Man, you're the best. Please continue with what you're doing

This was a good intro to SELinux from the prospective of a web developer. Thank you Juriy

After several hours of messing with nginx configs, this finally explained and solved my problem. Thank you.

Finally i found your tutorial that saved my life for programming python on fedora !!!

I've been looking for days to solve a connection error, many many thanks

A million thanks! Every detail is soooooooo important!

Very nicely done: good info in a small enough package with useful commands!

love this series, I learn a lot from your video. Thank you so much

Nice video, thanks!

This course was amazing, it is only missing a firewall tutorial. Will you be planning on adding that?

your video save my night....

Been using Linux for more than a year now but haven't heard about SELinux; thanks for the time for introducing us about it. Some clarifications though: Does httpd_can_network_connect only specifically allow Nginx? Does httpd_enable_homedirs always come in pair with httpd_sys_content_t?

On LinuxMint: Mandatory Access Control os done with AppArmor

Should I be worried about the file's user saying unconfined_u? Should I change it back to system_u? unconfined doesn't just doesn't sound good.

Currently, I am testing SELinux on an Ubuntu 22.04.4 virtual machine & when I enable enforcing, mode the network gets turned off. Funny enough, when I enabled permissive mode, the network is restored. Am I configuring it wrong?

You should not use httpd_sys_content_t on your home dir. This may break other things. There is a separate type to use on user content.

I noticed that with Vultr CentOS, SELinux isn't enabled, `get enforce` outputs `Disabled` for me. I have CentOS Linux release 7.6.1810 (Core). So now I'm wondering, should I enable SELinux purposely, following Digital Ocean's guide, www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts. @Juriy, can I have the link you were referring to in 2:21?

Hi Juriy! My CentOS 8 getenforce = Disabled. And I can't find the link about enabling this. Could you please help? By the way I've just ruined my server with wrong instructions from another site((((

pls pls do more on SEliux

whats in the easyio ffile

Hi Juriy, I saw the another video from your channel (Installing and Configuring NGINX on CentOS) and thats why I am here. But I use a centos distro from my provider (vultr) and I can not enable SElinux. typing getenforce 0 or 1, does not matter.. I can not enable. Do you know how can I fix this?

SEL is way too complicated, apps change way too fast, including their dependencies, I'm not sure if it's worth the trouble. And really, it hasn't gone that far ever since it was introduced decades ago, things are just as I left them as far as I remember. Nowadays you have containers and VMs, there are no ways to escape out of them, and it's much easier and safer imho. In the past, even this kind of thing was difficult to set up, a custom chroot was a lot of work. Now it's easy, it's not efficient, you drop a whole unnecessary minimal OS in that docker, but it's easy. And people managed to make minimal versions of their distros somewhat better than what they used to be.

TROUBLESHOOT SELINUX 1.Change SELinux to permissive mode, so that it only do logging, but not enforcing. # setenforce 0 2.Check the log, by keyword search on the log: # cat /var/log/messages | grep "SELinux is preventing" These are the errors if it is enforcing, there is a command like run: # sealert -l 2bea6d06-41ed-4164-b30e-488865696951 We can use it to check the details by running the above command. Pay attention to the timestamp too. 3. Run “sealert” command to get a suggested solution After running “sealert” command, there will be a solution, it usually ask the user to run several terminal commands like these: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp 4. Create a folder for future reference before running the suggested solution, because solution command might create files like my-gunicorn.pp my-gunicorn.te # mkdir ~/Documents/selinuxsolution 5. Run the suggested command in sealert # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp 6. Fix "SELinux is preventing" problems one by one, assuming now SELinux is in permissive mode, make sure the web service is running fine, then turn on SELinux: Edit /etc/selinux/config OR /etc/sysconfig/selinux Then run this command # setenfore 1 The Web service should still be running after turning on SELinux