Getting SELinux working can be tough. Here are some commands I found useful.

Show the security context of a file:
ls -lZ

Copy the context from one file to another:
chcon --reference=<source> <destination>

Create a rule from an audit log (contained in /tmp/selinux):
/usr/bin/audit2allow -i /tmp/selinux
Explain an audit log (that appears in dmesg):
/usr/bin/audit2why -d
Reading an audit entry:
Jun 21 16:13:16 soldier kernel: audit(1182456796.114:8413): avc:  denied  { read } for  pid=2692 comm="sendmail" name="[2063705]" dev=eventpollfs ino=2063705 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file

  • scontext is the source security context (what SELinux needs to allow access)
  • tcontext is for target security context (what was actually on the file)
  • tclass is the target security class
Show all SELinux boolean settings:
/usr/sbin/getsebool -a
Set an SELinux boolean (permanently):
/usr/sbin/setsebool -P spamassassin_can_network=1
To relabel based on an RPM's directions:
fixfiles -R mailman restore
To relabel the entire filesystem:
fixfiles relabel