Basics of SElinux
What is SELinux?
SELinux is a set of security policies/modules which are going to apply on the machine to improve the overall security of the machine. These are the Linux security modules(LSM) which are loaded in to kernel to improve security on accessing services/files which improve security. SELinux is short form of Security Enhanced Linux. SElinux is a security feature which was shipped with RHEL5, it is much secure than any other security such as PAM and Initd. Apparmor is some times consider as eloquent to SELinux. Below is the security model in Linux.
Setting of SELinux
SELinux is set in three modes.
- Enforcing – SELinux security policy is enforced. IF this is set SELinux is enabled and will try to enforce the SELinux policies strictly
- Permissive – SELinux prints warnings instead of enforcing. This setting will just give warning when any SELinux policy setting is breached
- Disabled – No SELinux policy is loaded. This will totally disable SELinux policies.
And SELinux is set in two levels
- Targeted – Targeted processes are protected,
- Mls – Multi Level Security protection.
Get SELinux Status
Example1:Is SELinux enabled or not on your box? use below command to get the status.
#getenforce
The output will be either “Enabled” or “Disabled”
Example2: To see SELinux status in simplified way you can use sestatus
#sestatus
Sample output:
SElinux status : enabled
SELinux mount : /selinux
Current mode : enforcing
Mode from config file : enforcing
Policy version : 21
Policy from config file : targeted
From the above output we can see that SElinux is enabled and it is in enforced mode.
and to see detailed status you can use -b option, this will give on which services SElinux is enabled and which services are disabled.
Example3:To get elobrated info on difference status of SELinux on different services use -b option along sestatus
#sestatus -b
Sample output:
[root@centos1 ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Policy booleans:
abrt_anon_write off
allow_console_login on
allow_corosync_rw_tmpfs off
allow_cvs_read_shadow off
allow_daemons_dump_core on
allow_daemons_use_tty on
allow_domain_fd_use on
allow_execheap off
allow_execmem on
allow_execmod on
allow_execstack on
allow_ftpd_anon_write off
==Cliped the output here==
Disabling SELinux
Example4:How to disable SElinux
We can do it in two ways
1)Permanent way : edit /etc/selinux/config
change the status of SELINUX from enforcing to disabled
SELINUX=enforcing
to
SELINUX=disabled
Save the file and exit.
2)Temporary way : Execute below command
echo 0 > /selinux/enforce
or
setenforce 0
Enabling SELinux
Example5:How about enabling SELinux
1)Permanent way : edit /etc/selinux/config
change the status of SELINUX from disabled to enforcing
SELINUX=disabled
to
SELINUX=enforcing
Save the file and exit.
2)Temporary way : Execute below command
echo 1 > /selinux/enforce
or
setenforce 1
Comment your thoughts on SELinux.
Latest posts by Surendra Anne (see all)
- Docker: How to copy files to/from docker container - June 30, 2020
- Anisble: ERROR! unexpected parameter type in action:
Fix - June 29, 2020 - FREE: JOIN OUR DEVOPS TELEGRAM GROUPS - August 2, 2019
- Review: Whizlabs Practice Tests for AWS Certified Solutions Architect Professional (CSAP) - August 27, 2018
- How to use ohai/chef-shell to get node attributes - July 19, 2018