How to Configure SELinux on AlmaLinux

By Admin · Mar 2, 2026 · Updated Apr 23, 2026

Security-Enhanced Linux (SELinux) is a mandatory access control system built into the Linux kernel. On AlmaLinux-based Breeze instances, SELinux provides an additional layer of security by enforcing strict policies that limit what processes and users can do, even if they have root privileges.

Understanding SELinux Modes

SELinux operates in three modes:

  • Enforcing — policies are enforced and violations are blocked and logged
  • Permissive — policies are not enforced but violations are logged for troubleshooting
  • Disabled — SELinux is completely turned off (not recommended)

Check the current status:

sestatus
getenforce

Setting SELinux Mode

Temporarily switch modes without rebooting:

# Switch to permissive for debugging
sudo setenforce 0

# Switch back to enforcing
sudo setenforce 1

For a permanent change, edit /etc/selinux/config (the new mode takes effect after a reboot):

SELINUX=enforcing
SELINUXTYPE=targeted

Managing SELinux Booleans

Booleans let you toggle specific policy rules without writing custom modules:

# List all booleans
getsebool -a

# Allow Apache to connect to the network
sudo setsebool -P httpd_can_network_connect on

# Allow Apache to send mail
sudo setsebool -P httpd_can_sendmail on

# Allow Apache to read home directories
sudo setsebool -P httpd_enable_homedirs on

Working with File Contexts

SELinux labels every file with a security context. If files have incorrect labels, services may fail:

# View file contexts
ls -Z /var/www/html/

# Restore default contexts
sudo restorecon -Rv /var/www/html/

# Set a custom context on a directory
sudo semanage fcontext -a -t httpd_sys_content_t "/srv/myapp(/.*)?"
sudo restorecon -Rv /srv/myapp/

Allowing Non-Standard Ports

If your web server or application listens on a non-standard port, SELinux blocks it by default until that port is labelled for the service:

# Allow Apache on port 8080
sudo semanage port -a -t http_port_t -p tcp 8080

# List allowed ports for a type
sudo semanage port -l | grep http_port_t

Troubleshooting SELinux Denials

When SELinux blocks an action, it logs the denial in the audit log:

# View recent denials
sudo ausearch -m avc -ts recent

# Use audit2why to explain denials
sudo ausearch -m avc -ts recent | audit2why

# Generate a custom policy module from denials; review the generated
# mypolicy.te before installing it, since it permits exactly what was denied
sudo ausearch -m avc -ts recent | audit2allow -M mypolicy
sudo semodule -i mypolicy.pp
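As an added example (not part of the original article or of AlmaLinux's tooling), the following POSIX shell helper groups the AVC records that ausearch returns by source type, target type, object class and denied permission, and points each group at the section of this guide that usually resolves it. The audit lines it reads are constructed samples, not captured from any real system; on a live host you would feed it the output of `ausearch -m avc -ts recent` instead.

```shell
#!/bin/sh
# Constructed sample AVC records (not captured from a real system) so the
# helper can run offline; on a live host, feed it `ausearch -m avc -ts recent`.
SAMPLE_LOG="${TMPDIR:-/tmp}/avc_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1710000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1710000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1710000001.000:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="page.html" dev="vda1" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

# avc_summary FILE
# Groups AVC denials by source type, target type, object class and the denied
# permission set, and prints one line per group, most frequent first:
#   COUNT SOURCE TARGET CLASS {PERMS} # HINT
# The hint maps the object class to the usual fix: a port label for socket
# denials, a file context (or boolean) for file and directory denials.
avc_summary() {
  grep 'type=AVC' "$1" | awk '
  {
    perms = $0
    sub(/.*denied[ ]+[{] /, "", perms); sub(/ [}].*/, "", perms)
    match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
    match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
    match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
    key = s[3] " " t[3] " " cls " {" perms "}"
    count[key]++
  }
  END {
    for (k in count) {
      split(k, f, " ")
      hint = "run the record through audit2why"
      if (f[3] ~ /_socket$/ && f[2] ~ /port_t$/)
        hint = "port label: semanage port -l | grep " f[2]
      else if (f[3] == "file" || f[3] == "dir")
        hint = "file context: ls -Z the path, then restorecon -Rv or a boolean"
      print count[k], k, "#", hint
    }
  }' | sort -rn
}

avc_summary "$SAMPLE_LOG"
```

Resolving the most frequent group first, then re-checking the audit log, keeps any audit2allow module you eventually build small and reviewable.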

Best Practices

  • Never disable SELinux — use permissive mode temporarily when troubleshooting
  • Use targeted policy — it confines specific services while leaving others unconfined
  • Label files correctly — always run restorecon after moving files
  • Audit regularly — review /var/log/audit/audit.log for policy violations
  • Test in permissive first — switch to permissive, test your application, resolve denials, then enforce

Properly configured SELinux significantly reduces the attack surface on your Breeze instance by containing compromised processes within strict security boundaries.