SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for supporting access control security policies, which gives strong protection. It can stop many attacks before your system gets rooted.

SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.

SELinux is a kernel security extension which can be used to guard against misconfigured or compromised programs. It comes with a Mandatory Access Control (MAC) system that improves on the traditional UNIX/Linux DAC (Discretionary Access Control) model. SELinux can be in any one of the following states:

  • enforcing – SELinux security policy is enforced.
  • permissive – SELinux prints warnings instead of enforcing.
  • disabled – SELinux is fully disabled.

Change the SELinux mode

Check SELinux Status

Install SELinux

Run SELinux in permissive mode

Make sure SELinux did not deny actions

Type the following command to confirm that SELinux did not deny actions during the reboot:

grep "SELinux is preventing" /var/log/messages

If you get any output/error, try using the chcon command. It can be used to change the SELinux security context of a file. However, it is recommended that you relabel the complete filesystem. Type the following command to check the default security contexts for /home (the -n option only reports which labels would change, without modifying any file):

restorecon -Rv -n /home

You can run this on root (/) file system too:

restorecon -Rv -n /

Do not skip this step. Type the following commands:

# touch /.autorelabel
# reboot

It will take some time to relabel the complete filesystem. If you get any errors, or common services such as mysqld or sshd fail to start, try the following solution (go to single user mode):

# init 1
# genhomedircon
# touch /.autorelabel
# reboot

Set SELINUX to enforcing mode

Edit /etc/selinux/config, enter:

vi /etc/selinux/config

Update the configuration file as follows:

/etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

Understanding SELinux Configuration

  • SELINUX=enforcing : Enforcing is the default mode, which enables and enforces the SELinux security policy on the system. It will also deny unauthorized access and log such actions in a log file.
  • SELINUXTYPE=targeted : Only targeted network daemons (such as DNS, Apache and others) are protected.

Save and close the file. Make sure SELinux is not disabled by the Grub boot loader. Search the /boot/grub/grub.conf file using grep and make sure that neither of the following kernel parameters appears:

egrep -i 'selinux=0|enforcing=0' /boot/grub/grub.conf

If you found lines with selinux=0 or enforcing=0, remove them and save the changes.

Reboot the server:

reboot

Make Sure SELinux is Properly Enabled

Type the following command:

sestatus

Sample outputs:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Type the following commands:

semanage port -l
semanage port -l | less
#### look for port 80 ####
semanage port -l | grep -w 80 

Allow Lighttpd / Apache / Nginx At Port 8181

By default SELinux will block access to many ports, including 8181. You need to allow access to port 8181 so that the web server can bind and listen for incoming requests on this non-privileged port. Use the semanage command as follows:

semanage port -a -t http_port_t -p tcp 8181

Find Unprotected Services

Type the following command:

ps -eZ | egrep "initrc" | egrep -vw "ps|tr|egrep|awk|bash" | tr ':' ' ' | awk '{ print $NF }'

You should not see any output on fully configured SELinux systems.

See SELinux Labels

Type the following command:

ls -lZ /path/to/file
ls -lZd /path/to/dir
ls -lZd /etc
ls -lZ /dev/ | grep deviceName
ls -lZ /etc/resolv.conf

Sample outputs:

-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf

Troubleshooting SELinux Policy Errors

SELinux is a pretty complicated piece of kernel software, and it takes time to fix errors. Use the following tools to find and debug SELinux policy problems (refer to your local man pages):

  • ps -Z -p PID
  • ls -Z fileName
  • ausearch
  • restorecon
  • semodule
  • audit2allow
  • Log files: /var/log/audit/audit.log and /var/log/setroubleshoot/setroubleshootd.log
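As an added example (not part of the original page), the following shell function reads audit.log records and summarizes the AVC denials by source type, target type, object class and permission, which is the first thing to look at before reaching for audit2allow. The log lines are constructed for the example and the function name summarize_avc is the example's own.

```shell
#!/bin/sh
# Constructed sample records in the format of /var/log/audit/audit.log
# (not real log data from any system).
SAMPLE_AUDIT='type=AVC msg=audit(1595160184.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1595160184.123:456): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1595160185.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1595160186.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev="sda1" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1595160187.000:459): avc:  granted  { setenforce } for  pid=999 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# summarize_avc: read audit records on stdin, keep only AVC denials (granted
# records and SYSCALL records are skipped) and print one line per distinct
# (source type, target type, class, permission) tuple with its count,
# most frequent first: "<count> <stype> <ttype> <tclass> <perm>".
summarize_avc() {
    awk '
        $1 == "type=AVC" && /avc: *denied/ {
            perm = ""; stype = ""; ttype = ""; tclass = ""
            # the permission set sits between the braces: { read write }
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # a context is user:role:type:level; the type is the 3rd field
                if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                else if (kv[1] == "tclass") tclass = kv[2]
            }
            count[stype " " ttype " " tclass " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real host you would use:
#   summarize_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

A tuple with a high count against a type such as user_home_t usually means mislabelled files (restorecon), whereas a name_bind denial on a port means the port label is missing (semanage port), so the summary tells you which fix applies before you consider a custom module.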

Recommended readings:

Do Boolean Lockdown

Run the getsebool -a command and lockdown system:

getsebool -a | less
getsebool -a | grep off
getsebool -a | grep on

To secure the machine, look at the settings which are set to 'on' and change them to 'off' with the setsebool command if they do not apply to your setup. Set the correct SELinux booleans to maintain both functionality and protection.
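As an added example (not from the original page), the following shell functions apply the lockdown step to getsebool -a output: every boolean that is 'on' but not in a list of booleans the host actually needs is reported, and the matching persistent setsebool -P commands are printed for review rather than executed. The getsebool output and the REQUIRED_ON list are constructed assumptions for the example.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (not from a real host).
SAMPLE_BOOLS='ftpd_anon_write --> off
httpd_can_network_connect --> on
httpd_can_sendmail --> off
httpd_enable_homedirs --> on
samba_enable_home_dirs --> on'

# Booleans this host is assumed to need switched on (example assumption).
REQUIRED_ON='httpd_can_network_connect'

# unexpected_on: read getsebool output on stdin and print every boolean that
# is "on" but absent from $1 (a space-separated list of required booleans).
unexpected_on() {
    required=" $1 "
    while read -r name arrow value; do
        [ "$arrow" = "-->" ] || continue   # skip anything that is not a boolean line
        [ "$value" = "on" ] || continue    # only booleans that are currently on
        case "$required" in
            *" $name "*) ;;                 # needed by this host: leave it on
            *) printf '%s\n' "$name" ;;     # not needed: candidate to switch off
        esac
    done
}

# lockdown_commands: turn the unexpected_on list into the setsebool
# invocations an admin reviews and then runs (-P makes the change persistent).
lockdown_commands() {
    unexpected_on "$1" | while read -r name; do
        printf 'setsebool -P %s off\n' "$name"
    done
}

# Stand-alone run over the constructed sample; on a real host you would use:
#   getsebool -a | lockdown_commands "$REQUIRED_ON"
printf '%s\n' "$SAMPLE_BOOLS" | lockdown_commands "$REQUIRED_ON"
```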

Please note that SELinux adds 2-8% overheads to a typical installation.

Temporarily Switch Off SELinux Enforcement

Type the following command as root user:

echo 0 >/selinux/enforce

Type the following command to see current status, enter:

sestatus

Sample outputs:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Temporarily switch on SELinux enforcement

Type the following command as root user:

echo 1 >/selinux/enforce

Type the following command to see current status, enter:

sestatus

Sample outputs:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Turn off SELinux

Type the following command:

echo 0 >/selinux/enforce

You can also use the setenforce command to effectively disable it, enter:

setenforce Permissive

OR

setenforce 0

The above commands switch off SELinux enforcement temporarily, until the machine is rebooted. If you would like to make the change permanent, edit /etc/sysconfig/selinux, enter:

vi /etc/sysconfig/selinux

And set / update it as follows:

/etc/sysconfig/selinux
SELINUX=disabled

Save and close the file. The above will only work on CentOS, Fedora and Red Hat Enterprise Linux systems. For all other Linux distros, edit your boot loader config file (the LILO or GRUB config file, such as /boot/grub/grub.conf). Find the kernel line and append enforcing=0 at the end of it:

title Red Hat Enterprise Linux Server (2.6.18-194.26.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 enforcing=0
        initrd /initrd-2.6.18-194.26.1.el5.img

Finally, reboot the system:

reboot

Confine users

help/selinux.1595160184.txt.gz · Last modified: 2020/07/19 12:03 by 173.212.242.224
