Complete SELinux Administration & Troubleshooting Guide
Learn SELinux modes, contexts, booleans, and access-denial troubleshooting for secure Linux environments.
3) Advanced Linux Administration – Complete Tutorials
3.1) SELinux (Enforcing, Permissive, Troubleshooting)
SELinux Modes
Check mode:
getenforce
Set enforcing (runtime only, does not persist across a reboot):
setenforce 1
Set permissive (runtime only, does not persist across a reboot):
setenforce 0
Check Status
sestatus
File Contexts
View context:
ls -Z /var/www/html
Add custom context:
semanage fcontext -a -t httpd_sys_content_t "/project(/.*)?"
restorecon -Rv /project
Policy Troubleshooting
Check AVC denials:
ausearch -m avc -ts recent
Auto suggestions:
sealert -a /var/log/audit/audit.log
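Added example (not part of the original tutorial): a small shell function that collapses repeated AVC denials into one line per source type, target type, class and permission set, which makes it easier to see whether the fix is a file-context rule like the /project one above or something else. The function name summarize_avc, the helper sample_avc_log and every log record in it are constructed for illustration; the sample assumes /project content is still labelled default_t.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials read from stdin.
# Output: COUNT COMM SOURCE_TYPE -> TARGET_TYPE CLASS {PERMS} permissive=N
summarize_avc() {
    awk '
    /type=AVC/ && / denied / {
        comm = "?"; s = "?"; t = "?"; cls = "?"; pm = "?"; perm = ""
        # Denied permissions are the words between the first "{" and "}".
        b = index($0, "{"); e = index($0, "}")
        if (b && e > b) {
            perm = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:TYPE:level, so the type is field 3.
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
            else if ($i ~ /^permissive=/) { pm = substr($i, 12) }
        }
        n[comm " " s " -> " t " " cls " {" perm "} permissive=" pm]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records (not from a real host).
# permissive=1 means the access was logged but not blocked.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000003.220:507): avc:  denied  { read } for  pid=2102 comm="httpd" name="app.css" dev="dm-0" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.004:512): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000050.730:530): avc:  denied  { read open } for  pid=2110 comm="httpd" name="data.json" dev="dm-0" ino=9003 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
EOF
}

# Demo on the constructed records.
sample_avc_log | summarize_avc
```

On a live system the same function can be fed from the command shown above: ausearch -m avc -ts recent | summarize_avc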
3.2) Kernel Upgrades & Tuning
Check Current Kernel
uname -r
List Available Kernels
dnf list kernel
Install Latest Kernel
dnf install kernel
Tuning Using sysctl
View:
sysctl -a
Set temporarily:
sysctl -w net.ipv4.tcp_syncookies=1
Make permanent:
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p
3.3) GRUB Recovery & Boot Troubleshooting
GRUB Rescue Mode Fix
At the grub rescue> prompt, run:
ls
set prefix=(hd0,msdos1)/boot/grub2
set root=(hd0,msdos1)
insmod normal
normal
Rebuild GRUB
grub2-install /dev/sda
grub2-mkconfig -o /boot/grub2/grub.cfg
3.4) yum/dnf Package Management (Advanced)
Check History
dnf history
Rollback (undo transaction ID 20, as listed by dnf history):
dnf history undo 20
Clean Repos
dnf clean all
dnf makecache
Version Lock
Install:
dnf install python3-dnf-plugin-versionlock
Lock:
dnf versionlock add kernel
3.5) Monitoring Tools: top, ps, sar, vmstat, iostat
top
Start:
top
Sort by memory (Shift+M).
ps
Top CPU processes:
ps aux --sort=-%cpu | head
sar
Enable:
systemctl enable --now sysstat
CPU report:
sar -u 1 5
vmstat
vmstat 2 5
iostat
iostat -xz 2
3.6) Multipathing
Install Multipath Tools
dnf install device-mapper-multipath
mpathconf --enable --with_multipathd y
Check Multipath Devices
multipath -ll
Sample output:
mpatha (36000d3100435a3bd12c...) dm-2
3.7) iSCSI Target & Initiator
On Target Server
Start tool:
targetcli
Create disk:
/backstores/fileio create disk1 /storage/d1.img 10G
Create target:
/iscsi create iqn.2025-01.com.example:share
Map LUN:
/iscsi/.../tpg1/luns create /backstores/fileio/disk1
Set ACL:
/iscsi/.../tpg1/acls create iqn.client.node
On Initiator
Install:
dnf install iscsi-initiator-utils
Discover targets:
iscsiadm -m discovery -t st -p <server-ip>
Login:
iscsiadm -m node --login
Check disk:
lsblk
3.8) NTP Configuration
Install:
dnf install chrony
systemctl enable --now chronyd
Add NTP server (a line in /etc/chrony.conf, not a shell command):
server 0.pool.ntp.org iburst
Check sync:
chronyc sources
chronyc tracking
3.9) High Availability (HA) Concepts
Key HA Components
| Component | Description |
| --- | --- |
| Pacemaker | Manages cluster resources |
| Corosync | Messaging between nodes |
| Fencing/STONITH | Isolates failed nodes |
| Quorum | Minimum votes to keep cluster active |
Example Pacemaker Resource
pcs resource create Web apache