As SELinux is a bit of complicated compared to the tools that we use currently, I have thought it is good to have some tips here.

1) seinfo: This is the selinux query tool to see statistics about your policy.

2) sesearch: This is a very handy tool. When I started using SELinux, I was thinking that processes with a specific type are only allowed to make operations of the same type:) how stupid I am. Then I have seen by experience that policy can defines it and to see what a source can do, we can use sesearch. For example to search for httpd_t type source in order to see in which types it is associated with issue the following;

3) Restorecon

This is a very useful utility that allows you to restore types configured statically in the system. The only thing you should do is

However if your type is in /etc/selinux/targeted/contexts/customizable_types file then you have to add “-F” flag into the command, if you don’t nothing happens:)  As I have quoted text from Dan Walsh’s blog (RH engineer) , restorecon ignores these types and -F must be added.

• customizable_types
  • These are a list of file types that restorecon will ignore.  So if you want to relabel your entire system using restorecon, and a file is labeled with a context in this file, the context will not be changed.  This can be overridden with the -F flag.  This allows you to specify special directories on your system as being readable by apache.  So if you chcon -R -t httpd_sys_content_t  /var/myhtml, a relabel will not change this directory tree back to var_t.

Selinux User Guide: http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/index.html