SELinux Enforcing on an Anubiz Offshore VPS
If you chose the Rocky 9 or Alma 9 template at provisioning, SELinux is the right MAC layer (Ubuntu users want AppArmor instead). The Anubiz Rocky template ships SELinux in enforcing mode by default, which is correct. This guide is about staying in enforcing mode rather than disabling SELinux the first time a service breaks. Workflow: capture denials, generate a custom policy module, install, repeat.
Step 1: Stay Enforcing
getenforce must return Enforcing. If it says Permissive, set SELINUX=enforcing in /etc/selinux/config and reboot.
Step 2: Standard Booleans
Run setsebool -P httpd_can_network_connect on for reverse proxies. Other standard booleans include nis_enabled, ssh_chroot_rw_homedirs, etc.; getsebool -a lists them.
Step 3: Custom Contexts
For an app in /opt/myapp, run semanage fcontext -a -t bin_t '/opt/myapp/bin(/.*)?' to record the context, then restorecon -R /opt/myapp to apply it.
Step 4: audit2allow Workflow
When the app breaks, run ausearch -m avc -ts recent | audit2allow -M myapp, then install the generated module with semodule -i myapp.pp. Re-test, and iterate until there are no more denials.
Step 5: Verify
Run sealert -a /var/log/audit/audit.log for human-readable analysis, if setroubleshoot is installed.
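Before installing a module in Step 4, it helps to see exactly which rules the captured denials imply. The script below is an added example, not part of the original guide: it parses AVC records and prints one allow rule per permission with a hit count. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the allow rules implied by AVC denials, with hit counts,
# so the scope of a module can be read before it is installed.

# Constructed sample audit records (not taken from a real host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=2210 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.442:507): avc:  denied  { name_connect } for  pid=2211 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.310:512): avc:  denied  { read open } for  pid=2210 comm="nginx" path="/srv/app/index.html" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000009.310:512): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
EOF
}

# Reads audit records on stdin and prints lines of the form
#   <count> allow <source_type> <target_type>:<class> <permission>;
avc_rules() {
  awk '
    /avc:/ && /denied/ {
      src = tgt = cls = perms = ""; inset = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inset = 1; continue }   # start of permission set
        if ($i == "}") { inset = 0; continue }   # end of permission set
        if (inset) { perms = perms (perms == "" ? "" : " ") $i; continue }
        # A context is user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next   # skip malformed records
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[src " " tgt ":" cls " " p[j]]++
    }
    END { for (k in count) printf "%d allow %s;\n", count[k], k }
  ' | LC_ALL=C sort -k2
}

# Demo on the constructed records.
sample_avc | avc_rules
```

On a host, feed it the same input as Step 4: ausearch -m avc -ts recent | avc_rules. A rule that names a broad target type usually points to a missing boolean (Step 2) or a wrong file label (Step 3) rather than something to allow in a module.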