Wiki

User Tools

Site Tools

Trace: virtual_hosts file_handling harden_apache curl_to_facebook
help:selinux

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
help:selinux [2016/07/14 15:00] peterhelp:selinux [2020/07/19 20:09] (current) – old revision restored (2016/07/11 11:59) 192.99.4.140
Line 1: Line 1:
 ====== SELinux ====== ====== SELinux ======
  
-Security-Enhanced Linux (SELinux) is a security enhancement to Linux which allows users and administrators more control over access levels.  Access can be constrained on such variables as which users and applications can access which resources.  Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.+Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for supporting access control security policies which provides great protection.  It can stop many attacks before your system rooted.
  
-SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, SELinux lets you specify who can unlink, append only, move a file and so on.  Additionally SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC). +SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
- +
-SELinux enforces the idea that programs should be limited to what files they can access and what actions they can take.+
  
 SELinux is a kernel security extension, which can be used to guard against misconfigured or compromised programs.  It comes with Mandatory Access Control (MAC) system that improves the traditional UNIX/Linux DAC (Discretionary Access Control) model.  SELinux is a kernel security extension, which can be used to guard against misconfigured or compromised programs.  It comes with Mandatory Access Control (MAC) system that improves the traditional UNIX/Linux DAC (Discretionary Access Control) model. 
Line 14: Line 12:
   * permissive – SELinux prints warnings instead of enforcing.   * permissive – SELinux prints warnings instead of enforcing.
   * disabled – SELinux is fully disabled.   * disabled – SELinux is fully disabled.
- 
-The type of policies that can be used for the SELinux include: 
- 
-  * targeted – This policy will protected only specific targeted network daemons (such as DNS, Apache and others). 
-  * mls - Multi Level Security (MLS) allows further categorization of data privilege levels, such as “confidential, secret” etc and would be applied to files on the filesystem, restricting users to only those articles they are entitled to interact with. 
-  * strict – This is for maximum SELinux protection. 
- 
-[[SELinix:Introduction to SELinux|Introduction to SELinux]] 
- 
  
 [[SELinux:Allow access to an HTTP network port|Allow access to an HTTP network port]] [[SELinux:Allow access to an HTTP network port|Allow access to an HTTP network port]]
  
 [[SELinux:Change the SELinux mode|Change the SELinux mode]] [[SELinux:Change the SELinux mode|Change the SELinux mode]]
- 
-[[SELinux:Check if SELinux is running|Check if SELinux is running]] 
  
 [[SELinux:Check that SELinux is not denying actions|Check that SELinux is not denying actions]] [[SELinux:Check that SELinux is not denying actions|Check that SELinux is not denying actions]]
Line 35: Line 22:
  
 [[SELinux:Check SELinux Status|Check SELinux Status]] [[SELinux:Check SELinux Status|Check SELinux Status]]
- 
-[[SELinux:Configuring SELinux to log warnings instead of block|Configuring SELinux to log warnings instead of block]] 
  
 [[SELinux:Confine users|Confine users]] [[SELinux:Confine users|Confine users]]
- 
-[[SELinux:Display SELinux Lables|Display SELinux Lables]] 
- 
-[[SELinux:Do Boolean Lockdown|Do Boolean Lockdown]] 
  
 [[SELinux:Find Unprotected Services|Find Unprotected Services]] [[SELinux:Find Unprotected Services|Find Unprotected Services]]
Line 49: Line 30:
  
 [[SELinux:Install SELinux|Install SELinux]] [[SELinux:Install SELinux|Install SELinux]]
- 
-[[SELinux:SELinux Policy Module|SELinux Policy Module]] 
  
 [[SELinux:Run SELinux in enforcing mode|Run SELinux in enforcing mode]] [[SELinux:Run SELinux in enforcing mode|Run SELinux in enforcing mode]]
  
 [[SELinux:Run SELinux in permissive mode|Run SELinux in permissive mode]] [[SELinux:Run SELinux in permissive mode|Run SELinux in permissive mode]]
- 
-[[SELinux:ShareWiz Default Policies|ShareWiz Default Policies]] 
  
 [[SELinux:Temporarily Switch Off SELinux Enforcement|Temporarily Switch Off SELinux Enforcement]] [[SELinux:Temporarily Switch Off SELinux Enforcement|Temporarily Switch Off SELinux Enforcement]]
Line 70: Line 47:
  
  
-References: 
  
-  * https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html 
  
  
  
 +
 +
 +===== See SELinux Labels =====
 +
 +Type the following command:
 +
 +<code bash>
 +ls -lZ /path/to/file
 +ls -lZd /path/to/dir
 +ls -lZd /etc
 +ls -lZ /dev/ | grep deviceName
 +ls -lZ /etc/resolv.conf
 +</code>
 +
 +Sample outputs:
 +
 +<code>
 +-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf
 +</code>
 +
 +
 +
 +
 +===== Do Boolean Lockdown =====
 +
 +Run the **getsebool -a** command and lockdown system:
 +
 +<code bash>
 +getsebool -a | less
 +getsebool -a | grep off
 +getsebool -a | grep on
 +</code>
 +
 +To secure the machine, look at settings which are set to ‘on’ and change to ‘off’ if they do not apply to your setup with the help of setsebool command.  Set correct SE Linux booleans to maintain functionality and protection.
 +
 +Please note that SELinux adds 2-8% overheads to a typical installation.
  
  
help/selinux.1468508418.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki