SELinux
SELinux, or Security-Enhanced Linux, is a security architecture integrated into the Linux kernel. It provides a flexible Mandatory Access Control (MAC) system that can be used to control the access of processes and users to system resources. In this tutorial, I’ll cover the basics of SELinux, including how to check its status, manage policies, and troubleshoot common issues.
1. Checking SELinux Status:
To check if SELinux is enabled or disabled on your system, you can use the sestatus command:
sestatus
Example output:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 34
2. Understanding SELinux Modes:
SELinux operates in three modes: Enforcing, Permissive, and Disabled.
# Set SELinux to Enforcing mode
sudo setenforce 1
# Set SELinux to Permissive mode
sudo setenforce 0
# Disable SELinux (requires a reboot)
sudo nano /etc/selinux/config
# Change SELINUX=enforcing to SELINUX=disabled
# Reboot the system
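Because setenforce only changes the running mode while /etc/selinux/config decides the mode after the next boot, the two can silently diverge (for example after someone runs setenforce 0 during troubleshooting and never switches back). The following shell snippet is an added example, not part of the original tutorial: it parses sestatus output and reports whether the host is enforcing, permissive, disabled, or drifting between runtime and config. The sestatus outputs it reads are constructed copies of the tutorial's sample so the check runs on a host without SELinux; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): detect drift between the running
# SELinux mode and the mode configured for the next boot, using sestatus output.

# Constructed sestatus outputs, modelled on the tutorial's example.
SESTATUS_ENFORCING='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'

SESTATUS_DRIFT='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

SESTATUS_DISABLED='SELinux status:                 disabled'

# sestatus_field OUTPUT LABEL -> value on the "LABEL:" line, whitespace trimmed
sestatus_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# selinux_mode_check OUTPUT -> prints one verdict and returns 0 only when the host is
# enforcing now and will still be enforcing after a reboot:
#   enforcing                 running and configured enforcing
#   permissive                running and configured permissive (denials only logged)
#   drift:<running>/<config>  runtime mode differs from /etc/selinux/config
#   disabled                  SELinux is off
selinux_mode_check() {
    status=$(sestatus_field "$1" "SELinux status")
    run=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo disabled
        return 1
    fi
    if [ "$run" != "$cfg" ]; then
        echo "drift:$run/$cfg"
        return 1
    fi
    echo "$run"
    [ "$run" = "enforcing" ]
}

# On a real host you would feed it live output: selinux_mode_check "$(sestatus)"
selinux_mode_check "$SESTATUS_ENFORCING"
selinux_mode_check "$SESTATUS_DRIFT" || echo "WARNING: mode drift detected"
```

A non-zero exit for anything other than a stable enforcing state makes the function usable as a cron or configuration-management check; the drift verdict is the one worth alerting on, since it means the effective policy differs from what the config file claims.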
3. SELinux Policies:
To view information about the active policy:
sestatus -v
Example output:
Loaded policy name: targeted
4. Working with SELinux Labels:
SELinux uses labels to determine access control for processes and files. Labels are associated with files, processes, and network ports. Use the ls command with the -Z option to display the SELinux context:
ls -Z /etc/passwd
Example output:
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
5. Managing SELinux Policies:
Installing and Updating Policies:
To install or update SELinux policy packages:
sudo yum install selinux-policy
sudo semodule -i mymodule.pp
Reloading Policies:
After making changes to policies, you can reload them without rebooting:
# Reload the active policy (note: "semodule -r mymodule" would remove the module instead)
sudo semodule -R
6. Troubleshooting SELinux:
Reviewing SELinux Logs:
SELinux violations are logged in the audit log. You can use the ausearch and audit2why commands to review logs:
ausearch -m AVC -ts recent
Example output:
time->Thu Jan 27 15:30:00 2023
type=AVC msg=audit(1643316600.123:456): avc: denied { read } for pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
audit2why < /var/log/audit/audit.log
Example output:
type=AVC msg=audit(1643316600.123:456): avc: denied { read } for pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
Was caused by:
The boolean domain_kernel_load_modules was set incorrectly.
Description:
Allow domain unconfined_t to kernel_load_modules unlabeled_t
Allow access by executing:
# setsebool -P domain_kernel_load_modules 1
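When ausearch or audit2why is not available (a minimal container, or a copied audit.log on an analysis box), the AVC records can still be triaged with plain sed and sort. The following shell snippet is an added example, not code from the original tutorial: it reduces each AVC denial to "source type -> target type class { permissions } [enforced|permissive]" and counts identical denials, which is the first thing you want before deciding whether a denial is a labelling mistake (fix with restorecon), a missing policy rule, or a process doing something it should not. The log lines it reads are constructed, modelled on the tutorial's example denial; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarize AVC denials from raw audit
# log lines without ausearch/audit2why. The fields it reads (scontext, tcontext, tclass,
# the "{ perm }" set, permissive=) are the standard audit AVC record fields.

# Constructed sample audit log, modelled on the tutorial's example denial.
SAMPLE_AVC_LOG='type=AVC msg=audit(1643316600.123:456): avc:  denied  { read } for  pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643316601.500:457): avc:  denied  { write } for  pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643316602.000:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1643316602.000:458): arch=c000003e syscall=42 success=no exit=-13'

# avc_field LINE KEY -> value of " KEY=value" in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission set between the braces, e.g. "read" or "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT -> the type field (third colon-separated field) of a context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avc LINE -> "SRC_TYPE -> TGT_TYPE CLASS { PERMS } [enforced|permissive]"
# Returns 1 and prints nothing for records that are not AVC denials.
summarize_avc() {
    case "$1" in
        *type=AVC*denied*) ;;
        *) return 1 ;;
    esac
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    # permissive=1 means the access was logged but actually allowed
    if [ "$(avc_field "$1" permissive)" = "1" ]; then mode=permissive; else mode=enforced; fi
    printf '%s -> %s %s { %s } [%s]\n' "$src" "$tgt" "$cls" "$perms" "$mode"
}

# summarize_log < LOG -> unique denial summaries, each prefixed with its count
summarize_log() {
    while IFS= read -r line; do
        summarize_avc "$line" || :
    done | sort | uniq -c | sed 's/^ *//'
}

# On a real host: summarize_log < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC_LOG" | summarize_log
```

In the sample, the unlabeled_t target is the tell-tale of a file whose label was lost (for example after being copied in from a filesystem without SELinux support), so the remedy is restorecon rather than a new policy rule; the permissive-mode httpd_t denial shows what would start failing the moment the host goes back to enforcing.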
Restoring Default SELinux Context:
If SELinux contexts are modified incorrectly, you can restore the default contexts using:
restorecon -R /path/to/directory
Conclusion:
SELinux is a powerful tool for enhancing the security of Linux systems. This tutorial covers the basics, but there’s much more to explore. Refer to the official SELinux documentation and resources for in-depth information and advanced configurations.