Introduction to SELinux in CentOS/RHEL

SELinux (Security Enhanced Linux) is an advanced access control mechanism built into most modern Linux distributions. SELinux is an extension to the Linux kernel designed to enforce mandatory access controls that confine each process to the minimum set of privileges it requires.


Installing SELinux Packages:

SELinux is made up of a number of packages, a few of which are installed by default. Use the following command to check which packages are installed:

# rpm -qa | grep selinux
selinux-policy-3.7.19-260.el6_6.5.noarch
libselinux-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.5.noarch
libselinux-devel-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64

Install the remaining packages using the following command:

# yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans

SELinux Modes:

At any one time, SELinux is in one of three modes:

  • Enforcing
  • Permissive
  • Disabled

If the SELinux mode is set to Permissive or Disabled, it will not block access to services in any way (Permissive still logs what Enforcing would have denied). If SELinux is in Enforcing mode, on the other hand, SELinux denials can cause your server to behave in ways you do not expect. Use the following command to check the SELinux mode:

# getenforce
Or
# grep ^SELINUX= /etc/sysconfig/selinux

getenforce reports the mode currently running in the kernel; the config file shows the mode that will apply at the next boot, and the two can differ.

We can also run the following command to check the status of SELinux:

# sestatus

Change SELinux Modes:

By default the SELinux mode is enforcing. To change the mode, edit the SELinux configuration file (/etc/sysconfig/selinux is a symlink to /etc/selinux/config, so either path works):

# vim /etc/selinux/config
Or
# vim /etc/sysconfig/selinux

Old value:
SELINUX=enforcing
New value:
SELINUX=permissive
Or
SELINUX=disabled

After changing the mode, reboot the system:

# reboot
    

SELinux Modules:

When an SELinux-enabled system boots, the policy is loaded into memory. SELinux policy is modular, much like the kernel modules loaded at boot time, and, just like kernel modules, policy modules can be added to and removed from memory at run time. The policy store used by SELinux keeps track of which modules have been loaded. Run the following command to list the SELinux policy modules currently loaded:

# semodule -l

abrt    1.2.0
accountsd       1.0.0
ada     1.4.0
afs     1.5.3
aiccu   1.0.0
aide    1.5.0
amanda  1.12.0
amtu    1.2.0
antivirus       1.0.0
apache  2.1.2
apcupsd 1.6.1
arpwatch        1.8.1
asterisk        1.7.1
audioentropy    1.6.0
automount       1.12.1
avahi   1.11.2
...
...

At this point you will probably want to know where the module files are kept. The modules are stored in binary form, as policy package files with a .pp extension. Run the following command to list them:

# ls -l /etc/selinux/targeted/modules/active/modules/

Check SELinux Booleans:

Since the binary policy module files cannot be read directly, SELinux provides booleans as a simple way to tweak their settings. Run the following command to list the SELinux booleans:

# semanage boolean -l

SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
cron_userdomain_transition     (on   ,   on)  Allow cron to userdomain transition
icecast_use_any_tcp_ports      (off  ,  off)  Allow icecast to use any tcp ports
openvpn_can_network_connect    (off  ,   on)  Allow openvpn to can network connect
zoneminder_anon_write          (off  ,  off)  Allow zoneminder to anon write
...
...

Change the boolean setting:

The first boolean in the listing, ftp_home_dir, allows the FTP daemon to access users' home directories. Before changing it, check its current value with the following command:

# getsebool ftp_home_dir

Output

ftp_home_dir --> off

Change the boolean value using the following command:

# setsebool -P ftp_home_dir=on

Note: Without the -P switch the change applies only to the running policy and is lost on reboot; -P also writes the new value into the policy store so it persists.
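As an added example that is not part of the original post, the following shell functions parse the "semanage boolean -l" listing format shown above to flag booleans whose State differs from their Default, which is a quick way to spot access that has been widened with setsebool (in the listing above, openvpn_can_network_connect is such a case). The sample rows are constructed from the listing above so the script runs offline.

```shell
# Added example (not from the original post): audit "semanage boolean -l"
# output for booleans whose current state differs from the policy default,
# i.e. access that someone widened or narrowed with setsebool. Both
# functions read the listing from stdin so they run on the constructed
# sample below; on a real host pipe "semanage boolean -l" into them.
non_default_booleans() {
    # Rows look like:  name   (off  ,   on)  Description
    # Fields split on whitespace: $2 is "(state", $3 is ",", $4 is "default)".
    awk '$2 ~ /^\(/ {
             cur = $2; sub(/^\(/, "", cur)
             def = $4; sub(/\)$/, "", def)
             if (cur != def) print $1, cur, def
         }'
}

# Print the current state (on/off) of one named boolean from the listing.
boolean_state() {
    awk -v name="$1" '$1 == name && $2 ~ /^\(/ {
             cur = $2; sub(/^\(/, "", cur); print cur
         }'
}

# Constructed sample, using rows in the same format as the listing above.
SAMPLE_LISTING='SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
openvpn_can_network_connect    (off  ,   on)  Allow openvpn to can network connect
zoneminder_anon_write          (off  ,  off)  Allow zoneminder to anon write'

echo "booleans changed from their default (name current default):"
printf '%s\n' "$SAMPLE_LISTING" | non_default_booleans
echo "ftp_home_dir is: $(printf '%s\n' "$SAMPLE_LISTING" | boolean_state ftp_home_dir)"
```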

Enjoy it!
