Understanding SELinux or Security Enhanced Linux | Tips & Tricks
SELinux refers to the security policy or security module that is integrated in Linux Kernel 2.6.*. SELinux offers US Department of Defence style mandatory access control and is much more secure than PAM. It was introduced by Red Hat with version 4 and is generally available with Red Hat based distributions. It also became available with certain Debian and Ubuntu distros.
Security Enhanced Linux defines the access rights of every user, application, process and file present in the system. It then monitors any activity that requires access to certain files or directories, whether the request comes from a user or an application. The request is sent to the security server in the kernel, which checks the security context of the request source and of the requested data. If the contexts are compatible, the permission is granted. If it is denied, a message containing avc: denied is written to /var/log/messages. In modern systems, however, a graphical notification pops up displaying a detailed report of all the players in the process along with the commands to deal with the permissions.
SELinux works in three operating modes:
1. Enforcing: Security Enhanced Linux policies are enforced, i.e. strict denial as soon as the contexts mismatch without the consent of the user.
2. Permissive: Security Enhanced Linux issues warning messages but the policy is not enforced. Here, the user makes the decision to grant/deny the permission.
3. Disabled: This disables the Security Enhanced Linux policy entirely.
Checking SELinux Status
To check the current SELinux status, open the terminal and type the following:
$ getenforce
For more detailed status:
$ sestatus
The following image shows the output from both commands:
Enabling SELinux
There are two ways in which settings are enabled in a Linux system: temporary and persistent.
Temporary way:
Open the terminal and type the following:
$ sudo setenforce 1
Persistent way:
We need to edit the primary configuration file for SELinux. The entry can be made in either the “/etc/sysconfig/selinux” or the “/etc/selinux/config” file, by setting SELINUX=enforcing. Open the terminal and type the following:
$ sudo vim /etc/sysconfig/selinux
This will open the selinux config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The following image shows the config file; here, the change is made in line no. 7.
Disabling SELinux
Temporary way:
Open the terminal and type the following:
$ sudo setenforce 0
Persistent way:
Edit the “/etc/sysconfig/selinux” or “/etc/selinux/config” file, changing the entry to SELINUX=disabled. Open the terminal and type the following:
$ sudo vim /etc/sysconfig/selinux
This will open the selinux config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The following image shows the config file; here, the change is made in line no. 7.
A similar approach can be applied for activating permissive mode too.
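Because setenforce changes only the running mode while the config file decides the mode after a reboot, the two can disagree. The following script is an added example, not part of the original article, that compares them; the function names configured_mode and mode_drift and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: detect a mismatch between the
# running SELinux mode (setenforce) and the persistent one (config file).

# Print the SELINUX= value of config file $1, lowercased; "unset" if absent.
# SELINUXTYPE= and commented lines do not match the pattern.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${mode:-unset}"
}

# Classify runtime mode $1 (getenforce output) against configured mode $2.
mode_drift() {
    runtime=$(echo "$1" | tr '[:upper:]' '[:lower:]')
    case "$runtime:$2" in
        enforcing:enforcing) echo "ok" ;;
        permissive:enforcing) echo "temporary: permissive until reboot" ;;
        enforcing:permissive | enforcing:disabled) echo "temporary: enforcing until reboot" ;;
        *) echo "not enforcing" ;;
    esac
}

# Constructed sample config (same layout as the file shown above).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Constructed runtime value, as if "setenforce 0" had been run.
echo "sample: $(mode_drift Permissive "$(configured_mode "$sample")")"
rm -f "$sample"

# On a real host, compare getenforce with the persistent config.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    echo "host: $(mode_drift "$(getenforce)" "$(configured_mode /etc/selinux/config)")"
fi
```

A "temporary: permissive until reboot" result on a host that is expected to be enforcing indicates that someone ran setenforce 0 without touching the config file.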
Security Enhanced Linux provides a variety of features, including individual policy assignment and an advanced secure environment. Keep checking in with us to follow the comparison among SELinux, PAM and AppArmor.