What is SELinux?

SELinux stands for Security-Enhanced Linux. It acts as a firewall inside the system, providing more control over which resources on our server applications and users can reach.

 

What is the mechanism of SELinux?

The SELinux Decision Making Process

When a subject, (for example, an application), attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached. If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix. Permission is then granted or denied, with an avc: denied message detailed in /var/log/messages if permission is denied. The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server's matrix.

 

[Diagram: SELinux decision-making process]

 

The above is taken from: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-selinux.html
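The decision process above ends in an avc: denied message, which names the subject context (scontext), the object context (tcontext), the object class and the permission that was refused. The following Python is an added example, not part of the CentOS guide or of this page's original text: it parses such lines and groups the denials by subject type, object type and class. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's "avc: denied" format (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:15:01 sys2 kernel: type=1400 audit(1362305701.123:41): avc:  denied  { read } for  pid=2465 comm="httpd" name="index.html" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
Mar  3 10:15:02 sys2 kernel: type=1400 audit(1362305702.456:42): avc:  denied  { read open } for  pid=2465 comm="httpd" name="index.html" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
Mar  3 10:16:40 sys2 kernel: type=1400 audit(1362305800.789:43): avc:  denied  { name_bind } for  pid=2501 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Mar  3 10:17:00 sys2 sshd[2501]: Server listening on 0.0.0.0 port 22.
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A security context is user:role:type[:level]; type enforcement rules are
    # written against the type field, so extract it from both contexts.
    try:
        source_type = fields["scontext"].split(":")[2]
        target_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"comm": fields.get("comm", "?"), "source_type": source_type,
            "target_type": target_type, "tclass": tclass, "perms": m.group("perms").split()}

def summarize(log_text):
    """Group denials by (subject type, object type, class): perms seen and hit count."""
    perms, hits = {}, Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms.setdefault(key, set()).update(rec["perms"])
        hits[key] += 1
    return {k: (sorted(perms[k]), hits[k]) for k in perms}

if __name__ == "__main__":
    for (src, tgt, cls), (p, n) in summarize(SAMPLE_LOG).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(p)} }}")
```

Grouping by type rather than by process or file name shows which subject/object pair the policy refused, which is the pair the security server looked up.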

 

How to check the status of SELinux?

Use the sestatus command to check the status.

[root@sys2 ~]# sestatus
SELinux status              : enabled
SELinuxfs mount             : /selinux
Current mode                : enforcing
Mode from config file       : enforcing
Policy version              : 24
Policy from config file     : targeted

 

In the above output the status is enabled. SELinux has three modes:

  • Enforcing  ------ In this mode, any action that violates the SELinux policy is denied.
  • Permissive ------ In this mode, security violations are not stopped. SELinux is turned on but prints warnings instead of enforcing.
  • Disabled   ------ In this mode, SELinux is turned off.

 

What is the configuration file for SELinux?

The configuration file for SELinux is '/etc/selinux/config'.

We can change the mode of SELinux by editing this file.

[root@sys2 ~]# vim /etc/selinux/config
Before editing:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#    enforcing - SELinux security policy is enforced.
#    permissive - SELinux prints warnings instead of enforcing.
#    disabled - No SELinux policy is loaded.
SELINUX=enforcing ------I am going to edit this line
# SELINUXTYPE= can take one of these two values:
#    targeted - Targeted processes are protected,
#    mls - Multi Level Security protection.
SELINUXTYPE=targeted
After editing:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#    enforcing - SELinux security policy is enforced.
#    permissive - SELinux prints warnings instead of enforcing.
#    disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#    targeted - Targeted processes are protected,
#    mls - Multi Level Security protection.
SELINUXTYPE=targeted

 

Now check the status of SELinux:

[root@sys2 ~]# sestatus
SELinux status                : enabled
SELinuxfs mount               : /selinux
Current mode                  : enforcing-------Mode is not changed.
Mode from config file         : disabled
Policy version                : 24
Policy from config file       : targeted

 

Reboot the system to apply the edited mode to the system.

The command for rebooting is # reboot -f

After rebooting, I check the status of SELinux again.

[root@sys2 ~]# sestatus
SELinux status                : disabled

 

How to change the mode to permissive?

To set the SELinux mode to permissive, use the setenforce command and then check the mode with getenforce:

[root@sys2 ~]# setenforce permissive
[root@sys2 ~]# getenforce
Permissive

 
