
SELinux Configuration Guide

Overview on SELinux Configuration Guide

SELinux, or Security-Enhanced Linux, is a security architecture integrated into the Linux kernel. It provides a flexible Mandatory Access Control (MAC) system that can be used to control the access of processes and users to system resources. In this SELinux Configuration Guide, I’ll cover the basics of SELinux, including how to check its status, manage policies, and troubleshoot common issues.

1. Checking SELinux Status:

To check if SELinux is enabled or disabled on your system, you can use the sestatus command:

sestatus

Example output:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      34

2. Understanding SELinux Modes:

SELinux operates in three modes: Enforcing (policy violations are blocked and logged), Permissive (violations are only logged, not blocked), and Disabled (no policy is loaded). The setenforce command changes the mode at runtime only; the mode applied at boot is read from /etc/selinux/config.

# Set SELinux to Enforcing mode (runtime only, until the next reboot)
sudo setenforce 1
# Set SELinux to Permissive mode (runtime only, until the next reboot)
sudo setenforce 0
# Disable SELinux persistently (requires a reboot)
sudo nano /etc/selinux/config
# Change SELINUX=enforcing to SELINUX=disabled
# Reboot the system
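The persistent mode change above is done with an interactive editor. The following script is an added example (not part of the original guide) that performs the same SELINUX= edit non-interactively, validates the requested mode so a typo cannot leave the file with an unknown value, and reads the setting back. It works on a constructed copy of the config file, so it can be tried without touching the real /etc/selinux/config; point it at the real file only as root.

```shell
#!/bin/sh
# Added example: read and set the persistent SELinux mode in an
# /etc/selinux/config-style file. Uses a constructed sample file so it runs
# anywhere; the file layout mirrors /etc/selinux/config on Fedora/RHEL.

# Print the value of the active (uncommented) SELINUX= line.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Set SELINUX=<mode> in the given file. Only the three valid modes are
# accepted; anything else is rejected and the file is left unchanged.
set_selinux_config_mode() {
    file=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    # Anchored at line start so the commented explanation lines and the
    # SELINUXTYPE= line are not touched.
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$file"
}

# Constructed sample config (not a real system file).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo "persistent mode in sample file: $(selinux_config_mode "$SAMPLE_CONFIG")"
```

Remember that editing the file alone does not change the running mode; pair it with setenforce for an immediate effect, and note that switching from disabled to enforcing triggers a full filesystem relabel on the next boot.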

3. SELinux Policies:

To view information about the active policy (the -v flag additionally prints the contexts of key processes and files):

sestatus -v

Example output:

Loaded policy name:             targeted

4. Working with SELinux Labels:

SELinux uses labels to determine access control for processes and files. Labels are associated with files, processes, and network ports. Use the ls command with the -Z option to display SELinux context:

ls -Z /etc/passwd

Example output:

-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

5. Managing SELinux Policies:

Installing and Updating Policies:

To install or update SELinux policy packages:

sudo yum install selinux-policy
sudo semodule -i mymodule.pp

Reloading Policies:

After making changes to policies, you can reload them without rebooting:

sudo semodule -R
# Note: the lowercase -r flag removes a module instead, e.g. sudo semodule -r mymodule

6. Troubleshooting SELinux:

Reviewing SELinux Logs:

SELinux violations are logged in the audit log. You can use the ausearch and audit2why commands to review logs:

ausearch -m AVC -ts recent

Example output:

time->Thu Jan 27 15:30:00 2023
type=AVC msg=audit(1643316600.123:456): avc:  denied  { read } for  pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

To get an explanation of each denial, pipe the audit log through audit2why:

audit2why < /var/log/audit/audit.log

Example output:

type=AVC msg=audit(1643316600.123:456): avc:  denied  { read } for  pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

    Was caused by:
    The boolean domain_kernel_load_modules was set incorrectly.
    Description:
    Allow domain unconfined_t to kernel_load_modules unlabeled_t

    Allow access by executing:
    # setsebool -P domain_kernel_load_modules 1
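On a busy system the raw AVC records are long and repetitive, and the first triage question is usually "which domain is being denied what, on which target type?". The script below is an added example (not from the original guide) that reduces ausearch-style AVC records to one summary line each and counts denials per source domain. The sample records are embedded inline: the first is the guide's own example above, the other two are constructed for this demonstration. A target type of unlabeled_t is flagged for relabeling, since that usually points to a mislabeled file rather than a policy gap; everything else is flagged for review with audit2why.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for triage.
# Input format is what `ausearch -m AVC` prints. Records below are
# constructed sample data (the first one is the guide's example record).
AVC_SAMPLE='type=AVC msg=audit(1643316600.123:456): avc:  denied  { read } for  pid=1234 comm="example" name="example.txt" dev="sda1" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1643316601.001:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1643316602.500:458): avc:  denied  { write } for  pid=3456 comm="httpd" name="index.html" dev="sda1" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read AVC records on stdin and print one line per denial:
#   source_type target_type class permissions comm hint
summarize_avc() {
    awk '
    /avc: +denied/ {
        # Permissions inside "{ ... }", joined with commas if there are several.
        perms = $0
        sub(/.*denied +\{ +/, "", perms)
        sub(/ +\}.*/, "", perms)
        gsub(/ /, ",", perms)
        # Extract the key=value fields we care about.
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        match($0, /comm="[^"]*"/);   comm = substr($0, RSTART + 6, RLENGTH - 7)
        # Contexts are user:role:type[:range]; the type is the third field.
        split(s, sa, ":"); split(t, ta, ":")
        hint = (ta[3] == "unlabeled_t") ? "relabel-with-restorecon" : "check-with-audit2why"
        printf "%s %s %s %s %s %s\n", sa[3], ta[3], c, perms, comm, hint
    }'
}

# Count denials per source domain, noisiest domain first: "<domain> <count>".
count_by_domain() {
    summarize_avc | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

echo "== denials =="
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
echo "== per source domain =="
printf '%s\n' "$AVC_SAMPLE" | count_by_domain
```

In practice feed it live data with `ausearch -m AVC -ts today | summarize_avc`. The summary is a triage aid only: a denial flagged check-with-audit2why still needs the audit2why explanation before you decide whether to relabel, toggle a boolean, or write a local module, and a spike in one domain's count is a good detection signal in its own right.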

Restoring Default SELinux Context:

If SELinux contexts have been modified incorrectly (for example, files showing unlabeled_t in AVC denials), you can restore the defaults defined by the policy's file context rules using:

restorecon -R /path/to/directory

Conclusion on SELinux Configuration Guide

Configuring SELinux is a crucial step in enhancing the security of Linux systems. By enforcing mandatory access controls, SELinux minimizes the risk of unauthorized access and protects sensitive data from potential threats. Whether used in enforcing, permissive, or disabled mode, SELinux provides robust security tailored to your environment’s needs. It is essential to understand the policies and configurations to fully leverage its capabilities. Regular audits and policy updates ensure continued protection against emerging threats. Embrace SELinux to secure your infrastructure proactively.
