Red Hat Enterprise SELinux Policy Administration

This training module and certification examination is discontinued by Red Hat.

The Red Hat Enterprise SELinux Policy Administration Exam is a performance-based test of the skills covered in RHS429 Red Hat Enterprise SELinux Policy Administration. RHS429 provides a four day tutorial on SELinux and SELinux policy writing.

In order to enroll in this exam, one must have an RHCE on a current release at the time of the exam. Upon passing the exam, one will have earned this additional Certificate of Expertise to one’s RHCE certification.

Counts towards RHCSS certifications

This Certificate of Expertise is one of the three required in order to earn the designation Red Hat Certified Security Specialist (RHCSS).

Red Hat Enterprise SELinux Policy Administration

Security-enhanced Linux (SELinux) is a powerful, kernel-level security layer that provides fine-grained control over which users and processes may access what resources and execute which programs on a system. Red Hat Enterprise SELinux Policy Administration (RHS429) introduces senior system administrators, security administrators, and application programmers to SELinux policy writing. Students will learn how SELinux works, how to manage, and how to write, compile and debug a SELinux policy. This class culminates in a major project to analyze, determine the security needs, design and implement a set of net new policies for a service previously unprotected by SELinux.


  • Experienced Linux system administrators responsible for Mandatory Access Control-based (MAC) security, or who want to harden their existing Linux system or networked services security.
  • An RHCE interested in earning a Red Hat Certification of Expertise, or a Red Hat Certified Security Specialist (RHCSS)
  • Experienced system administrators wanting to integrate directory service and authentication mechanisms across multiple operating systems


  • Red Hat Certified Engineer (RHCE) certification or equivalent experience
  • Students without an RHCE certification are encouraged to do a skills assessment online

Course Content

  • Introduction to SELinux
  • Using SELinux
  • The Red Hat targeted policy
  • Introduction to policies
  • Policy utilities
  • User and role security
  • Anatomy of a policy
  • Manipulating policies

Duration: 4 Days (32 hours)

Fee: Rs 15,000/- + service tax

Content Outline

  1. Introduction to SELinux
    • Discretionary Access Control vs. Mandatory Access Control
    • SELinux History and Architecture Overview
    • Elements of the SELinux security model:
      • user identity and role
      • domain and type
      • sensitivity and categories
      • security context
    • SELinux Policy and Red Hat’s Targeted Policy
    • Configuring Policy with Booleans
    • Archiving
    • Setting and Displaying Extended Attributes
    • Hands-on Lab: Understanding SELinux
  2. Using SELinux
    • Controlling SELinux
    • File Contexts
    • Relabeling Files and Filesystems
    • Mount options
    • Hand-on Lab: Working with SELinux
  3. The Red Hat Targeted Policy
    • Identifying and Toggling Protected Services
    • Apache Security Contexts and Configuration Booleans
    • Name Service Contexts and Configuration Booleans
    • Other Services
    • File Context for Special Directory Trees
    • Troubleshooting and avc Denial Messages
    • setroubleshootd and Logging
    • Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy
  4. Introduction to Policies
    • Policy Overview and Organisation
    • Compiling and Loading the Monolithic Policy and Policy Modules
    • Policy Type Enforcement Module Syntax
    • Object Classes
    • Hands-on Lab: Understanding policies
  5. Policy Utilities
    • Tools available for manipulating and analyzing policies
      • apol
      • seaudit and seaudit_report
      • checkpolicy
      • sesearch
      • sestatus
      • audit2allow and audit2why
      • sealert
      • avcstat
      • seinfo
      • semanage
      • Man pages
    • Hands-on Lab: Exploring Utilities
  6. User and Role Security
    • Role-based Access Control
    • Multi Category Security
    • Defining a Security Administrator
    • Multi-Level Security
    • The strict Policy
    • User Identification and Declaration
    • Role Identification and Declaration
    • Domain Transitions
    • Roles in Use in Transitions
    • Role Dominance
    • Hands-on Lab: Implementing User and Role Based Policy Restrictions
  7. Anatomy of a Policy
    • Policy Macros
    • Type Attributes and Aliases
    • Type Transitions
    • When and How do Files Get Labeled
    • restorecond
    • Customisable Types
    • Hands-on Lab: Building Policies
  8. Manipulating Policies
    • Installing and Compiling Policies
    • The Policy Language
    • Access Vector
    • SELinux logs
    • Security Identifiers – SIDs
    • Filesystem Labeling Behavior
    • Context on Network Objects
    • Creating and Using New Booleans
    • Manipulating Policy by Example
    • Macros
    • Enableaudit
    • Hands-on Lab: Compiling Policies
  9. Project
    • Best practices
    • Create File Contexts, Types and Typealiases
    • Edit and Create Network Contexts
    • Edit and Create Domains
    • Hands-on Lab: Editing and Writing Policy

Certification Examination

The EX429 SELinux Policy Administration Expertise Exam tests the ability of an RHCE to modify parameters within the included SELinux Policy in Red Hat Enterprise Linux and to configure custom SELinux policies.

Exam Format

The format is performance-based, meaning that candidates must perform tasks on live systems, rather than answering questions about how one might perform those tasks.


Candidates must be an RHCE on a release that is considered current in order to take this exam.

Components of the Exam

The Exam is organised into two sections:

  • SELinux Policy Writing: 2.5 hours
  • Targeted Policy System Maintenance: 1.0 hours

Duration: 3.5 Hours

Fee: Rs 12,500/- + service tax

Exam Objectives

Candidates should be able to perform the tasks listed below:

SELinux Policy Writing
  • Specify an enforcement mode
  • Specify a particular policy
  • Update a system to use the latest SELinux packages
  • Create and implement a custom policy module to support a given service, including:
    • Port bindings
    • File and directory access
    • Type transitions
    • Default file types
    • Booleans
    • Type Aliases
Targeted Policy System Maintenance
  • Specify an enforcement mode
  • Specify a particular policy
  • Modify an existing policy including:
    • Port bindings
    • File and directory access
    • Type transitions
    • Default file types
    • Booleans
    • Type Aliases
  • Backup/Restore a filesystem preserving SELinux attributes

As with all Red Hat performance-based exams, configurations must persist after reboot without intervention.