How to configure SELinux Policies
1. Introduction:
Security-Enhanced Linux (SELinux) is a powerful security module integrated into the Linux kernel. It enforces mandatory access control (MAC) policies, restricting unauthorized access to files, processes, and system resources. Unlike traditional discretionary access control (DAC), SELinux applies strict policy rules, regardless of user privileges.
SELinux operates in three distinct modes:
- Enforcing: Policies are actively applied, blocking unauthorized actions.
- Permissive: Policy violations are logged but not enforced.
- Disabled: SELinux is turned off completely.
2. Why Configure SELinux Policies?
By properly configuring SELinux policies, you can:
- Control how applications interact with system resources.
- Prevent unauthorized access to sensitive information.
- Monitor and log security violations.
- Strengthen system defenses against exploits and vulnerabilities.
3. Checking SELinux Status
To determine the current status of SELinux, run:
$ sestatus
This command displays whether SELinux is enabled and its current mode (Enforcing, Permissive, or Disabled).
4. Changing SELinux Modes
The SELinux mode can be changed temporarily (until the next reboot) or permanently.
4.1 Temporary Change:
- Switch to permissive mode:
$ sudo setenforce 0
- Re-enable enforcing mode:
$ sudo setenforce 1
4.2 Permanent Change:
Edit the configuration file:
$ sudo nano /etc/selinux/config
Modify the SELINUX parameter to one of the following:
SELINUX=enforcing
SELINUX=permissive
SELINUX=disabled
Save the file and reboot for changes to take effect.
5. Understanding SELinux Contexts
SELinux assigns security contexts to files, processes, and network ports. A typical context consists of:
- User: SELinux user (e.g., system_u)
- Role: Assigned role (e.g., object_r)
- Type: Security type (e.g., httpd_sys_content_t)
5.1 Viewing File Contexts:
$ ls -Z /path/to/file
5.2 Changing File Contexts:
- Temporarily change the file context (the change is lost when the file is relabeled or restorecon is run):
$ sudo chcon -t httpd_sys_content_t /var/www/html/index.html
- Restore default context:
$ sudo restorecon -v /var/www/html/index.html
6. Working with SELinux Booleans
SELinux Booleans allow for flexible configuration without modifying core policies.
6.1 Viewing Available Booleans:
$ getsebool -a
6.2 Modifying Booleans:
- Temporarily enable CGI support for Apache:
$ sudo setsebool httpd_enable_cgi on
- Persist changes across reboots:
$ sudo setsebool -P httpd_enable_cgi on
7. Creating and Applying Custom SELinux Policies
To allow specific applications or services to function under SELinux, custom policies may be needed.
7.1 Collecting Recent Denials from the Audit Log:
$ sudo ausearch -m avc -ts recent
7.2 Creating a Policy Module:
$ sudo audit2allow -a -M my_policy
This writes my_policy.te (human-readable rules) and my_policy.pp (the compiled module). Review my_policy.te before installing it: audit2allow allows every access that appeared as a denial, including accesses caused by misconfiguration or by a compromised process.
7.3 Installing the Policy Module:
$ sudo semodule -i my_policy.pp
8. Troubleshooting SELinux Issues
SELinux may block legitimate operations, requiring troubleshooting.
8.1 Checking Audit Logs:
$ sudo grep denied /var/log/audit/audit.log
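Reading raw AVC records line by line is tedious; the following shell function, added here as an example and not part of the original tutorial, condenses them into one line per distinct (source type, target type, class, permission) with a count, and marks whether each denial was enforced (permissive=0) or only logged (permissive=1). The AVC_SAMPLE records are constructed sample data in audit.log format; on a real host pipe in `sudo ausearch -m avc -ts recent` or the audit log itself.

```sh
#!/bin/sh
# Constructed sample audit records (not from a real host): three enforced file
# denials against httpd_t, one permissive network denial, and a non-AVC record.
AVC_SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/home/alice/www/index.html" dev="sda1" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=42 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0'

# avc_summary [file...]: summarise AVC denials from the given files or stdin.
# Output: "<count> <source type> <target type> <class> <permissions> <enforced|permissive>",
# most frequent first. The sed expression pulls the third field (the type) out of
# scontext= and tcontext=, the permission set between the braces, tclass= and permissive=.
avc_summary() {
  grep '^type=AVC ' "$@" | grep ' denied ' |
  sed -n 's/.*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*permissive=\([01]\).*/\2 \3 \4 \1 \5/p' |
  sort | uniq -c | sort -rn |
  sed -e 's/^ *//' -e 's/ 0$/ enforced/' -e 's/ 1$/ permissive/'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Lines marked permissive show what enforcing mode would have blocked; lines marked enforced are the ones a custom module from section 7 would allow, so check each against what the service is actually supposed to do.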
8.2 Using SELinux Alert Analyzer:
$ sudo sealert -a /var/log/audit/audit.log
8.3 Switching to Permissive Mode for Debugging:
$ sudo setenforce 0
In permissive mode denials are still written to the audit log, so you can see everything enforcing mode would block while the operation is allowed to complete.
To restore enforcement:
$ sudo setenforce 1
Conclusion
SELinux is an essential security tool for Linux systems. By understanding how to configure policies, adjust contexts, manage Booleans, and troubleshoot issues, you can create a more secure and resilient environment. Regular auditing and best practices will help maximize the effectiveness of SELinux in protecting your system.