
SELinux in Linux

Security-Enhanced Linux (SELinux) is a kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

It is a project of the United States National Security Agency and the SELinux group.

Installing SELinux utilities on Ubuntu

SELinux Options

The options under SELinux are:

  • Enforcing = Enabled - The policy is enforced. This is the default in CentOS, Red Hat, and Fedora.
  • Permissive = Disabled - The policy is not enforced, but the activity is logged.
  • Disabled = Disabled - The policy is not enforced and the activity is not logged.

To check the SELinux status, run the command:

sestatus

Or:

getenforce


SELinux Setting

To switch SELinux to Permissive (enforcement disabled), run setenforce 0. To enable enforcement again, run setenforce 1.

These settings are temporary and are lost once the system is rebooted.

To make the setting permanent, edit the file /etc/selinux/config and set the SELINUX line to one of:

SELINUX=enforcing
SELINUX=disabled


Before changing the SELinux config file, create a snapshot of the VM.

Before rebooting the system, create the file /.autorelabel so that the file system is relabeled on the next boot.
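
Because setenforce changes only the running mode while the config file decides the mode after reboot, the two can disagree. The following is an added example, not part of the original page, that compares them; the function names are hypothetical, the sample config is constructed, and /etc/selinux/config is assumed as the config path.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): compare the mode that will apply
# after reboot (SELINUX= in the config file) with the current runtime mode.

# Print the active SELINUX= value from a config file, lower-cased.
# Commented-out lines and SELINUXTYPE= are ignored; the last assignment wins.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1: runtime mode as printed by getenforce  $2: path to the config file
selinux_drift() {
    local runtime configured
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$(configured_mode "$2")
    if [ -z "$configured" ]; then
        echo "unknown: no SELINUX= line in $2"
    elif [ "$runtime" != "$configured" ]; then
        echo "drift: $runtime now, $configured after reboot"
    elif [ "$runtime" = enforcing ]; then
        echo "ok: enforcing now and after reboot"
    else
        echo "weak: $runtime now and after reboot"
    fi
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
selinux_drift Permissive "$sample"   # the state left behind by `setenforce 0`
rm -f "$sample"

# On a host with the SELinux utilities installed, check the live system.
if command -v getenforce >/dev/null 2>&1; then
    selinux_drift "$(getenforce)" /etc/selinux/config
fi
```

A "drift" result means the running mode will change at the next reboot; a "weak" result means the host is not enforcing now and will not be after reboot either.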

The main concepts of SELinux are:

  • Labeling - A label has four fields: user, role, type and level.
  • Type enforcement.

To list the label of /usr/sbin/httpd, run the command:

ls -lZ /usr/sbin/httpd


Here, the label fields are:

  • user - system_u
  • role - object_r
  • type - httpd_exec_t
  • level - s0

To list the label of a directory /etc/httpd, run the command:

ls -dZ /etc/httpd


To check the label of a process, for example httpd, run the command:

ps axZ | grep httpd


To check the label at the socket level, run the command:

netstat -tnlpZ | grep http


The command for managing SELinux settings is semanage. It can be used to change the following parameters:

  • label
  • login
  • user
  • port
  • interface
  • module
  • node
  • file context
  • boolean
  • permissive state
  • dontaudit

Boolean

A boolean is a switch with an ON/OFF mode. SELinux comes with a set of pre-existing booleans out of the box.

For example, whether the FTP server can access home directories is determined by the ON/OFF mode of a boolean. Likewise, whether httpd can interact with LDAP depends on a boolean.

To get a list of all booleans, run the command:

getsebool -a

Or

semanage boolean -l

To turn on a boolean, run the command (the -P option makes the change persist across reboots):

setsebool -P boolean_name on

For example, to allow httpd to connect to FTP, turn on the boolean with the command:

setsebool -P httpd_can_connect_ftp on

To check the mode of the boolean after allowing httpd to connect to FTP, run the command:

getsebool -a | grep httpd_can_connect_ftp


To view the error messages related to SELinux, run the command:

journalctl

To modify the type in a label, run the command:

chcon -t httpd_sys_content_t FILENAME

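Or, to record the type in the policy so that it survives a relabel (FILENAME must be a full path), run:

semanage fcontext -a -t httpd_sys_content_t FILENAME
restorecon -v FILENAME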

To disable SELinux, open the config file with the command:

vi /etc/selinux/config

In the editor, switch to INSERT mode and set the line:

SELINUX=disabled

Save and exit.

:wq!

Then, reboot the system with the command:

reboot

Log in again as root and run the command:

getenforce


About the Author:

I am Debomita Bhattacharjee, an IT employee with 6+ years of experience in the software industry. My areas of interest are automation testing and front-end development.
