Output:

SELinux status:                 enabled
Current mode:                   enforcing

🔹 Lab 1: View SELinux Contexts

1.1 Check the context of files and processes

ls -Z /etc/passwd
ps -eZ | grep sshd

✅ Expected: SELinux contexts like system_u:object_r:etc_t:s0.

🔹 Lab 2: Switch to Permissive Mode

2.1 Temporarily set SELinux to permissive

sudo setenforce 0
getenforce

✅ SELinux logs denials but does not block access.

2.2 Set it back to enforcing

sudo setenforce 1
getenforce

🔹 Lab 3: Create a Policy Violation and Examine Logs

3.1 Create a file and change its context

echo "secret" > /tmp/secret.txt
sudo chcon -t httpd_sys_content_t /tmp/secret.txt
ls -Z /tmp/secret.txt

3.2 View denials (from a non-httpd process context)

sudo ausearch -m AVC,USER_AVC -ts recent

✅ SELinux should block improper access attempts.

🔹 Lab 4: Restore Default SELinux Contexts

4.1 Reset file label using `restorecon`

sudo restorecon -v /tmp/secret.txt

✅ Expected: File context is restored to default.

🔹 Lab 5: View and Use Boolean Flags

5.1 List SELinux booleans

getsebool -a | grep ftp

5.2 Enable boolean for FTP access

sudo setsebool -P ftp_home_dir 1
getsebool ftp_home_dir

✅ Allows FTP daemons to access user home directories.

🔹 Lab 6: Analyze and Troubleshoot SELinux Denials

6.1 Analyze recent denials

sudo ausearch -m AVC -ts recent | audit2why

✅ Expected: Explanation of SELinux blocks.

6.2 Create and apply a custom policy (optional)

sudo ausearch -m AVC -ts recent | audit2allow -M mypol
sudo semodule -i mypol.pp

✅ Creates and loads a custom module to allow specific actions.

✅ Wrap-Up

You viewed SELinux labels and processes.
You worked with permissive and enforcing modes.
You restored contexts and managed booleans.
You analyzed and handled policy violations with custom rules.

PreviousLinux AppArmor Labs NextLinux Seccomp Labs

Last updated 10 months ago

hashtag🎯 Objective

hashtag🧰 Prerequisites

hashtag🛠️ Confirm SELinux is enabled

hashtag🔹 Lab 1: View SELinux Contexts

hashtag1.1 Check the context of files and processes

hashtag🔹 Lab 2: Switch to Permissive Mode

hashtag2.1 Temporarily set SELinux to permissive

hashtag2.2 Set it back to enforcing

hashtag🔹 Lab 3: Create a Policy Violation and Examine Logs

hashtag3.1 Create a file and change its context

hashtag3.2 View denials (from a non-httpd process context)

hashtag🔹 Lab 4: Restore Default SELinux Contexts

hashtag4.1 Reset file label using restorecon

hashtag🔹 Lab 5: View and Use Boolean Flags

hashtag5.1 List SELinux booleans

hashtag5.2 Enable boolean for FTP access

hashtag🔹 Lab 6: Analyze and Troubleshoot SELinux Denials

hashtag6.1 Analyze recent denials

hashtag6.2 Create and apply a custom policy (optional)

hashtag✅ Wrap-Up