Mastering SELinux: A Beginner's Guide to Enhancing Security for Linux Systems

Introduction

i. SELinux is a security framework.

ii. It adds an additional layer of protection to Linux systems.

iii. It uses a mandatory access control (MAC) mechanism, which means that access decisions are based on a defined security policy. This policy dictates what actions are allowed or denied for each process and file on the system.

iv. It offers granular control over access permissions. It assigns labels to processes and files, creating a security context. These labels define the level of access each entity has and restrict unauthorized actions.

v. It uses role-based access control (RBAC).

vi. SELinux is not optional; it is an integral part of some Linux distributions. Disabling it can significantly reduce the system's security posture.

Common Commands

  1. The command “getenforce”

    • Syntax:

    getenforce

    • The command is run in the terminal without any additional arguments.

    Key points about the getenforce command:

    • Current Mode: getenforce displays the current enforcement mode of SELinux on your system.

    • Modes: SELinux can operate in three modes: Enforcing, Permissive, and Disabled.

    • Enforcing Mode: In this mode, SELinux actively enforces security policies and denies any actions that violate those policies.

    • Permissive Mode: In this mode, SELinux doesn't block actions but generates log entries for policy violations. It serves as a troubleshooting aid.

    • Disabled Mode: When SELinux is disabled, it doesn't enforce any policies, allowing all actions without restrictions.

    • System Status: By checking the SELinux mode with getenforce, you can determine if SELinux is active and whether it is enforcing or operating in a more permissive mode.

    • Troubleshooting: The command is often used when diagnosing issues related to SELinux, as it provides information on the current mode, which can help identify if SELinux is causing problems.

  2. The command “setenforce”

    i. It is used to set the enforcement mode of SELinux (Security-Enhanced Linux) on a system.

    ii. The change is temporary; to make it permanent you need to change the SELinux configuration file.

    iii. Syntax:

    • To enable SELinux enforcement: setenforce 1 or setenforce Enforcing

    • To switch enforcement off (permissive mode): setenforce 0 or setenforce Permissive

  3. The command “sestatus”

    i. Used to check the status of SELinux.

    ii. Syntax:

    sestatus

    iii. The “sestatus” command displays the following information:

    • SELinux status: Enforcing, Permissive, or Disabled.

    • SELinux policy: The policy in use, such as targeted or MLS (Multi-Level Security).

    • Loaded policy name: The specific policy module loaded into the kernel.

    • Current mode: The current operating mode of SELinux, either enforcing or permissive.

    • Mode from config file: The default mode specified in the configuration file.

    • Policy version: The version of the SELinux policy in use.

    • Policy from config file: The default policy specified in the configuration file.

    • SELinux enabled: Indicates whether SELinux is enabled or disabled.

    • SELinux enforced: Indicates whether SELinux is enforced or running in permissive mode.
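Because setenforce only changes the running kernel while the configuration file decides the mode after the next boot, the two values that sestatus reports as "Current mode" and "Mode from config file" can disagree, and that disagreement is a useful signal that a host was switched to permissive at runtime and never switched back. The script below is an added example, not code from the original article: it parses sestatus output into named fields and flags such drift. The SAMPLE_* outputs are constructed in the format sestatus prints; when sestatus is installed the script reports on the live output instead.

```shell
#!/bin/sh
# Added example (not from the original article): detect SELinux mode drift
# by comparing the runtime mode with the mode from /etc/selinux/config,
# both as reported by sestatus. The SAMPLE_* outputs are constructed.

SAMPLE_OK='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled'

# Constructed: a host after "setenforce 0" with no config change.
SAMPLE_DRIFTED='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed: a host booted with SELINUX=disabled prints only this line.
SAMPLE_DISABLED='SELinux status:                 disabled'

# selinux_field STATUS_TEXT FIELD
# Prints the value of the "FIELD:" line from sestatus output (empty if absent).
selinux_field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" '
        $1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# selinux_drift STATUS_TEXT
# Prints one of:
#   disabled - SELinux is not running at all, so no policy is applied
#   ok       - runtime mode matches the configured mode
#   drift    - runtime mode differs from the configured mode (e.g. after setenforce 0)
selinux_drift() {
    state=$(selinux_field "$1" "SELinux status")
    if [ "$state" != "enabled" ]; then
        echo disabled
        return 0
    fi
    current=$(selinux_field "$1" "Current mode")
    configured=$(selinux_field "$1" "Mode from config file")
    if [ "$current" = "$configured" ]; then
        echo ok
    else
        echo drift
    fi
}

# Report on the live system when sestatus exists, otherwise on the constructed sample.
if command -v sestatus >/dev/null 2>&1; then
    status=$(sestatus)
else
    status=$SAMPLE_DRIFTED
fi
printf 'policy=%s current=%s configured=%s result=%s\n' \
    "$(selinux_field "$status" "Loaded policy name")" \
    "$(selinux_field "$status" "Current mode")" \
    "$(selinux_field "$status" "Mode from config file")" \
    "$(selinux_drift "$status")"
```

Run it from cron or a configuration-management check; a result of drift on a host whose config file says enforcing means the permissive state was set by hand, and the AVC denials that permissive mode keeps logging tell you what enforcing mode would have blocked in the meantime.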

  4. The command “semanage”

    i. Used to manage SELinux policy configuration.

    ii. Syntax:

    semanage [arguments]

    iii. File Contexts:

    • fcontext subcommand: Manages file contexts, which define SELinux labels for files and directories.

    • Example:

    semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'

    iv. Ports:

    • port subcommand: Manages SELinux port definitions for network services.

    • Example:

    semanage port -a -t http_port_t -p tcp 8080
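Two pre-flight checks that make the semanage calls above less surprising, written as an added example rather than code from the original article: semanage port -a fails when the port is already assigned to a type (it then needs -m instead of -a), and fcontext patterns are matched against the entire path, so it helps to know which paths a pattern covers before applying it. SAMPLE_PORTS is a constructed listing in the column format that semanage port -l prints; the path check approximates SELinux's file-context regex matching with an anchored grep -E, which is exact for simple patterns like the one above.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# semanage port and semanage fcontext calls. SAMPLE_PORTS is a constructed
# listing in the column format that "semanage port -l" prints.

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
zabbix_port_t                  tcp      10050-10051'

# port_type LISTING PROTO PORT
# Prints the SELinux type that currently owns PORT/PROTO, or nothing if the
# port is unassigned. Handles single ports and "low-high" ranges.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR == 1 || $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)          # strip the list separator
                if (index(p, "-") > 0) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) {
                    print $1; exit
                }
            }
        }'
}

# port_action LISTING TYPE PROTO PORT
# Prints the verb the semanage call needs:
#   add             - port is free: semanage port -a -t TYPE -p PROTO PORT
#   noop            - port already carries TYPE, nothing to do
#   modify <owner>  - port belongs to another type; -a would fail, use -m
port_action() {
    owner=$(port_type "$1" "$3" "$4")
    if [ -z "$owner" ]; then
        echo add
    elif [ "$owner" = "$2" ]; then
        echo noop
    else
        echo "modify $owner"
    fi
}

# fcontext_matches PATTERN PATH
# Returns 0 when PATH is covered by the fcontext regex PATTERN. SELinux matches
# file-context regexes against the whole path, which grep -E reproduces here by
# anchoring the pattern at both ends.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

port_action "$SAMPLE_PORTS" http_port_t tcp 8080   # add
port_action "$SAMPLE_PORTS" http_port_t tcp 22     # modify ssh_port_t
for path in /var/www /var/www/html/index.html /var/www2; do
    if fcontext_matches '/var/www(/.*)?' "$path"; then
        echo "$path: covered by /var/www(/.*)?"
    else
        echo "$path: not covered"
    fi
done
```

Adding an fcontext rule only records it in the policy; existing files keep their old labels until restorecon -Rv /var/www applies the rule to them, and a port rule takes effect for new connections as soon as semanage returns.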