Skip to content.

A Note About Website Navigation

Skip to main menu.

For users of screen readers, depending on the screen resolution, the two checkboxes are for opening and closing the side menus that appear to the left and right side of the screen. This is designed both for large screens and for mobile devices with a touch screen. Checking either the main menu or sidebar checkboxes causes the menu to open from the left or right side of the screen, respectively. Clearing the checkox in either the main menu or sidebar closes the menu. The checkboxes are visible to screen readers such as JAWS and NVDA for Windows, Voiceover for Mac, and Orca screen reader for Linux. When a screen reader says "clickable" for both main menu and sidebar, that is for the respective checkboxes. End of explaination.

Viewing Single Blog Post

How To List All SELinux Contexts

Audience and Prerequisites

This is intended for Linux users who have experience working with the command line. You should be running any Red Hat-based distributions such as Rocky Linux, AlmaLinux, or Oracle Linux. CentOS Stream is not a candidate for taking the RHCSA (Red Hat Certified System Administrator) exam. A lot of people in the Linux community are not happy about Red Hat discontinuing support for CentOS 8 and now Red Hat does not want source code to be available for everyone, including Rocky Linux and AlmaLinux. Enough with wordy paragraphs! We don't want anyone to scroll down too much in order to get to the most important part! Let's get into the command line, shall we?

Oh, please pardon me for boring you with this, but I almost forgot. This article assumes that you are logged in as a root user. This is bad security practice in the production environment, but in the exam, it's okay to be root. If you break it, you fix it and that will count against your time in the exam. But the important thing is that you must come up with solutions as fast as possible. Of course, don't be in a hurry in such a way that you will fail the exam. Okay, enough already! Let's get in with it! *grinning face*

Type: File Contexts

The command for listing all available SELinux type contexts is:

seinfo -t

The command for listing only the type contexts that relate to the web server:

seinfo -t | grep httpd

So, you searched for anything related to httpd and you came across httpd_sys_content_t. You need to specify a directory to host your content other than in /var/www. To add the type context to a directory, the command will be as follows:

semanage fcontext -a -t httpd_sys_content_t "/data/nas/www(/.*)?"
restorecon /data/nas/www

Longer version:

semanage fcontext --add --type httpd_sys_content_t "/data/nas/www(/.*)?"

The seinfo command is the SELinux policy information tool, semanage is a SELinux policy management tool, and restorecon is for restoring default SELinux security contexts to files and directories. The "type" contexts is the only one to be to be concerned about when studying for any Linux exams, such as RHCSA (Red Hat Certified System Administrator).

As for (/.*)?, that's called a regular expression. This is for setting any subdirectories and files with the same context as the main directory. Try to remember this in the RHCSA exam: open parenthesis, forward slash, period, asterisk, close parenthesis, question mark, and that's about it. The only thing to remember is to have the entire path along with the symbols in double quotes. In the RHCSA exam, you have access to the man pages, so take advantage of that whenever possible.

For users of NVDA screen reader (Non-Visual Desktop Access), NVDA does not speak a question mark such as CTRL+? (control plus question mark). I do not know if this is a bug in the screen reader or if this is intentional, but at least it's all I can do to help out if screen readers ignore question marks. That symbol is an important part of a regular expression, so it needs to be translated to words. Hopefully I can be of help.

Type: Contexts for Ports

What about ports? If you modify the port number in SSH configuration file (/etc/ssh/sshd_config) and you restart the service (systemctl restart sshd), even if you configure the firewall to allow a different port number (example: firewall-cmd --add-port 12345 --permanent), you won't be able to SSH into your server because SELinux gets in the way! It's easy to disable SELinux if you do not mind exposing your server to outside security risks, but when studying for the exam, it's important to never disable SELinux. Instead, let's search for port-related contexts.

Let's search for any services that have a phrase "port" for any type contexts:

seinfo -t | grep port

You should get a list of services. Let's narrow it down to SSH:

seinfo -t | grep port | grep ssh

Ah ha! There it is. It's ssh_port_t. Of course, I could also type the following:

seinfo -t | grep ssh_port

And that should give me the same output. So, let's configure SELinux to allow TCP port 12345 so that we can SSH into our Linux server.

semanage port -a -t ssh_port_t -p tcp 12345

And there you have it! You should now login to your server using SSH.

ssh -p 12345 username@servernameoripaddress

Of course, if you want to search for other services, such as Postfix:

seinfo -t | grep postfix

Oh, wow! So many contexts to choose from! But aren't we looking for port-related contexts?

seinfo -t | grep port | grep postfix

Hmm... There are no port-related contexts related to Postfix. Of course, what we do want is SMTP, which is port 25 by default, so let's narrow it down to just "port" and "SMTP" (all lowercase, of course).

seinfo -t | grep port | grep smtp
# or "seinfo -t | grep smtp_port" (without quotes)

And you should get smtp_port_t. However, configuring an SMTP server is beyond the scope of this tutorial about viewing the list of available contexts. Plus, configuring firewalls and enabling/starting services in a Linux server is also beyond the scope as well.

What Packages Provides seinfo and semanage?

dnf whatprovides */seinfo

The asterisk represents a wildcard, so this would assume that we do not know the full path to seinfo command. That dnf command, when executed, reveals a package called setools-console. So, so install setools-console, just use the dnf install command as follows:

dnf install setools-console

The same is for semanage: 

dnf whatprovides */semanage
dnf install policycoreutils-python-utils

That package policycoreutils-python-utils is so wordy, isn't it? *smile* Don't stress over trying to remember that package name in the exam and in the real world.

Conclusion

I hope I can be of help to anyone studying for RHCSA exam. Hopefully you should be able to know how to set SELinux type contexts for directories and ports. If you are not taking an exam (you should if you want to further your career in Linux and Information Technology), I hope I can be of help as well! Have fun administrating your Linux servers!

And yes, I could have used emojis, but screen readers come first! *smile*

Article published: 2023-08-12 13:10

Categories: The World of Computers, Computers, Information Technology, Security,

About Grayson Peddie

Hello! I am a web developer and I have a passion for the world of Information Technology. I currently hold 4 CompTIA certificates (A+, Network+, Security+, and CySA+) including Cisco's CCNA (Cisco Certified Network Associate) certificate. Speaking of web development, I am a web accessibility enthusiast. I make sure that users of screen readers and keyboard users who cannot use a mouse can be able to access my website with just only the keyboard. Plus, I have learned a whole lot about Web Content Accessibility Guidelines.

So what are my hobbies? Aside from web development, I watch Star Trek: The Next Generation from time to time during the nights. I listen to music from the likes of David Arkenstone, Yanni, Checkfield, Cucso, Looreena McKennitt, Clannad, 2002, Enya, and even soundtrack from EPCOT Center (1982-1994), Tomorrowland, WALL-E, and TRON: Legacy. Oh, yes! Tomorrowland, TRON: Legacy, and WALL-E are the three movies I watch during Friday nights and every Friday night is my pizza night. I'm an optimist who likes to see what kind of future the world would look like. That's why I follow The Venus Project on Twitter (here's the website to The Venus Project. I do have a lot to cover in my introductory article in my website, so if you want to go in-depth and know more about me, that is the article to visit.