SELinux

Basics

Activate / deactivate SELinux enforcement (enforcing / permissive mode): setenforce 1 / setenforce 0

List all available booleans: getsebool -a

Activate an SELinux boolean:
setsebool -P use_nfs_home_dirs on
-P makes the change persistent, so it stays after a reboot.

Advanced

You can create rules when something is not allowed and no boolean covers it.
This is what audit logs are made for. For example, let’s say HAProxy can’t read a socket to write logs; we can search the audit log to see why:

grep haproxy /var/log/audit/audit.log
Yep, it’s not readable at all, but you can ask your system to create a rule based on those entries with this command:
grep haproxy /var/log/audit/audit.log|audit2allow
It will return something like this:
module rsyslog 1.0;

require {
	type syslogd_t;
	type haproxy_var_lib_t;
	class sock_file { create setattr };
	class dir { add_name search write };
}

#============= syslogd_t ==============
allow syslogd_t haproxy_var_lib_t:dir { add_name search write };
allow syslogd_t haproxy_var_lib_t:sock_file { create setattr };

This can be used to build a rule:

grep haproxy /var/log/audit/audit.log|audit2allow -m haproxy > haproxy.te
checkmodule -M -m -o haproxy.mod haproxy.te
semodule_package -o haproxy.pp -m haproxy.mod
semodule -i haproxy.pp

These commands create a rule and install it.
You can easily remove it afterwards with the command:
semodule -r haproxy
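
Since the raw audit log is hard to read, it helps to see which domain is being denied what before piping everything that matches "haproxy" into audit2allow. The following is an added example, not part of the original notes: the function names avc_summary and sample_audit_log are hypothetical, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: condense AVC denials into one line per
# (source domain, target type, class, command) for review.

# Constructed sample audit.log lines (not from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { search } for  pid=811 comm="rsyslogd" name="haproxy" dev="dm-0" ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write add_name } for  pid=811 comm="rsyslogd" name="haproxy" dev="dm-0" ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=49 success=no exit=-13 comm="rsyslogd" exe="/usr/sbin/rsyslogd"
type=AVC msg=audit(1700000000.103:203): avc:  denied  { create } for  pid=811 comm="rsyslogd" name="dev" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { search } for  pid=811 comm="rsyslogd" name="haproxy" dev="dm-0" ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0
EOF
}

# Reads audit.log lines on stdin. On a real host:
#   grep haproxy /var/log/audit/audit.log | avc_summary
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) { next }          # malformed record: skip it
        n = split(substr($0, s + 1, e - s - 1), perm, " ")
        scon = tcon = tclass = comm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, c, ":"); scon = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tcon = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        key = scon " -> " tcon ":" tclass " (comm=" comm ")"
        if (!(key in hits)) { order[++k] = key }  # remember first-seen order
        hits[key]++
        for (j = 1; j <= n; j++) {
            if (!((key, perm[j]) in seen)) {      # merge permissions, no duplicates
                seen[key, perm[j]] = 1
                perms[key] = perms[key] " " perm[j]
            }
        }
    }
    END {
        for (i = 1; i <= k; i++) {
            printf "%dx %s {%s }\n", hits[order[i]], order[i], perms[order[i]]
        }
    }'
}

# Stand-alone run on the constructed sample.
sample_audit_log | avc_summary
```

In this sample the summary shows that the domain being granted access is syslogd_t (rsyslogd), not HAProxy itself, which is worth knowing before installing a module named haproxy.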