Summary
In this chapter, you learned:
- You can configure the targeted policy set from RHEL by setting file contexts, booleans, and resource labels to match configuration changes in system services.
- SELinux booleans enable RHEL to provide a very restrictive default policy for its confined services while enabling system administrators to relax the policies to selectively enable optional features of a system service.
- AVC errors from SELinux include a lot of information, such as the domain and resource contexts, process IDs, user IDs, and file paths.
- The audit2why and sealert tools help with interpreting AVC errors and suggest actions to fix the error, if you want to allow an application to perform the task that was denied by SELinux.
- You shouldn’t blindly trust the suggestions from the SELinux tools. You should decide between configuring the policies from RHEL and creating a new custom policy.
- The SELinux system role facilitates applying consistent settings to RHEL machines regarding file contexts, booleans, and ensuring SELinux is enforcing policies.
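To make the AVC point above concrete, the following added example (not code from the chapter or from RHEL) parses one AVC record and separates the domain context from the resource context, so you can see which label mismatch caused the denial before acting on a tool's suggestion. The sample record, `split_context` and `parse_avc` are constructed for illustration.

```python
import re

# Constructed sample record in audit.log AVC format (not taken from the chapter).
SAMPLE = (
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { getattr } for  '
    'pid=2465 comm="httpd" path="/custom/index.html" dev="dm-0" ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    parts += [None] * (4 - len(parts))  # level is absent when MLS is disabled
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m["fields"])}
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {
        "result": m["result"],
        "permissions": m["perms"].split(),
        "pid": int(kv["pid"]) if kv.get("pid", "").isdigit() else None,
        "comm": kv.get("comm"),
        "path": kv.get("path") or kv.get("name"),
        "source": split_context(kv["scontext"]),  # the process domain
        "target": split_context(kv["tcontext"]),  # the resource label
        "tclass": kv.get("tclass"),
        "permissive": kv.get("permissive") == "1",
    }


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(f'{rec["comm"]} (pid {rec["pid"]}) in domain {rec["source"]["type"]} was '
          f'{rec["result"]} {rec["permissions"]} on {rec["path"]} '
          f'labelled {rec["target"]["type"]}')
```

In the constructed record the target type is `default_t`, which points at a file context that was never set for the new path rather than at a policy that needs relaxing.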