How to Configure SELinux on Linux

Edited 3 weeks ago by ExtremeHow Editorial Team

SecuritySELinuxConfigurationPoliciesCommand LineEnforcementSysAdminMonitoringBest PracticesAccess Control

Introduction

SELinux, which stands for Security-Enhanced Linux, is a security architecture integrated into the kernel that provides a mechanism to support access control security policies. Its goal is to enforce operating system policies that limit program capabilities and protect the system from potential vulnerabilities. Configuring SELinux on your Linux-based system can help you achieve a more secure environment. This comprehensive guide explains how to configure SELinux on a Linux machine step-by-step.

Understanding SELinux mode

Before configuring SELinux, it is important to understand the modes in which SELinux can operate. These modes determine how SELinux manages access control in your operating system.

• Enforcing: This mode is the most secure. In enforcing mode, SELinux enforces its configured policy rules to ensure proper access and prevent unauthorized access.
• Permissive: In this mode, SELinux does not enforce policies, but it logs all actions that would have been denied if it were in enforceable mode. This allows administrators to test and troubleshoot SELinux policies without actually restricting access.
• Disabled: SELinux is completely turned off, and no security policies are enforced. This is not recommended for production environments.

Checking the current SELinux status

To configure SELinux effectively, you need to check its current state. This will help you understand whether SELinux is active or not and what mode it is currently using.

Open a terminal window and enter the following command to check the status:

getenforce

You can also use the following command for more detailed information:

sestatus

This command will show you the current status as Enforcing , Permissive , or Disabled.

Changing the SELinux mode

You can change the SELinux mode temporarily or permanently. It is often useful to change the mode temporarily for testing or troubleshooting, but permanent changes are necessary to make the configuration permanent after a reboot.

Changing the SELinux mode temporarily

To temporarily change the mode without rebooting the system, you can use setenforce command. For example, to switch to enforcing mode, run:

sudo setenforce 1

To switch to permissive mode, execute:

sudo setenforce 0

Changing the SELinux mode permanently

To make the change permanent, update the SELinux configuration file located at /etc/selinux/config. Open this file using a text editor:

sudo nano /etc/selinux/config

Look for the line that begins with SELINUX= and change its value to enforcing, permissive, or disabled depending on your needs. For example:

SELINUX=enforcing

Save and close the file, then reboot your system to make the changes effective.

Understanding SELinux policy types

SELinux policies define the security rules enforced by SELinux. These policies control the permissions granted to various users and services on the system. The most commonly used policies are:

• Targeted: Only targeted system processes are protected, making it suitable for most cases.
• MLS (Multi-Level Security): Provides more complex security policies used in highly secure environments, such as government systems.

To find out the policy currently in use, execute the following command in the terminal:

sestatus | grep "Loaded policy name"

Installing and managing SELinux packages

To effectively manage SELinux, you may need to install related tools and packages, which vary depending on the distribution. Below are some common packages that may be helpful.

• policycoreutils: Contains command-line utilities required for SELinux.
• setools: Provides tools for analyzing and managing SELinux policies.
• selinux-policy: Core policy package containing predefined SELinux policies.

For Debian/Ubuntu-based distributions

Use apt package manager to install the SELinux tools:

sudo apt update sudo apt install policycoreutils selinux-utils setools

For RHEL/CentOS-based distributions

Use yum or dnf package manager to install the SELinux tools:

sudo yum install policycoreutils selinux-policy setools

Managing SELinux policies

Understanding how to enable or disable SELinux policies for specific services can be important to achieve the level of security you require without disrupting the intended functionalities of the services. SELinux uses booleans to toggle policies for specific functionalities.

To list the available SELinux booleans, run the following command:

getsebool -a

Configuring SELinux booleans

To change the boolean value temporarily (until the next reboot):

sudo setsebool httpd_enable_homedirs on

To permanently change the boolean value use the -P option, which writes the change to disk:

sudo setsebool -P httpd_enable_homedirs on

Labeling files with SELinux contexts

SELinux uses contexts (also called labels) to determine permissions on files and processes. Sometimes, you need to set or change these contexts manually. You can view the context of a file with the ls -Z command:

ls -Z /var/www/html

If you need to change the context of a file, use chcon command. For example, to change the file to the appropriate context for the web server:

sudo chcon -t httpd_sys_content_t /var/www/html/index.html

Restoring SELinux contexts

If a file has the wrong SELinux context, you can restore it to its default context using restorecon command:

sudo restorecon -Rv /var/www/html

This command will recursively restore the correct SELinux context for the specified directory.

SELinux troubleshooting

When SELinux is in enforcing mode, it can sometimes block legitimate actions, especially when custom applications are installed. Troubleshooting SELinux requires analyzing logs and understanding why something is denied.

Checking SELinux logs

SELinux messages are logged to /var/log/audit/audit.log or, on some systems, /var/log/messages. To view the log, use a text editor or tail command:

sudo tail -n 50 /var/log/audit/audit.log

Analysis of blocked actions

Logs can be complex and large, so specialized tools like audit2allow can help make sense of them. This tool converts log entries into human-readable formats and even suggests the necessary policies to allow unapproved actions.

grep AVC /var/log/audit/audit.log | audit2allow -m custompolicy

The above command can help you create a SELinux module that can allow a particular action. Be careful while allowing actions as this can reduce the overall security of your system.

Conclusion

Configuring SELinux in Linux involves understanding the different modes, checking the state, changing modes, working with policies and booleans, labeling files, and restoring contexts. SELinux is a powerful system that significantly enhances the security of your Linux environment by enforcing strict access controls. Properly configured, it can defend against threats seeking unauthorized access or disruption.

Make sure you constantly monitor logs and maintain an updated policy to adapt to newly installed software and changing system requirements. SELinux may seem complicated initially, but as you become familiar with its features, it becomes an indispensable tool for enhancing Linux security.

  Share This Article

If you find anything wrong with the article content, you can request an update