This article has been migrated from the old blog.

How to use SELinux on your Red Hat/CentOS server.

Check whether SELinux is enabled or disabled (and which mode it is in):

sestatus

Disable SELinux on the fly (switches to permissive mode, denials are logged but not enforced):

setenforce 0

Enable SELinux on the fly (switches back to enforcing mode):

setenforce 1

Install the utilities needed to change SELinux policies:

yum install policycoreutils policycoreutils-python
yum install -y setroubleshoot

Check for SELinux denials in the logs:

cat /var/log/audit/audit.* /var/log/messages* | audit2allow

Create SELinux rules based on the denials found in the logs:

cat /var/log/audit/audit.* /var/log/messages* | audit2allow -M mysemanage

Apply the rules on the system:

sudo semodule -i mysemanage.pp

If you run into trouble and your app is still blocked even after applying the .pp file, disable the dontaudit rules so that the silently suppressed denials also show up in the logs:

semodule -BD

Then run the rule generation command again, apply the new rules, and re-enable the dontaudit rules by running:

semodule -B
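The rules audit2allow writes into the .te file are built from the AVC records in the audit log. As an added helper (not part of the original post, and not the audit2allow tool itself), the script below parses constructed sample AVC lines into the same allow rules, and shows why piping the whole log into audit2allow -M is risky: a denial from an unrelated process (here sshd) would be folded into your app's module unless you scope by process name. Boolean hints like httpd_use_nfs are not reproduced, since they need the installed policy.

```python
import re
from collections import defaultdict

# Constructed sample audit records, not from a real system. The sshd denial is
# there on purpose: audit2allow -M over the whole log would include it too.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="uploads" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { add_name } for  pid=1234 comm="httpd" name="img.png" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=4321 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

# One AVC record per line; the SELinux type is the third field of a context.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC denial; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m["comm"],
            "stype": m["scontext"].split(":")[2],  # source domain, e.g. httpd_t
            "ttype": m["tcontext"].split(":")[2],  # target type, e.g. nfs_t
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            # permissive=1: the access was logged but not actually blocked
            "permissive": m["permissive"] == "1",
        })
    return denials


def proposed_allow_rules(denials, comm=None):
    """Collapse denials into the .te allow rules audit2allow would emit.
    With comm set (e.g. "httpd"), only denials raised by that process are kept."""
    merged = defaultdict(set)
    for d in denials:
        if comm is None or d["comm"] == comm:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules
```

Compare `proposed_allow_rules(denials, comm="httpd")` with `proposed_allow_rules(denials)` to see the extra sshd rule that an unscoped run would have granted.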

Example

  • Disable SELinux
    setenforce 0
    
  • Run the app which is blocked by SELinux, then check the SELinux logs with the command
    cat /var/log/audit/audit.* /var/log/messages* | audit2allow
    
  • Build the rules with the command
    cat /var/log/audit/audit.* /var/log/messages* | audit2allow -M myapprule
    
  • Apply the created rule
    sudo semodule -i myapprule.pp
    
  • Enable SELinux
    setenforce 1
    
  • Test your app
  • If the above steps don't work, then
    echo 0 > /selinux/enforce
    
  • Disable the dontaudit rules so that the silently suppressed denials are logged too
    semodule -BD
    
  • Go back and repeat steps 2, 3, 4, 5 and 6. If your app works, then run the command
    semodule -B
    
  • After applying the new rule, do not run the whole process again, or you will most probably lose all the policies. If you have a new feature which is blocked by SELinux, run the following commands
    cat /var/log/audit/audit.* /var/log/messages* | audit2allow
    
  • Find the policy that is blocked in the list. It will look like this
    #!!!! This avc can be allowed using the boolean 'httpd_use_nfs' 
    allow httpd_t nfs_t:dir write;
    
  • Check your SELinux booleans and you will see that httpd_use_nfs is off
    getsebool -a | grep httpd
    
  • Enable the boolean (-P makes the change persistent across reboots)
    setsebool -P httpd_use_nfs 1
    
  • Restore the SELinux context of a folder
    restorecon -R -v /folder_name
    
  • To update an existing .te SELinux policy, recompile and repackage it with the steps below
    checkmodule -M -m -o mysemanage.mod mysemanage.te
    semodule_package -m mysemanage.mod -o mysemanage.pp
    
  • The newly created SELinux policy can then be applied
    semodule -i mysemanage.pp