Oracle Linux Basic Administration Series - Part 13 - How to Set Up and Manage SELinux for Security in Oracle Linux
- Jason Beattie
- 19 hours ago
- 2 min read
SELinux is a mandatory access control layer built into Oracle Linux. It enforces a policy that limits what each process may do regardless of ordinary file permissions, so a compromised service, or a shell an attacker has obtained, stays confined to what its label allows.
While firewalld controls which network connections reach the host, SELinux controls what processes may do to files, ports, and other processes once they are running.
In this blog, you’ll learn how to:
Understand SELinux concepts and modes
Check SELinux status
Change and manage modes
Work with contexts and troubleshoot access issues
Step 1: Check SELinux Status
To check whether SELinux is enabled and what mode it’s running in:
sestatus
Step 2: Understanding SELinux Modes
SELinux can operate in three modes:
- Enforcing: the policy is applied; denied actions are blocked and logged. This is the default and the mode you want in production.
- Permissive: the policy is not applied; actions that would have been denied are only logged. Useful for troubleshooting, because you see every denial without breaking the service.
- Disabled: no policy is loaded and new files are not labelled, so returning to enforcing later requires a full filesystem relabel.
Step 3: Temporarily Change the SELinux Mode
You can switch between enforcing and permissive without rebooting; the change lasts only until the next restart, and it is not possible while SELinux is disabled.
Set to permissive mode (for troubleshooting; denials are still logged, just not blocked):
sudo setenforce 0
Set back to enforcing:
sudo setenforce 1
Verify:
getenforce
Step 4: Permanently Change SELinux Mode
Edit the configuration file:
sudo vi /etc/selinux/config
Look for the line:
SELINUX=enforcing
Change it to:
SELINUX=permissive
or
SELINUX=disabled
Two caveats before you pick disabled: on Oracle Linux 9 setting SELINUX=disabled in this file is deprecated in favour of the selinux=0 kernel argument (set with grubby), and a system that has run disabled must be relabelled before it can enforce again (create the /.autorelabel file and reboot; the relabel adds several minutes to that boot).
Save and reboot for the change to take effect:
sudo reboot
Step 5: Understanding SELinux Contexts
Every file, directory, process, and port carries a security context of the form user:role:type:level. Most rules in the default (targeted) policy match on the type, which is why troubleshooting usually comes down to the type field.
View a file's SELinux context:
ls -Z /var/
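Steps 3 and 4 as one script, added here and not part of the original post: it changes the persistent mode with validation and a read-back check instead of editing the file by hand. The config path is a parameter (pass /etc/selinux/config as root for the real thing); the built-in demo works on a constructed scratch copy of the stock file, so it can be tried without root. It assumes GNU sed for in-place editing.

```shell
#!/bin/sh
# Added example, not from the original post: change the persistent SELinux
# mode in a config file with validation and a read-back check.
# Assumes GNU sed (sed -i). The demo never touches /etc.
set -eu

# Print the effective SELINUX= value from a config file, ignoring comments
# (SELINUXTYPE= does not match because "=" must follow SELINUX directly).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX=<mode>. Refuses anything but the three real modes, does
# nothing if the mode is already set, keeps a .bak copy, and fails if the
# read-back does not match what was requested.
set_selinux_config_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 2 ;;
    esac
    if [ "$(selinux_config_mode "$file")" = "$mode" ]; then
        echo "$file already has SELINUX=$mode"
        return 0
    fi
    cp -p "$file" "$file.bak"
    sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

# Demo on a constructed copy of the stock config file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    echo "before: $(selinux_config_mode "$tmp")"
    set_selinux_config_mode "$tmp" permissive
    echo "after:  $(selinux_config_mode "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}

# Usage: sh selinux-mode.sh                                   (runs the demo)
#        sudo sh selinux-mode.sh /etc/selinux/config permissive
if [ $# -eq 2 ]; then
    set_selinux_config_mode "$1" "$2"
else
    demo
fi
```

The read-back at the end of set_selinux_config_mode is the part worth keeping even if you script this differently: a typo in the mode name, or a second SELINUX= line further down the file, silently leaves the system in a mode you did not intend, and you only find out after the reboot.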
Step 6: Adjust File Contexts
If you copy files into a directory they pick up the default label for that location, but if you move them with mv they keep the label they already had. Files moved into a web root from a home directory therefore still carry user_home_t, and httpd is not allowed to serve them. To fix this, apply the correct context.
Restore the default context the policy defines for everything under a path:
sudo restorecon -Rv /var/
Assign a context type to a path persistently. The pattern must cover the directory and everything below it; the example here is a custom web root at /srv/www (an example path; keep the pattern narrow, because labelling all of /var as web content would relabel logs and databases too):
sudo semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
sudo restorecon -Rv /srv/www
Step 7: Manage Port Access
To view which ports SELinux allows for a service:
sudo semanage port -l | grep http
To add a new allowed port (e.g., 8081 for HTTP):
sudo semanage port -a -t http_port_t -p tcp 8081
If this fails with "already defined", the port belongs to another type (8080, for example, is http_cache_port_t by default); use -m instead of -a to reassign it. If semanage itself is missing, it comes from the policycoreutils-python-utils package.
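Steps 6 and 7 together as a script, added here and not part of the original post: it labels a custom web root and allows an extra HTTP port, handling the "already defined" cases the one-liners trip over and reading the port table back afterwards. The web root /srv/www and port 8081 are example values; the helper that parses semanage port -l output works on its own and is the only part that runs without root.

```shell
#!/bin/sh
# Added example, not from the original post: label a custom web root and
# allow an extra HTTP port, with the checks the one-liners skip.
# Example values: /srv/www and 8081. Run as root for the semanage calls.
set -eu

# Build the regex "semanage fcontext" expects: the directory itself plus
# everything below it, with any trailing slash removed first.
fcontext_pattern() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# Read "semanage port -l" output on stdin; succeed if tcp PORT is listed
# under TYPE, either directly or inside a range such as 10001-10010.
port_listed_in() {
    awk -v t="$1" -v p="$2" '
        $1 == t && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)
                if ($i == p) found = 1
                if (split($i, r, "-") == 2 && r[1] + 0 <= p + 0 && p + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit !found }'
}

# Record the label rule persistently (-a adds it, -m updates an existing
# rule for the same pattern), then relabel so the rule takes effect.
label_web_root() {
    pattern=$(fcontext_pattern "$1")
    semanage fcontext -a -t httpd_sys_content_t "$pattern" 2>/dev/null \
        || semanage fcontext -m -t httpd_sys_content_t "$pattern"
    restorecon -Rv "$1"
}

# Allow tcp PORT for httpd. "-a" fails when the port already belongs to
# another type (8080 is http_cache_port_t by default); "-m" reassigns it.
allow_http_port() {
    if semanage port -l | port_listed_in http_port_t "$1"; then
        echo "tcp/$1 is already allowed for http_port_t"
        return 0
    fi
    semanage port -a -t http_port_t -p tcp "$1" 2>/dev/null \
        || semanage port -m -t http_port_t -p tcp "$1"
    # Read back: the port must now be listed under http_port_t.
    semanage port -l | port_listed_in http_port_t "$1"
}

# Usage: sudo sh web-root.sh /srv/www 8081
if [ $# -eq 2 ]; then
    label_web_root "$1"
    allow_http_port "$2"
    ls -Zd "$1"
fi
```

Reassigning a port with -m is the right fix when the port was yours all along (8080 was only ever going to be served by httpd), but it takes the port away from whatever type owned it, so check the semanage port -l output first and prefer a port that is not yet defined when you have the choice.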
Step 8: View and Analyze SELinux Denials
When SELinux blocks an action, the audit daemon records an AVC (access vector cache) message in:
/var/log/audit/audit.log
View recent denials:
sudo grep denied /var/log/audit/audit.log | tail
To search the audit trail by record type and time instead of grepping the raw file:
sudo ausearch -m avc -ts recent
Pipe that output into audit2why to get a one-line explanation of each denial and whether an SELinux boolean would allow it. In permissive mode the same records are still written (marked permissive=1), so you can collect the complete list of denials without breaking the service.
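The raw records are noisy; what you want to know is which command, running as which type, was denied which permission on which type. The script below, added here and not part of the original post, condenses AVC records into that summary. The audit lines it ships with are constructed samples in audit.log format (two file reads denied because the files kept a user_home_t label after being moved into the web root, one connect to an unlabelled port, and one non-AVC record to show the filtering); pass - to read the live trail from stdin instead.

```shell
#!/bin/sh
# Added example, not from the original post: summarise AVC denials by
# (command, source type, permissions, target type, class) with a count.
# Run on the built-in constructed sample (no args) or on the live trail:
#   sudo ausearch -m avc -ts recent | sh avc-summary.sh -
set -eu

# One line per distinct denial shape, most frequent first.
avc_summary() {
    awk '
        /type=AVC/ && /denied/ {
            comm = sctx = tctx = cls = perm = "?"
            if (match($0, /comm="[^"]*"/))   comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /scontext=[^ ]*/)) sctx = substr($0, RSTART + 9, RLENGTH - 9)
            if (match($0, /tcontext=[^ ]*/)) tctx = substr($0, RSTART + 9, RLENGTH - 9)
            if (match($0, /tclass=[^ ]*/))   cls  = substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, /\{ [^}]* \}/))    perm = substr($0, RSTART + 2, RLENGTH - 4)
            # Keep only the type (third field) of user:role:type:level labels.
            split(sctx, s, ":"); split(tctx, t, ":")
            count[comm "\t" s[3] "\t" perm "\t" t[3] "\t" cls]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample records in audit.log format (not taken from a real host).
SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

case "${1:-demo}" in
    demo) printf '%s\n' "$SAMPLE" | avc_summary ;;
    -)    avc_summary ;;
    *)    echo "usage: $0 [-]" >&2; exit 2 ;;
esac
```

On the sample this prints two lines: httpd_t denied read on user_home_t files twice, and httpd_t denied name_connect on unreserved_port_t once. Each line maps directly onto a fix from the earlier steps: the first is a label problem (restorecon or a semanage fcontext rule, Step 6), the second is a port problem (semanage port, Step 7). Neither calls for setenforce 0.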
Conclusion
You’ve learned how to check, configure, and troubleshoot SELinux on Oracle Linux. SELinux enforces least privilege at the process level and is one of the strongest security controls available on Linux, which is why the answer to a denial should be a label, a boolean, or a port rule rather than setenforce 0 left in place.
In the next post, we’ll learn how to manage system logs using journalctl and rsyslog, a key skill for monitoring and troubleshooting your systems.