SELinux man pages for the installed SELinux policy are not installed by default on RHEL 7 and CentOS 7. You have to install the necessary tools and generate the man pages yourself.
In this tutorial, I’ll take you through all the steps required to configure the SELinux environment and add man pages for easy reference and stress-free SELinux troubleshooting.
For a freshly installed CentOS 7, you can have a look at: Top Things to do after fresh installation of CentOS 7
How To Enable SELinux on Linux
To check whether SELinux is running, type the command below in the terminal:
[root@server1 ~]# getenforce
Enforcing
From the output above, you can see that my SELinux is running and enforcing all policy rules. I’ve set SELinux up permanently by editing /etc/selinux/config:
[root@server1 ~]# sudo vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
If you want to permanently enable SELinux without manually editing the file, open a terminal window as the root user and type the command given below:
sudo sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
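The sed one-liner above only matches SELINUX=disabled, so a host currently set to permissive is left unchanged. The following added example (not part of the original article; the function names are hypothetical) rewrites the active SELINUX= line whatever its current value and reports when a relabel is needed. It runs against a constructed sample file rather than /etc/selinux/config.

```bash
#!/bin/bash
# Added example (not from the original article): set the persistent SELinux
# mode whatever the current value is. Function names are hypothetical.

# Print the value of the active SELINUX= line; comment lines and SELINUXTYPE= never match.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_mode FILE MODE: rewrite FILE, print "relabel" when the change
# turns SELinux on from disabled (the case that needs /.autorelabel).
set_selinux_mode() {
    local file="$1" mode="$2" current tmp
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    current=$(selinux_config_mode "$file")
    [ "$current" = "$mode" ] && return 0          # already set: no change
    cp -p "$file" "$file.bak" || return 1         # keep a backup
    tmp=$(mktemp) || return 1
    if [ -n "$current" ]; then
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    else
        { cat "$file"; printf 'SELINUX=%s\n' "$mode"; } > "$tmp"
    fi
    cat "$tmp" > "$file"    # overwrite in place: same inode, owner and permissions
    rm -f "$tmp"
    if [ "$current" = disabled ] && [ "$mode" != disabled ]; then echo relabel; fi
    return 0
}

# Constructed sample in the format of /etc/selinux/config.
make_sample() {
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        '# disabled - No SELinux policy is loaded.' \
        "SELINUX=$1" 'SELINUXTYPE=targeted' > "$2"
}

sample=$(mktemp)
make_sample permissive "$sample"
# The article's sed only matches SELINUX=disabled, so a permissive file is left alone:
sed 's/SELINUX=disabled/SELINUX=enforcing/' "$sample" | grep '^SELINUX='
set_selinux_mode "$sample" enforcing
grep '^SELINUX=' "$sample"
rm -f "$sample" "$sample.bak"
```

On a real host the file argument would be /etc/selinux/config, and a printed "relabel" corresponds to the /.autorelabel step that follows.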
You can enable automatic relabeling on the next boot by typing the command below:
sudo touch /.autorelabel
Then reboot your system for the changes to take effect.
sudo reboot
After a successful reboot, check the status of SELinux; it should be running in enforcing mode:
[root@server1 ~]# getenforce
Enforcing
Installing necessary SELinux packages
Since SELinux is now able to enforce policy rules, let's install packages that will help us administer SELinux efficiently.
- Install the setroubleshoot-server package.
- This package provides tools to help diagnose SELinux problems.
- When AVC messages are generated, an alert can be generated that gives information about the problem and helps track its resolution.
- To install it, type the command below:
sudo yum install setroubleshoot-server -y
- The policycoreutils-python package contains the management tools used to manage an SELinux environment.
- If you installed setroubleshoot-server, it installs policycoreutils-python as a dependency, hence you can skip this step.
### RHEL 7 based systems ###
sudo yum install policycoreutils-python
### RHEL 8 based systems ###
sudo yum install policycoreutils-python3
- Another package to install is policycoreutils-devel.
- The policycoreutils-devel package contains the management tools used to develop policy in an SELinux environment.
- This package helps us generate SELinux man pages.
- You can check which package provides sepolicy, the SELinux man page generating utility, which comes from the policycoreutils-devel package:
sudo yum provides '*/sepolicy'
sudo yum install policycoreutils-devel
Now that you have all the required packages, let's generate SELinux man pages.
How To Generate SELinux man pages
The command sepolicy manpage is used to generate a man page based on the installed SELinux Policy.
The common options available are:
- -a, --all: Generate man pages for all domains
- -d, --domain: Generate a man page for the specified domain. (Supports multiple commands)
- -h, --help: Display help message
- -p, --path: Specify the directory to store the created man pages. (Default to /tmp)
- -r, --root: Specify alternate root directory to generate man pages from. (Default to /)
- -w, --web: Generate additional HTML man pages for the specified domain(s).
Generate selinux man pages by typing:
sudo sepolicy manpage -a -p /usr/share/man/man8/
With the options used above, we told sepolicy manpage to generate man pages for all domains and to store them in /usr/share/man/man8/.
After generating the man pages, update the man page database so that the pages generated by sepolicy manpage can be found. We are going to use the command mandb, which is used to initialise or manually update the index database caches that are usually maintained by man:
sudo mandb
If you now search for all SELinux man pages, you’ll get a long list. Try it yourself by typing the command below:
$ man -k _selinux
To narrow down the search, pipe the output to the grep command. Look at the examples below:
- man -k _selinux | grep httpd (searches for httpd-related SELinux man pages)
- man -k _selinux | egrep 'samba|smb' (searches for Samba-related SELinux man pages)
- man -k _selinux | egrep 'nfs' (searches for NFS daemon related SELinux man pages)
You’ve seen how easy it can be to get the SELinux man page you want using grep.
$ man -k _selinux | grep httpd
apache_selinux (8) - Security Enhanced Linux Policy for the httpd processes
httpd_helper_selinux (8) - Security Enhanced Linux Policy for the httpd_helper processes
httpd_passwd_selinux (8) - Security Enhanced Linux Policy for the httpd_passwd processes
httpd_php_selinux (8) - Security Enhanced Linux Policy for the httpd_php processes
httpd_rotatelogs_selinux (8) - Security Enhanced Linux Policy for the httpd_rotatelogs processes
httpd_selinux (8) - Security Enhanced Linux Policy for the httpd processes
httpd_suexec_selinux (8) - Security Enhanced Linux Policy for the httpd_suexec processes
httpd_sys_script_selinux (8) - Security Enhanced Linux Policy for the httpd_sys_script processes
httpd_unconfined_script_selinux (8) - Security Enhanced Linux Policy for the httpd_unconfined_script processes
httpd_user_script_selinux (8) - Security Enhanced Linux Policy for the httpd_user_script processes
That’s all for today. In our next article, we’ll look at how we can manage files and ports on a Linux system with SELinux running in enforcing mode. I hope this article was helpful and thank you for reading. If you encounter any problem or difficulty, let me know by dropping a comment in the comment section.