Audience and Prerequisites
This is intended for Linux users who have experience working with the command line. You should be running any Red Hat-based distributions such as Rocky Linux, AlmaLinux, or Oracle Linux. CentOS Stream is not a candidate for taking the RHCSA (Red Hat Certified System Administrator) exam. A lot of people in the Linux community are not happy about Red Hat discontinuing support for CentOS 8 and now Red Hat does not want source code to be available for everyone, including Rocky Linux and AlmaLinux. Enough with wordy paragraphs! We don't want anyone to scroll down too much in order to get to the most important part! Let's get into the command line, shall we?
Oh, please pardon me for boring you with this, but I almost forgot. This article assumes that you are logged in as a root user. This is bad security practice in the production environment, but in the exam, it's okay to be root. If you break it, you fix it and that will count against your time in the exam. But the important thing is that you must come up with solutions as fast as possible. Of course, don't be in a hurry in such a way that you will fail the exam. Okay, enough already! Let's get in with it! *grinning face*
Type: File Contexts
The command for listing all available SELinux type contexts is:
The command for listing only the type contexts that relate to the web server:
seinfo -t | grep httpd
So, you searched for anything related to
httpd and you came across
httpd_sys_content_t. You need to specify a directory to host your
content other than in
/var/www. To add the type context to a directory,
the command will be as follows:
semanage fcontext -a -t httpd_sys_content_t "/data/nas/www(/.*)?" restorecon /data/nas/www
semanage fcontext --add --type httpd_sys_content_t "/data/nas/www(/.*)?"
seinfo command is the SELinux policy information tool,
is a SELinux policy management tool, and
restorecon is for restoring default
SELinux security contexts to files and directories. The "type" contexts is the only one to be
to be concerned about when studying for any Linux exams, such as RHCSA (Red Hat Certified
(/.*)?, that's called a regular expression. This is for setting any
subdirectories and files with the same context as the main directory. Try to remember this in
the RHCSA exam: open parenthesis, forward slash, period, asterisk, close parenthesis, question
mark, and that's about it. The only thing to remember is to have the entire path along with
the symbols in double quotes. In the RHCSA exam, you have access to the man pages, so take
advantage of that whenever possible.
For users of NVDA screen reader (Non-Visual Desktop Access), NVDA does not speak a question mark such as CTRL+? (control plus question mark). I do not know if this is a bug in the screen reader or if this is intentional, but at least it's all I can do to help out if screen readers ignore question marks. That symbol is an important part of a regular expression, so it needs to be translated to words. Hopefully I can be of help.
Type: Contexts for Ports
What about ports? If you modify the port number in SSH configuration file
/etc/ssh/sshd_config) and you restart the service
systemctl restart sshd), even if you configure the firewall to allow a different
port number (example:
firewall-cmd --add-port 12345 --permanent), you won't be
able to SSH into your server because SELinux gets in the way! It's easy to disable SELinux if
you do not mind exposing your server to outside security risks, but when studying for the exam,
it's important to never disable SELinux. Instead, let's search for port-related contexts.
Let's search for any services that have a phrase "port" for any type contexts:
seinfo -t | grep port
You should get a list of services. Let's narrow it down to SSH:
seinfo -t | grep port | grep ssh
Ah ha! There it is. It's
ssh_port_t. Of course, I could also type the
seinfo -t | grep ssh_port
And that should give me the same output. So, let's configure SELinux to allow TCP port 12345 so that we can SSH into our Linux server.
semanage port -a -t ssh_port_t -p tcp 12345
And there you have it! You should now login to your server using SSH.
ssh -p 12345 username@servernameoripaddress
Of course, if you want to search for other services, such as Postfix:
seinfo -t | grep postfix
Oh, wow! So many contexts to choose from! But aren't we looking for port-related contexts?
seinfo -t | grep port | grep postfix
Hmm... There are no port-related contexts related to Postfix. Of course, what we do want is SMTP, which is port 25 by default, so let's narrow it down to just "port" and "SMTP" (all lowercase, of course).
seinfo -t | grep port | grep smtp # or "seinfo -t | grep smtp_port" (without quotes)
And you should get
smtp_port_t. However, configuring an SMTP
server is beyond the scope of this tutorial about viewing the list of
available contexts. Plus, configuring firewalls and enabling/starting
services in a Linux server is also beyond the scope as well.
What Packages Provides
dnf whatprovides */seinfo
The asterisk represents a wildcard, so this would assume that we do not
know the full path to
seinfo command. That
command, when executed, reveals a package called
So, so install
setools-console, just use the
command as follows:
dnf install setools-console
The same is for
dnf whatprovides */semanage dnf install policycoreutils-python-utils
policycoreutils-python-utils is so wordy, isn't it?
Don't stress over trying to remember that package name in the exam and in the
I hope I can be of help to anyone studying for RHCSA exam. Hopefully you should be able to know how to set SELinux type contexts for directories and ports. If you are not taking an exam (you should if you want to further your career in Linux and Information Technology), I hope I can be of help as well! Have fun administrating your Linux servers!
And yes, I could have used emojis, but screen readers come first! *smile*
Article published: 2023-08-12 13:10
Categories: The World of Computers, Computers, Information Technology, Security