Introduction to SELinux in CentOS/RHEL
SELinux (Security Enhanced Linux) is an advanced access control mechanism built into most modern Linux distributions. SELinux is an extension to the Linux kernel designed to enforce strict, mandatory access controls that confine processes to the minimum set of privileges they require.
Installing SELinux Packages:
SELinux uses a number of packages, a few of which are installed by default. Use the following command to check which packages are installed:
# rpm -qa | grep selinux
selinux-policy-3.7.19-260.el6_6.5.noarch
libselinux-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.5.noarch
libselinux-devel-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
Install the remaining packages using the following command:
# yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans
At any one time, SELinux is in one of three modes: Enforcing, Permissive, or Disabled.
If the SELinux mode is Permissive or Disabled, it does not block access to any service (in Permissive mode denials are only logged). If SELinux is in Enforcing mode, however, a few SELinux denials could cause your server to not behave as you expect. Use the following command to check the SELinux mode:
# getenforce
Or
# grep ^SELINUX= /etc/sysconfig/selinux
We can also run the following command to check the status of SELinux:
Change SELinux Modes:
By default the SELinux mode is enforcing. To change the mode, open the SELinux configuration file and set a new value:
# vim /etc/selinux/config
Or
# vim /etc/sysconfig/selinux
Old value: SELINUX=enforcing
New value: SELINUX=permissive Or SELINUX=disabled
After changing the mode, reboot the system for it to take effect:
When an SELinux-enabled system boots, the policy is loaded into memory. The SELinux policy is modular, much like the kernel modules loaded at boot time, and, just like kernel modules, policy modules can be added to and removed from memory at run time. The policy store used by SELinux keeps track of which modules have been loaded. Run the following command to list the SELinux policy modules currently loaded into memory:
# semodule -l
abrt            1.2.0
accountsd       1.0.0
ada             1.4.0
afs             1.5.3
aiccu           1.0.0
aide            1.5.0
amanda          1.12.0
amtu            1.2.0
antivirus       1.0.0
apache          2.1.2
apcupsd         1.6.1
arpwatch        1.8.1
asterisk        1.7.1
audioentropy    1.6.0
automount       1.12.1
avahi           1.11.2
... ...
At this point you are probably wondering where the module files are located. The module files are mostly binary; policy module files have a .pp extension. Run the following command to list the module files:
# ls -l /etc/selinux/targeted/modules/active/modules/
Check SELinux Booleans:
Since we can't read the binary policy module files directly, SELinux provides a simple way to tweak their settings: SELinux booleans. Run the following command to list the SELinux booleans:
# semanage boolean -l
SELinux boolean                State   Default  Description
ftp_home_dir                   (off ,  off)     Allow ftp to home dir
smartmon_3ware                 (off ,  off)     Allow smartmon to 3ware
mpd_enable_homedirs            (off ,  off)     Allow mpd to enable homedirs
xdm_sysadm_login               (off ,  off)     Allow xdm to sysadm login
xen_use_nfs                    (off ,  off)     Allow xen to use nfs
mozilla_read_content           (off ,  off)     Allow mozilla to read content
ssh_chroot_rw_homedirs         (off ,  off)     Allow ssh to chroot rw homedirs
mount_anyfile                  (on  ,  on)      Allow mount to anyfile
cron_userdomain_transition     (on  ,  on)      Allow cron to userdomain transition
icecast_use_any_tcp_ports      (off ,  off)     Allow icecast to use any tcp ports
openvpn_can_network_connect    (off ,  on)      Allow openvpn to can network connect
zoneminder_anon_write          (off ,  off)     Allow zoneminder to anon write
... ...
Change the boolean setting:
The first entry allows the FTP daemon to access users' home directories. Before changing it, check the current value with the following command:
# getsebool ftp_home_dir
ftp_home_dir --> off
Change the boolean value using the following command:
# setsebool -P ftp_home_dir=on
Note: without the -P switch the boolean is changed only in the running policy and the change does not persist across a reboot.
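As an added example (not part of the original page), a small POSIX sh script that ties the steps above together: it reads the configured mode from an /etc/selinux/config-style file, rejects misspelled values, and compares getsebool-style output against a baseline of expected boolean values so drift from the -P setting can be spotted. It runs on constructed sample files; the baseline file format and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: check the configured SELinux mode
# and detect boolean drift against a baseline, on constructed sample input.

# configured_mode FILE: print the SELINUX= value from a config file in
# lower case, or "invalid" when it is not enforcing/permissive/disabled
# (a misspelling such as "premissive" is caught before a reboot).
configured_mode() {
    mode=$(sed -n 's/^SELINUX=[[:space:]]*//p' "$1" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) printf 'invalid\n' ;;
    esac
}

# check_booleans ACTUAL BASELINE: ACTUAL holds "name --> state" lines as
# printed by getsebool, BASELINE holds "name=state" lines (assumed format).
# Prints "DRIFT name actual expected" per mismatch; returns 1 on any drift.
check_booleans() {
    drift=0
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }' "$1")
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s %s %s\n' "$name" "${have:-missing}" "$want"
            drift=1
        fi
    done < "$2"
    return $drift
}

# Constructed sample input (on a real host: /etc/selinux/config and
# `getsebool -a`, with the baseline maintained by the administrator).
TMP=$(mktemp -d)
cat > "$TMP/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=premissive
SELINUXTYPE=targeted
EOF
cat > "$TMP/sebool" <<'EOF'
ftp_home_dir --> on
ssh_chroot_rw_homedirs --> off
EOF
cat > "$TMP/baseline" <<'EOF'
ftp_home_dir=off
ssh_chroot_rw_homedirs=off
mount_anyfile=on
EOF
printf 'configured mode: %s\n' "$(configured_mode "$TMP/config")"
check_booleans "$TMP/sebool" "$TMP/baseline" || echo "boolean drift detected"
```

On a real host, replace the constructed files with /etc/selinux/config and the output of `getsebool -a`, and keep the baseline under version control alongside the rest of the server's configuration.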