To get the status of selinux
getenforce
sestatus
cat /etc/selinux/config
To get the context of files/processes/ports/users
ls -Z
ps -Z
ss -Z
id -Z
Set the status to permissive (lasts until the next boot; set SELINUX= in /etc/selinux/config to make it permanent, and use setenforce 1 to go back to enforcing) setenforce 0
Get all booleans getsebool -a
Set a boolean permanently (-P writes it to the policy store so it survives a reboot; without it the change is lost at boot) setsebool -P foo_bar 1
Get all changed booleans cat /var/lib/selinux/targeted/active/booleans.local
Set a context directly on a file (temporary: the next restorecon or relabel reverts it to what the policy says) chcon -t foo /path/to/bar
Set all files to the right context in the directory restorecon -vR /path/bar
Create a persistent file-context rule with semanage
for /foo and everything under it (the regex is anchored at both ends, so "/foo(/.*)?" covers /foo and /foo/... but not /foobar)
so that httpd can read it
semanage fcontext -a -t httpd_sys_content_t "/foo(/.*)?"
or declare /foo equivalent to /var/www/html so it inherits all of that tree's rules semanage fcontext -a -e /var/www/html /foo
Run restorecon
restorecon -vR /foo
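The procedure above as one script. This is an added example, not part of the original cheat sheet: it first checks which paths a file-context pattern would cover (a cheap way to catch the "/foo.*" vs "/foo(/.*)?" mistake before it hits the policy store), then registers the rule and relabels with the same semanage/restorecon pair. The pattern, type and directory are assumptions supplied by the caller; label_dir is the only function that runs the real tools and needs root and a working SELinux policy.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.  The pattern, the type
# and the directory are assumptions passed in by the caller.

# fcontext_covers PATTERN PATH : exit 0 if PATTERN matches PATH.
# File-context regexes are anchored at both ends, so "/foo(/.*)?" covers
# /foo and everything under it but not /foobar; "/foo.*" would cover both.
fcontext_covers() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# covered_paths PATTERN PATH... : print, one per line, the paths PATTERN matches.
covered_paths() {
    pat=$1; shift
    for p in "$@"; do
        fcontext_covers "$pat" "$p" && printf '%s\n' "$p"
    done
    return 0
}

# label_dir PATTERN TYPE DIR : register the rule, relabel DIR, show the result.
# Needs root; semanage stores the rule in file_contexts.local so it persists.
label_dir() {
    semanage fcontext -a -t "$2" "$1"   # persistent rule
    restorecon -vR "$3"                 # apply it to the files that exist now
    ls -dZ "$3"                         # verify the context actually changed
}

# Dry run: which of these candidate paths does the rule from the cheat sheet cover?
covered_paths '/foo(/.*)?' /foo /foo/index.html /foobar
```

Run label_dir '/foo(/.*)?' httpd_sys_content_t /foo as root once the dry run prints only the paths you expect.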
To create a module, first set selinux to permissive mode, so that every denial is logged instead of the first one stopping the application, and exercise the application with all its features setenforce 0
then check the journal journalctl
and look for the "SELinux is preventing ..." messages from setroubleshoot; each one ends with a sealert -l <uuid> command
run it with the uuid from the message sealert -l <uuid>
and run the commands from its output. foobar is the name of the denied process (the comm= field of the AVC records); grepping for it keeps other daemons' denials out of the module
grep foobar /var/log/audit/audit.log | audit2allow -M mypol
Review mypol.te before installing it: audit2allow turns every denial it sees into an allow rule, including access the application should not have. If a denial you expect never shows up, a dontaudit rule may be hiding it; semodule -DB rebuilds the policy with dontaudit disabled and semodule -B restores it.
sudo semodule -i mypol.pp
Then set the status back with setenforce 1 and retest.
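The audit-log step above, as an added example that is not part of the original cheat sheet: it pulls the AVC denials for one process out of the audit log, summarises which permissions were denied so the .te file can be sanity-checked against them, and only then hands those lines to audit2allow. The process name and module name are assumptions passed in by the caller; AUDIT_SAMPLE is constructed test data in audit.log format, not a real capture. build_module is the only function that runs the real tools and needs root, audit2allow (policycoreutils-python-utils on Fedora/RHEL) and semodule.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.  COMM and MODULE are
# assumptions passed in by the caller; AUDIT_SAMPLE is constructed data.

# Constructed sample in audit.log format (not a real capture): two denials for
# "myapp" recorded in permissive mode and one unrelated denial for httpd.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="myapp" name="config.yml" dev="dm-0" ino=42 scontext=system_u:system_r:myapp_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_connect } for  pid=1234 comm="myapp" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.200:458): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# avc_for COMM : keep only AVC denial records for process COMM (stdin -> stdout).
# Matching comm="..." rather than a bare word keeps other daemons' denials out
# of the module; audit2allow would otherwise write allow rules for them too.
avc_for() {
    grep -F 'type=AVC' | grep -F "comm=\"$1\""
}

# count_avc COMM : number of denials recorded for COMM in AUDIT_SAMPLE.
count_avc() {
    printf '%s\n' "$AUDIT_SAMPLE" | avc_for "$1" | wc -l | tr -d ' '
}

# permissions_for COMM : sorted, space-separated set of permissions denied to COMM.
# Compare this with the allow lines audit2allow emits in MODULE.te.
permissions_for() {
    printf '%s\n' "$AUDIT_SAMPLE" | avc_for "$1" \
        | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# build_module COMM MODULE : the cheat sheet's pipeline, restricted to COMM.
build_module() {
    avc_for "$1" < /var/log/audit/audit.log > "/tmp/$2.avc"
    audit2allow -M "$2" < "/tmp/$2.avc"   # writes $2.te and $2.pp in the cwd
    cat "$2.te"                           # review every allow line before installing
    semodule -i "$2.pp"
}
```

On a real host run build_module myapp mypol as root after the permissive test run; the summary functions work on any audit.log if you replace AUDIT_SAMPLE with the file's contents.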