====== SELinux ======
Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for supporting access control security policies. It can stop many attacks before your system is rooted.
SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
SELinux is a kernel security extension that can be used to guard against misconfigured or compromised programs. It comes with a Mandatory Access Control (MAC) system that improves on the traditional UNIX/Linux DAC (Discretionary Access Control) model.
SELinux can be in any one of the following states:
* enforcing – SELinux security policy is enforced.
* permissive – SELinux prints warnings instead of enforcing.
* disabled – SELinux is fully disabled.
[[SELinux:Allow access to an HTTP network port|Allow access to an HTTP network port]]
[[SELinux:Change the SELinux mode|Change the SELinux mode]]
[[SELinux:Check that SELinux is not denying actions|Check that SELinux is not denying actions]]
[[SELinux:Check that SELinux is Properly Enabled|Check that SELinux is Properly Enabled]]
[[SELinux:Check SELinux Status|Check SELinux Status]]
[[SELinux:Confine users|Confine users]]
[[SELinux:Find Unprotected Services|Find Unprotected Services]]
[[SELinux:Get List Of Allowed Network Ports|Get List Of Allowed Network Ports]]
[[SELinux:Install SELinux|Install SELinux]]
[[SELinux:Run SELinux in enforcing mode|Run SELinux in enforcing mode]]
[[SELinux:Run SELinux in permissive mode|Run SELinux in permissive mode]]
[[SELinux:Temporarily Switch Off SELinux Enforcement|Temporarily Switch Off SELinux Enforcement]]
[[SELinux:Temporarily Switch On SELinux Enforcement|Temporarily Switch On SELinux Enforcement]]
[[SELinux:Troubleshooting SELinux Policy Errors|Troubleshooting SELinux Policy Errors]]
[[SELinux:Turn off SELinux|Turn off SELinux]]
[[SELinux:Understanding SELinux Configuration|Understanding SELinux Configuration]]
===== See SELinux Labels =====
Type the following commands:
<code bash>
ls -lZ /path/to/file
ls -lZd /path/to/dir
ls -lZd /etc
ls -lZ /dev/ | grep deviceName
ls -lZ /etc/resolv.conf
</code>
Sample output:
<code>
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
</code>
===== Do Boolean Lockdown =====
Run the **getsebool -a** command and lock down the system:
<code bash>
getsebool -a | less
getsebool -a | grep off
getsebool -a | grep on
</code>
To secure the machine, look at settings that are set to 'on' and change them to 'off' with the setsebool command if they do not apply to your setup. Set the correct SELinux booleans to maintain both functionality and protection.
Please note that SELinux adds 2-8% overhead to a typical installation.
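As an added example (not part of the original page), the following POSIX shell functions turn the boolean review above into a repeatable dry run: they parse `getsebool -a` style output, list the booleans that are on, and print (without executing) the `setsebool -P ... off` commands for every one that is not on an explicit keep list. The sample output embedded in `SAMPLE_GETSEBOOL` is constructed, not captured from a real host, and `label_type` just splits a label of the form shown in the ls -lZ section.

```shell
# Constructed sample of `getsebool -a` output (assumption: not from a real host)
SAMPLE_GETSEBOOL='abrt_anon_write --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> on
samba_enable_home_dirs --> on
ftpd_anon_write --> off'

# Print the names of booleans that are currently "on".
# Reads `getsebool -a` style lines ("name --> on|off") from stdin.
booleans_on() {
    awk '$2 == "-->" && $3 == "on" { print $1 }'
}

# Dry-run lockdown plan: for every boolean that is "on" and is not in the
# whitespace-separated KEEP list ($1), print the setsebool command that would
# switch it off persistently (-P). Nothing is executed; review the plan first.
lockdown_plan() {
    keep=" $1 "
    booleans_on | while read -r name; do
        case "$keep" in
            *" $name "*) ;;   # needed by this host's workload, leave it on
            *) printf 'setsebool -P %s off\n' "$name" ;;
        esac
    done
}

# Extract the SELinux type (third field) from a label such as
# "system_u:object_r:net_conf_t" as shown by ls -lZ.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Typical use on a real host (hypothetical keep list):
#   getsebool -a | lockdown_plan "httpd_can_network_connect"
```

Review the printed plan before running any of it, because a boolean that looks unused may still be needed by a service that is not running at the moment of the check.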