Introduction To SELinux | How To Set Up SELinux

Introduction:

Security Enhanced Linux (SELinux) is an additional layer of system security. A primary goal of SELinux is to protect user data from system services that have been compromised. Most Linux administrators are familiar with the standard user/group/other permission security model. This is a user- and group-based model known as discretionary access control. SELinux provides an additional layer of security that is object-based and controlled by more sophisticated rules, known as mandatory access control.

SELinux is a set of security rules that determine which processes can access which files, directories, and ports. Every file, process, directory and port has a special security label called an SELinux context. A context is a name that is used by the SELinux policy to determine whether a process can access a file, directory, or port. By default, the policy does not allow any interaction unless an explicit rule grants access. If there is no allow rule, no access is allowed.

Many commands that deal with files have an option (usually -Z) to display or set the SELinux context. For instance, ps, ls, cp, and mkdir all use the -Z option to display or set the SELinux context.

SELinux modes:

For troubleshooting purposes, SELinux protection can be temporarily disabled using SELinux modes. There are three modes in SELinux.

1) Enforcing mode: In enforcing mode, SELinux actively denies access; for example, a web server attempting to read files with the tmp_t type context is blocked. In enforcing mode, SELinux both logs and protects.

2) Permissive mode: Permissive mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even where no explicit rule grants access, and it logs those interactions it would have denied in enforcing mode. This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot is required to go from enforcing to permissive or back again.

3) Disabled: This mode completely disables SELinux. A system reboot is required to disable SELinux entirely or to go from disabled mode to enforcing or permissive mode.

SELinux Booleans:

SELinux Booleans are switches that change the behavior of the SELinux policy. SELinux Booleans are rules that can be enabled or disabled. They can be used by security administrators to tune the policy to make selective adjustments.

The getsebool command is used to display SELinux Booleans and their current value. The -a option causes this command to list all of the Booleans.

[root@asim ~]# getsebool -a

Display the current SELinux mode:
[root@asim ~]# getenforce

Change the default SELinux mode to permissive and reboot (the SELINUX= line in /etc/selinux/config sets the mode applied at boot; SELINUXTYPE= selects the policy):
[root@asim ~]# vim /etc/selinux/config
[root@asim ~]# grep '^SELINUX' /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
[root@asim ~]# reboot

Set the current SELinux mode to enforcing (takes effect immediately, no reboot needed):
[root@asim ~]# setenforce 1
[root@asim ~]# getenforce

Display the SELinux Booleans:
[root@asim ~]# getsebool -a
[root@asim ~]# getsebool httpd_enable_homedirs

Set the SELinux Booleans (without -P the change lasts only until the next reboot; -P also writes it to the persistent policy configuration):
[root@asim ~]# setsebool httpd_enable_homedirs on
[root@asim ~]# semanage boolean -l | grep httpd_enable_homedirs
[root@asim ~]# getsebool httpd_enable_homedirs
[root@asim ~]# setsebool -P httpd_enable_homedirs on
[root@asim ~]# semanage boolean -l | grep httpd_enable_homedirs

To list local modifications of SELinux Booleans:
[root@asim ~]# semanage boolean -l -C
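As an added example (not part of the original post), the following POSIX shell script ties the pieces above together: it reads the boot-time mode and policy type from an /etc/selinux/config-style file, compares the configured mode with what getenforce reports so that a permissive mode left behind after troubleshooting is noticed, and lists the Booleans that are currently on from getsebool -a output. The file contents and the "Permissive" running mode are constructed samples; on a real host, point the functions at /etc/selinux/config and the output of getenforce and getsebool -a.

```shell
#!/bin/sh
# Added example: audit SELinux mode consistency and list enabled Booleans.
# Inputs are files/arguments so it runs offline on the constructed samples below.

# configured_mode FILE: the SELINUX= value, i.e. the mode applied at next boot.
# Anchoring on 'SELINUX=' keeps SELINUXTYPE= (also starting with SELINUX) out.
configured_mode() { sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1; }

# configured_type FILE: the SELINUXTYPE= value (normally "targeted").
configured_type() { sed -n 's/^SELINUXTYPE=\([a-z_]*\).*/\1/p' "$1" | tail -n 1; }

# mode_status CONFIGURED RUNNING: prints a verdict; exit 0 only when consistent.
# RUNNING is what getenforce prints (Enforcing, Permissive or Disabled).
mode_status() {
    case "$1/$2" in
        enforcing/Enforcing|permissive/Permissive|disabled/Disabled)
            echo "consistent: $2"; return 0 ;;
        enforcing/Permissive)
            echo "WARNING: boot config is enforcing but host runs permissive (setenforce 0 left in place?)"; return 1 ;;
        disabled/*|*/Disabled)
            echo "NOTE: a change between disabled and enabled takes effect only after reboot"; return 1 ;;
        *)  echo "mismatch: configured=$1 running=$2"; return 1 ;;
    esac
}

# booleans_on FILE: names of Booleans reported "on" in 'getsebool -a' output
# (lines look like "httpd_enable_homedirs --> off").
booleans_on() { awk -F' --> ' '$2 == "on" { print $1 }' "$1"; }

# --- constructed samples standing in for the real file and command output ---
cfg=$(mktemp); bools=$(mktemp)
trap 'rm -f "$cfg" "$bools"' EXIT
cat >"$cfg" <<'EOF'
# constructed /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat >"$bools" <<'EOF'
httpd_enable_homedirs --> off
httpd_can_network_connect --> on
ftpd_anon_write --> off
EOF
echo "boot mode: $(configured_mode "$cfg"), policy: $(configured_type "$cfg")"
# "Permissive" simulates getenforce on a host where setenforce 0 was run.
mode_status "$(configured_mode "$cfg")" Permissive || echo "exit status $? (needs attention)"
echo "booleans on: $(booleans_on "$bools" | tr '\n' ' ')"
```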
