Kerry Hall

SE Linux example

Here's a quick demonstration of how to use SE Linux to prevent a process from accessing a file.

Create a new VM with Vagrant, ssh in and become root:

vagrant init generic/centos9
vagrant up
vagrant ssh
sudo su -

Install apache:

dnf install httpd -y

Create a minimal vhost:

vim /etc/ 

<VirtualHost/>

Create a minimal index.html:
Remove the default page:

rm /etc/httpd/conf.d/welcome.conf

Start apache:

systemctl start httpd

Allow inbound TCP connections on port 80:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

Get the ip of your VM:

ip addr show

Edit your /etc/hosts file to add an entry for your vm:

<ip of your vm> example.test

You might need to restart your browser after adding this entry.
Visit the url example.test in your browser and confirm you can see your test page.

Check that SE Linux is enforcing:

getenforce

Check the SE Linux context of your file:

ls -Z /var/www/html/index.html

Change the context to default, which cannot be accessed by apache:

chcon -t default_t  /var/www/html/index.html

Now try visiting example.test in your browser again. You should see You can also do:

curl -I example.test

Logout from root:

ctrl + d

Logout from ssh: ctrl + d Clean up: vagrant destroy Remove the test file from your /etc/hosts file.