SELinux

SELinux (Security-Enhanced Linux) is a mandatory access control mechanism built into the Linux kernel. Distributions such as CentOS, RHEL, and Fedora ship with SELinux enabled by default, in enforcing mode with the targeted policy.

SELinux improves server security by enforcing a policy that defines which processes and users may access which files, directories, sockets, and network ports, independently of the ordinary file permissions. A service that is compromised but confined by policy cannot reach resources its policy does not grant it.

SELinux Modes

SELinux has 3 modes:

  • Enforcing mode: the default on the distributions above. Actions the loaded policy does not allow are denied, and every denial is logged (as AVC messages in /var/log/audit/audit.log when auditd is running).
  • Permissive mode: every action is allowed, but anything the policy would have denied is still logged in detail. This mode is useful for testing a policy or a new service before enforcing it. Switching between enforcing and permissive does not require a reboot.
  • Disabled mode: no policy is loaded and nothing is logged. Switching to or from disabled requires a reboot. On RHEL 9 and current Fedora the recommended way to disable SELinux is the selinux=0 kernel parameter rather than the configuration file.


Check Status of SELinux

sestatus

sestatus does not need root. Its output reports, among other fields, the SELinux status (enabled or disabled), the loaded policy name (for example targeted), the current mode, and the mode from the configuration file; the last two differ when setenforce has been used since boot.

[syed@rserver8 ~]$ sestatus

SELinux Configuration File

The mode that SELinux starts in at boot is set in /etc/selinux/config. The file has two settings: SELINUX= (enforcing, permissive or disabled) and SELINUXTYPE= (the policy to load, normally targeted). Editing it requires root; reading it does not.

sudo nano /etc/selinux/config

[syed@rserver8 ~]$ cat /etc/selinux/config

Enable

In enforcing mode SELinux applies its policy and denies every access attempt, by users and processes alike, that the policy does not allow. Each denial is written to the audit log.

Permissive mode is a half-way state: the policy is loaded but not enforced, so no access is denied, yet every violation is still logged. It is the right way to test SELinux before enforcing it.

The current mode is printed by getenforce (Enforcing, Permissive or Disabled):

[syed@rserver8 ~]$ getenforce

If SELinux was disabled, set SELINUX=enforcing or SELINUX=permissive in /etc/selinux/config and reboot for the change to take effect. Files created while SELinux was disabled carry no labels, so before rebooting request a full relabel by creating the empty file /.autorelabel (for example with touch, as root), and prefer enabling in permissive mode first: a system that goes straight from disabled to enforcing without a relabel may fail to boot. To reboot enter:

sudo reboot

After the reboot, check the status of SELinux by entering sestatus once again.

To change the running mode from enforcing to permissive (root is required), type:

sudo setenforce 0
or
sudo setenforce Permissive

To turn enforcing mode back on, enter:

sudo setenforce 1
or
sudo setenforce Enforcing

These changes apply only to the running kernel; after a reboot the mode reverts to the SELINUX= value in /etc/selinux/config. To make the change permanent, edit the configuration file with a text editor, as described above. setenforce cannot be used while SELinux is disabled.
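As an added example (not code from the original post), the following POSIX shell script carries out the persistence step described above the way an administrator would script it: it validates the requested mode, rewrites the SELINUX= line in the configuration file while keeping a backup, and applies the runtime change with setenforce where that is possible. The sample configuration, the function names, and the use of the backup suffix .bak are assumptions for illustration; only change_mode touches the real /etc/selinux/config, and it is defined but not called.

```shell
#!/bin/sh
# setenforce changes only the running kernel; /etc/selinux/config decides the
# mode at the next boot. These helpers keep the two in step.

# Constructed sample of /etc/selinux/config as shipped on a RHEL-family host
# (not captured from a real machine).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted'

# config_mode FILE: print the SELINUX= value, ignoring comments and whitespace.
# SELINUXTYPE= does not match because "=" must follow SELINUX directly.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_config_mode FILE MODE: rewrite the SELINUX= line in place after
# validating MODE, keeping FILE.bak as a backup. Returns 2 on an invalid mode
# and leaves the file untouched in that case.
set_config_mode() {
    file=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 2 ;;
    esac
    sed -i.bak "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
}

# change_mode MODE: persist MODE, then apply it at runtime when possible.
# Runtime switching only works between enforcing and permissive; if setenforce
# fails (SELinux currently disabled), files created meanwhile are unlabelled,
# so a full relabel is requested for the next boot via /.autorelabel.
# Moving to disabled always needs a reboot (selinux=0 on RHEL 9+/Fedora).
change_mode() {
    mode=$1
    set_config_mode /etc/selinux/config "$mode" || return $?
    case $mode in
        enforcing)  setenforce 1 2>/dev/null || touch /.autorelabel ;;
        permissive) setenforce 0 2>/dev/null || touch /.autorelabel ;;
        disabled)   echo "reboot required; on RHEL 9+/Fedora prefer the selinux=0 kernel parameter" >&2 ;;
    esac
}

# Demo on a temporary copy of the sample, so it runs on any host.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_file"
echo "before: $(config_mode "$demo_file")"
set_config_mode "$demo_file" permissive
echo "after:  $(config_mode "$demo_file")"
rm -f "$demo_file" "$demo_file.bak"
```

On a real host, run change_mode permissive as root and confirm with getenforce and sestatus that the current mode and the mode from the config file agree.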

Disabled

Open the /etc/selinux/config file and set the SELINUX mode to disabled, then reboot. On RHEL 9 and current Fedora, use the selinux=0 kernel parameter instead, as that is the method those releases document.

/etc/selinux/config

[syed@rserver8 ~]$ sudo vi /etc/selinux/config

After the reboot, sestatus reports the status as disabled:

[syed@rserver8 ~]$ sestatus

Allow new SSH port on SELinux

If sshd is configured to listen on a port other than 22 (Port 2023 in /etc/ssh/sshd_config, for example), SELinux in enforcing mode denies the bind until that port is labelled ssh_port_t. semanage (from the policycoreutils-python-utils package on RHEL 8 and later) manages the port labels and must be run as root.

Use -a to add the label when the port has no entry of its own in the policy:

semanage port -a -t ssh_port_t -p tcp 2023

If the port is already mapped to another type, -a fails with "Port tcp/2023 already defined"; use -m to modify the existing entry instead:

semanage port -m -t ssh_port_t -p tcp 2023

Verify the result with semanage port -l, filtered for ssh_port_t, and restart sshd afterwards.
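As an added example (not code from the original post), the following POSIX shell script automates the choice between -a and -m described above: it reads the output of semanage port -l, checks whether the requested port already has an exact entry for the protocol, and prints the semanage command to run. Port ranges in the listing (such as 1024-32767 for unreserved_port_t) are deliberately not treated as matches, because semanage only reports "already defined" for an exact entry. The sample listing and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Decide whether a new SSH port needs `semanage port -a` (no exact entry in
# policy yet) or `semanage port -m` (port already mapped to another type).

# Constructed sample of `semanage port -l` output (not captured from a real
# host); real listings contain many more types.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535'

# port_owner PROTO PORT: read a `semanage port -l` listing on stdin and print
# the type that has an exact entry for PORT/PROTO, or nothing. Fields from the
# third onwards are the ports, comma separated; ranges never match exactly.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) { print $1; exit }
            }
        }'
}

# semanage_port_flag PROTO PORT: print "-m" if PORT/PROTO is already defined
# (any type), otherwise "-a". Reads the listing on stdin.
semanage_port_flag() {
    if [ -n "$(port_owner "$1" "$2")" ]; then
        printf '%s\n' "-m"
    else
        printf '%s\n' "-a"
    fi
}

# ssh_port_command PORT: print the semanage command that labels tcp/PORT as
# ssh_port_t, with the right flag for the listing read on stdin.
ssh_port_command() {
    flag=$(semanage_port_flag tcp "$1")
    printf 'semanage port %s -t ssh_port_t -p tcp %s\n' "$flag" "$1"
}

# Demo against the constructed listing. On a real host, as root:
#   semanage port -l | ssh_port_command 2023
# then run the printed command, restart sshd, and verify with
#   semanage port -l | grep ssh_port_t
printf '%s\n' "$SAMPLE_PORT_LIST" | ssh_port_command 2023
printf '%s\n' "$SAMPLE_PORT_LIST" | ssh_port_command 443
```

The two demo lines show the difference: 2023 has no entry and gets -a, while 443 already belongs to http_port_t and gets -m (which moves it away from the web server type, so check the owner before applying such a change).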
