Chapter 11: SELinux Answers
Red Hat RHCSA 10 Study Companion: Getting Ready for the EX200 Exam by Andrey Markelov (May 2026).
Topics
- SELinux contexts
- File and port labeling
- SELinux booleans
exercise_01.sh
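#!/bin/bash
# @type: executable
# @requires: none
# @safe: yes
set -euo pipefail
# Exercise 1: Write the two commands necessary to check the SELinux context (label)
# for both the running sshd process and the /etc/ssh/sshd_config file.
#
# Task: Display SELinux contexts for process and file.
#
# Read-only: both commands only display labels. A context is printed as
# user:role:type:level; the type field is what the targeted policy enforces on.

echo "=== SELinux context for sshd process ==="
# -e selects every process, -Z adds the security-context column.
# With `set -o pipefail` a grep that matches nothing would abort the script
# before the file label is shown, so a missing sshd is reported, not fatal.
# NOTE(review): on a default targeted policy the daemon is expected in the
# sshd_t domain; any other type is worth investigating - confirm on your host.
ps -eZ | grep sshd || echo "No sshd process found (is the service running?)" >&2
echo ""
echo "=== SELinux context for /etc/ssh/sshd_config ==="
# -Z makes ls print the file's label next to its name.
ls -Z /etc/ssh/sshd_config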
exercise_02.sh
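#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 2: You have created a new directory, /srv/www/, which needs to be served by Apache.
# Write the two commands required to permanently set the context for this directory
# and all its contents to httpd_sys_content_t.
#
# Task: Set SELinux context for Apache web content directory.
#
# Two steps are needed because they do different things: semanage records the
# labeling rule in the local policy, restorecon rewrites the labels on disk to
# match it. A label set with chcon alone is lost on the next relabel.
# httpd_sys_content_t is the read-only content type; keep it unless the web
# server really has to write here (that is httpd_sys_rw_content_t).

# Path regex covering the directory itself and everything below it.
readonly spec='/srv/www(/.*)?'

# Add the context rule permanently.
# `-a` fails when the rule is already defined (for example on a second run),
# so fall back to `-m`, which modifies the existing rule instead.
sudo semanage fcontext -a -t httpd_sys_content_t "$spec" ||
  sudo semanage fcontext -m -t httpd_sys_content_t "$spec"
# Apply the context to the directory (-R recursive, -v list every change)
sudo restorecon -Rv /srv/www
echo ""
echo "SELinux context has been set for /srv/www"
# Show the resulting label so the change can be confirmed.
ls -Zd /srv/www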
exercise_03.sh
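#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 3: The company wants to run a secondary HTTP server on port 8988.
# Write the command to permanently label TCP port 8988 as a valid http_port_t port.
#
# Task: Add a custom port to SELinux http_port_t type.
#
# This changes the SELinux port label only: it lets domains that may bind
# http_port_t use the port. The firewall and the web server's own listen
# configuration are separate and are not touched here.

# `-a` fails when the port already has a definition (an earlier run, or
# another type claiming it), so fall back to `-m` to retarget the existing one.
sudo semanage port -a -t http_port_t -p tcp 8988 ||
  sudo semanage port -m -t http_port_t -p tcp 8988
echo ""
echo "Port 8988 has been added to http_port_t"
echo ""
# -w matches http_port_t as a whole word, so longer type names that merely
# contain it (such as pegasus_http_port_t) stay out of the check.
sudo semanage port -l | grep -w http_port_t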
exercise_04.sh
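#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 4: Find and enable the SELinux boolean permanently that allows the Apache web server to use NFS.
#
# Task: Enable SELinux boolean for Apache NFS access.
#
# A boolean switches an optional part of the policy on or off. Turning this one
# on widens what the web server domain may reach, so enable it only when the
# served content really lives on NFS.

echo "Searching for NFS-related Apache booleans..."
# With `set -o pipefail` an empty search result would end the script here;
# report it instead and let setsebool below give the authoritative error.
sudo semanage boolean -l | grep nfs | grep http ||
  echo "No boolean matched both 'nfs' and 'http'" >&2
echo ""
echo "Enabling httpd_use_nfs boolean permanently..."
# -P writes the value to the policy store so it survives a reboot; without it
# the change applies to the running system only.
sudo setsebool -P httpd_use_nfs on
echo ""
echo "Boolean has been enabled."
# Print the current state as confirmation.
getsebool httpd_use_nfs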