Configure SELinux man pages

 2 years ago
source link: https://computingforgeeks.com/configure-selinux-man-pages/

SELinux man pages for the installed SELinux policy are not installed by default on RHEL 7 and CentOS 7. You have to install the necessary tools and generate the man pages yourself.

In this tutorial, I’ll take you through all the steps required to configure the SELinux environment and add man pages for easy reference and stress-free SELinux troubleshooting.
For a freshly installed CentOS 7, you can have a look at: Top Things to do after fresh installation of CentOS 7.x minimal

Enabling SELinux

To check whether SELinux is running, type the command below in the terminal:

[root@server1 ~]# getenforce 
 Enforcing

From the output above, you can see that my SELinux is running and enforcing all policy rules. I’ve permanently set up SELinux by editing /etc/selinux/config:

[root@server1 ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
 # disabled - No SELinux policy is loaded.
 SELINUX=enforcing
 # SELINUXTYPE= can take one of three two values:
 # targeted - Targeted processes are protected,
 # minimum - Modification of targeted policy. Only selected processes are protected. 
 # mls - Multi Level Security protection.
 SELINUXTYPE=targeted

If you want to permanently enable SELinux without manually editing the file, open a terminal window as the root user and type the command given below:

 [root@server1 ~]# sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config

You can enable automatic relabeling on next boot up by typing the command below:

[root@server1 ~]# touch /.autorelabel

Then reboot your system for the changes to be effective.

[root@server1 ~]# reboot

After a successful reboot, check the status of SELinux; it should be running in enforcing mode:

[root@server1 ~]# getenforce 
 Enforcing
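
The sed command above only matches SELINUX=disabled, so a host currently set to permissive is left unchanged. The following is an added example, not part of the original article: set_selinux_enforcing and needs_relabel are hypothetical helper names and the sample config is constructed. It rewrites the active SELINUX= line whatever its current value, verifies the result, and reports the previous mode so you know whether the /.autorelabel step is needed.

```bash
#!/usr/bin/env bash
# Added example: hypothetical helpers, not part of any SELinux package.

set_selinux_enforcing() {
    local cfg="${1:-/etc/selinux/config}"
    local prev tmp
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 2; }

    # Active (uncommented) SELINUX= line only; SELINUXTYPE= does not match.
    prev=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$prev" ] || { echo "no active SELINUX= line in $cfg" >&2; return 3; }

    # Anchored to line start so comment lines stay untouched. Writing the
    # result back with cat keeps the original inode, mode and label.
    tmp=$(mktemp)
    sed 's/^SELINUX=.*/SELINUX=enforcing/' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"

    # Verify the edit before reporting success.
    grep -qx 'SELINUX=enforcing' "$cfg" || return 1
    echo "$prev"
}

needs_relabel() {
    # Files created while SELinux was disabled carry no labels, so a
    # relabel is needed only when the previous mode was "disabled".
    [ "$1" = "disabled" ]
}

# Demo on a constructed sample config (not read from a real host).
demo_cfg=$(mktemp)
printf '%s\n' '# disabled - No SELinux policy is loaded.' \
    'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$demo_cfg"
prev=$(set_selinux_enforcing "$demo_cfg")
echo "previous mode: $prev"
if needs_relabel "$prev"; then
    echo "relabel required: touch /.autorelabel before rebooting"
else
    echo "no relabel required"
fi
rm -f "$demo_cfg"
```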

Installing necessary SELinux packages

Since SELinux is now able to enforce policy rules, let’s install packages that will help us administer SELinux efficiently.

  1. Install the setroubleshoot-server package.

– This package provides tools to help diagnose SELinux problems.
– When AVC messages are generated, an alert can be raised that gives information about the problem and helps track its resolution.
– To install it, type the command below:

[root@server1 ~]# yum install setroubleshoot-server -y

  2. The policycoreutils-python package contains the management tools used to manage an SELinux environment.

– If you installed setroubleshoot-server, it installs policycoreutils-python as a dependency, so you can skip this step if you installed the setroubleshoot-server package.

[root@server1 ~]# yum install policycoreutils-python

  3. Another package to install is policycoreutils-devel.

– The policycoreutils-devel package contains the management tools used to develop policy in an SELinux environment.
– This package helps us generate SELinux man pages.
– You can check which package provides sepolicy, the utility that generates the SELinux man pages; it is provided by the policycoreutils-devel package.

[root@server1 ~]# yum provides */sepolicy
[root@server1 ~]# yum install policycoreutils-devel

Now that you have all the required packages, let’s generate the SELinux man pages.

Generating SELinux man pages

The command sepolicy manpage is used to generate a man page based on the installed SELinux Policy.
– The common options available are:

-a, --all
    Generate Man Pages for All Domains
-d, --domain
    Generate a Man Page for the specified domain. (Supports multiple commands)
-h, --help
    Display help message
-p, --path
    Specify the directory to store the created man pages. (Default to /tmp)
-r, --root
    Specify alternate root directory to generate man pages from. (Default to /)
-w, --web
    Generate additional HTML man pages for the specified domain(s).

– Generate SELinux man pages by typing:

[root@server1 ~]# sepolicy manpage -a -p /usr/share/man/man8/

With the options used above, we told sepolicy manpage to generate man pages for all domains and to store them in /usr/share/man/man8/.

After generating the man pages, it’s time to update the man page database so that we can make use of the pages generated by the sepolicy manpage command. We are going to use the command mandb, which is used to initialise or manually update the index database caches that are usually maintained by man:

[root@server1 ~]# mandb

If you now search for all selinux man pages, you’ll get a long list, try it yourself by typing the command below:

[root@server1 ~]# man -k _selinux

To narrow the search down a little, pipe the output to the grep command. Look at the examples below:

man -k _selinux | grep httpd           # search for httpd-related SELinux man pages
man -k _selinux | egrep 'samba|smb'    # search for Samba-related SELinux man pages
man -k _selinux | egrep 'nfs'          # search for NFS daemon-related SELinux man pages

As you can see, it is easy to find the SELinux man page you want using grep:

[root@server1 ~]# man -k _selinux | grep httpd
 apache_selinux (8) - Security Enhanced Linux Policy for the httpd processes
 httpd_helper_selinux (8) - Security Enhanced Linux Policy for the httpd_helper processes
 httpd_passwd_selinux (8) - Security Enhanced Linux Policy for the httpd_passwd processes
 httpd_php_selinux (8) - Security Enhanced Linux Policy for the httpd_php processes
 httpd_rotatelogs_selinux (8) - Security Enhanced Linux Policy for the httpd_rotatelogs processes
 httpd_selinux (8) - Security Enhanced Linux Policy for the httpd processes
 httpd_suexec_selinux (8) - Security Enhanced Linux Policy for the httpd_suexec processes
 httpd_sys_script_selinux (8) - Security Enhanced Linux Policy for the httpd_sys_script processes
 httpd_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the httpd_unconfined_script processes
 httpd_user_script_selinux (8) - Security Enhanced Linux Policy for the httpd_user_script processes

That’s all for today. In our next article, we’ll look at how we can manage files and ports on a Linux system with SELinux running in enforcing mode. I hope this article was helpful, and thank you for reading. If you encounter any problem or difficulty, let me know by dropping a comment in the comment section.

