Security-Enhanced Linux (SELinux) is a security architecture integrated into the Linux kernel that provides a versatile mandatory access control (MAC) mechanism. Fedora, being one of the most popular Linux distributions, leverages SELinux to enhance its security by controlling access to programs and files. In this detailed guide, we will explore how to secure Fedora systems using SELinux, how to manage its policies, how to handle common scenarios, and how to maximize its security benefits.
SELinux operates in three modes, each providing a different level of enforcement: enforcing, in which the security policy is enforced and violations are blocked; permissive, in which violations are logged as warnings but not blocked; and disabled, in which SELinux is turned off entirely. Let's examine how to check and change them.
Before making any changes, it is important to check the current status of SELinux on your Fedora system. This can be done by using the following command in the terminal:
$ sestatus
This command will provide information about the current mode, policy version, and other details of the SELinux state. Knowing whether your system is in enforcing, permissive, or disabled mode will help you proceed further.
Switching between SELinux modes is straightforward, but requires administrative (root) privileges. To change modes, edit the file located at /etc/selinux/config and set the SELINUX= line to enforcing, permissive, or disabled.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy.
# MLS - Multi Level Security protection.
SELINUXTYPE=targeted
After making the changes, reboot the system to apply them. You can also use the setenforce command to temporarily switch between enforcing and permissive modes without rebooting:
# Set SELinux to enforcing mode
$ sudo setenforce 1
# Set SELinux to permissive mode
$ sudo setenforce 0
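The config-file edit described above is easy to get wrong by hand (a misspelled mode value leaves the file unparsable at boot). The following shell script is an added example, not part of the original article: it validates the requested mode against the three values the file accepts, keeps a backup, and rewrites only the uncommented SELINUX= line. It runs against a constructed temporary copy (DEMO_CONFIG) so it can be tried without SELinux; pointing it at /etc/selinux/config as root applies it for real.

```shell
#!/bin/sh
# Added example (not from the original article): safely change the SELINUX= value in an
# /etc/selinux/config-style file. DEMO_CONFIG is a constructed copy for a stand-alone run.

# Return 0 if $1 is one of the three modes the config file accepts.
valid_selinux_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of the (uncommented) SELINUX= line in config file $1.
current_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line of config file $1 to mode $2, keeping a backup as $1.bak.
# Refuses unknown modes so a typo cannot be written into the file.
set_selinux_mode() {
    file=$1; mode=$2
    if ! valid_selinux_mode "$mode"; then
        echo "set_selinux_mode: '$mode' is not enforcing, permissive or disabled" >&2
        return 1
    fi
    if ! grep -q '^SELINUX=' "$file"; then
        echo "set_selinux_mode: no SELINUX= line in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    # Only the active assignment is touched; the explanatory comment lines stay as they are.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample config (same layout as Fedora's file) so the script runs stand-alone.
DEMO_CONFIG=$(mktemp)
cat > "$DEMO_CONFIG" <<'EOF'
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Usage: set_selinux_mode "$DEMO_CONFIG" permissive; current_config_mode "$DEMO_CONFIG"
```

Note that editing the file only changes the mode that applies after the next reboot; use setenforce for an immediate, non-persistent change as shown above.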
SELinux uses a set of policies to define access control. The two primary policy types are targeted and multi-level security (MLS). Fedora typically uses the targeted policy, which confines a defined set of key processes.
SELinux booleans are switches that enable or disable specific SELinux policy rules without modifying the policy itself. This allows greater flexibility through temporary adjustments. To list all available booleans, use the command:
$ semanage boolean -l
Each boolean has a description, a current value, and a default value. To change a boolean value, use the setsebool command:
# Enable a Boolean
$ sudo setsebool httpd_enable_homedirs on
# Disable a Boolean
$ sudo setsebool httpd_enable_homedirs off
To ensure that the changes are retained across reboots, add the -P option:
$ sudo setsebool -P httpd_enable_homedirs on
Security in SELinux revolves around contexts and labels. Every file, directory, and process in Fedora carries a context consisting of a user, role, type, and level. Understanding contexts and labeling resources appropriately is critical to maintaining SELinux security. You can view the context of files using the ls -Z command:
$ ls -Z /var/www/html
If you need to change the context of a file, you would use the chcon command:
$ sudo chcon -t httpd_sys_content_t /var/www/html/index.html
It is important to note that manual changes to contexts with chcon can be reverted by relabeling operations. To make permanent changes, you would use policies and the semanage fcontext command.
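Because the type field of a context is what the targeted policy actually checks, a quick way to catch mislabelled files (for example content copied into a web root from a home directory) is to compare each file's type against the one expected for that directory. The script below is an added example and not from the original article: it splits a context into its fields and reports entries in ls -Z style output whose type differs from an expected type. DEMO_LISTING is a constructed sample of ls -Z output; on a real system you would pipe ls -Z /var/www/html into mismatched_types instead.

```shell
#!/bin/sh
# Added example (not from the original article): find files whose SELinux type does not
# match the type expected for their directory. DEMO_LISTING is constructed sample input.

# Constructed sample of `ls -Z` output (context, then file name), one entry per line.
DEMO_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 about.html
unconfined_u:object_r:user_home_t:s0 uploaded.html
unconfined_u:object_r:admin_home_t:s0 notes.txt'

# Print the type (third field) of a user:role:type:level context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the MLS level, which may itself contain colons (e.g. s0:c0.c1023), so take
# everything from the fourth field onward.
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Read `ls -Z` style lines on stdin; print "name current_type" for every entry whose
# type is not the expected type given as $1. An empty result means the directory is
# labelled consistently.
mismatched_types() {
    expected=$1
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        [ "$t" = "$expected" ] || printf '%s %s\n' "$name" "$t"
    done
}

# Usage: printf '%s\n' "$DEMO_LISTING" | mismatched_types httpd_sys_content_t
```

Any file this reports is a candidate for restorecon (to reapply the default label) or, if the path genuinely needs a different label, for a semanage fcontext rule followed by restorecon.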
Working with SELinux can sometimes lead to permission errors. This is often a sign of policy rules being applied correctly, but it can disrupt a workflow if unexpected. Here's how you can troubleshoot SELinux permissions:
Check the audit log. SELinux denials are recorded in /var/log/audit/audit.log. You can use ausearch to analyze them:
$ ausearch -m avc -ts recent
Use the sealert command from the SELinux troubleshooter for detailed diagnostic information:
$ sudo sealert -a /var/log/audit/audit.log
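When ausearch or sealert are not at hand, the AVC records in audit.log can be summarised directly: each denial names the source domain, the target type, the object class and the permission that was refused, which is exactly what you need to decide between a boolean, a relabel, or a policy module. The script below is an added example, not from the original article. DEMO_LOG holds constructed audit.log lines in the real record format; on a Fedora system you would run avc_summary /var/log/audit/audit.log as root instead.

```shell
#!/bin/sh
# Added example (not from the original article): summarise AVC denials in an audit.log.
# DEMO_LOG is a constructed sample in the audit record format; field values are made up.

DEMO_LOG=$(mktemp)
cat > "$DEMO_LOG" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000001.200:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="about.html" dev="dm-0" ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.300:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload" dev="dm-0" ino=98767 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.400:459): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000004.500:460): avc:  denied  { read } for  pid=3333 comm="sshd" name="authorized_keys" dev="dm-0" ino=55555 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
EOF

# Count denials per (source type -> target type, class, permission), most frequent first.
# Only type=AVC records are read; SYSCALL and other record types are skipped.
avc_summary() {
    awk '
    $1 == "type=AVC" && /denied/ {
        perm = ""; stype = ""; ttype = ""; tclass = ""
        # the permission set sits between braces: "{ read }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # the type is the third colon-separated field of a context
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass") tclass = kv[2]
        }
        count[stype " -> " ttype " " tclass " {" perm "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -rn
}

# Count denials recorded while the domain or system was permissive (permissive=1): these
# were allowed through but would start failing once enforcing mode is restored.
permissive_denials() {
    grep -c 'type=AVC.*permissive=1' "$1"
}

# Usage: avc_summary "$DEMO_LOG"; permissive_denials "$DEMO_LOG"
```

Reading the summary for the constructed sample: repeated httpd_t -> user_home_t denials point at either mislabelled content (fix with restorecon or semanage fcontext) or a deliberate home-directory setup (the httpd_enable_homedirs boolean), while the tcp_socket denial on mysqld_port_t is the kind of case a database-connection boolean covers; the single permissive=1 record is what to review before switching that domain back to enforcing.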
While Fedora's default policies cover many scenarios, advanced users can create custom SELinux policies to cover unique use cases. To do this, you'll write policy files (usually ending in .te) and compile them using the checkmodule and semodule_package tools:
# Write your policy in a .te file
module mycustom 1.0;
require {
type user_home_t;
type httpd_t;
class file { read write };
}
# Allow the httpd process to read and write user home files
allow httpd_t user_home_t:file { read write };
Next, compile and install your custom module:
$ checkmodule -M -m -o mycustom.mod mycustom.te
$ semodule_package -o mycustom.pp -m mycustom.mod
$ semodule -i mycustom.pp
If the context of a file or directory is incorrect, this can cause access issues. You can use the restorecon command to restore the default SELinux context:
$ sudo restorecon -Rv /path/to/directory
This command recursively resets the context to match the default policy for that path.
SELinux adds an essential security layer to any Fedora system. Whether you are an individual securing your home setup or an enterprise manager maintaining organization-wide security, understanding the capabilities of SELinux is of paramount importance. By familiarizing yourself with SELinux modes, policies, booleans, contexts, and policy creation, you can leverage this powerful security tool to ensure that your Fedora system remains robust against attacks and unauthorized access.