Create 2 directories in /root, "secure" and "protect". Set the SELinux type of secure to system_conf_t, and set the type of protect to etc_t.

Create a file called "test1" in secure, and "test2" in protect. Look at the types of these files. How does the types of these new files get decided?
The types come from the process transition info The types come from the type transition info Types come from the restorecon database Types are inherited from the parent Types are inherited from /root

Copy test1 to protect/test3. What happens to the test3 type in comparison to test1?
The type of test1 is copied to test3 The type of test3 is taken from protect The type of test3 is taken from the restorecon database The type of test3 is taken from a process transition rule The type of test3 is taken from a file transition rule

Rename secure/test1 to protect/test4. What happens to the test4 type in comparison to the type test1 was when it was in secure (system_conf_t)?
The type of test1 is moved to test4 The type of test4 is changed to match the parent The type of test4 is taken from the restorecon database The type of test4 is taken from a process transition rule The type of test4 is taken from a file transition rule

Use matchpathcon to find the type which would be set if you did a restorecon on protect/test2. Save the output of matchpathcon to /root/match1. What type would be set if you did do restorecon?

Use semanage and list all of the fcontext entries, grepping the list for those which start with /root. Grep through this with the restorecon type from the previous question. This should reduce the list to just 1 regular expression, i.e. the one which matchpathcon used to produce the answer above. What is that expression?

Add a rule to semanage fcontext so that any files in /root/ which end with .bin will be set to type bin_t. Create a file /root/test.bin and do a restorecon on that file to confirm it takes on bin_t.

In this section we will practice accessing and using a selinux boolean.

There is a boolean called httpd_tmp_exec. Is the boolean on or off?
Select right option off on

Change the boolean called httpd_tmp_exec to on.

Find out all allow rules which are switched on by setting this boolean to on. Save the output of sesearch to /root/boolrule. When you search, find all rules, unrestricted by source types.

Click on the button to cause a mislabelling error for httpd.

Start httpd with systemctl. It should fail... this should cause an event.

Save the AVC event to /root/event. MAKE SURE ONLY THE AVC EVENT IS SAVED, AND THERE IS ONLY 1 AVC LINE.

Use the inode information from the event. What is the full pathname of the directory in the event?

Use restorecon on that single directory to fix the label. Confirm that httpd now starts.