SELinux
Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for enforcing access control security policies, and it offers strong protection. It can stop many attacks before your system is rooted.
SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
SELinux is a kernel security extension which can be used to guard against misconfigured or compromised programs. It comes with a Mandatory Access Control (MAC) system that improves on the traditional UNIX/Linux DAC (Discretionary Access Control) model.
SELinux can be in any one of the following states:
- enforcing – SELinux security policy is enforced.
- permissive – SELinux prints warnings instead of enforcing.
- disabled – SELinux is fully disabled.
Check that SELinux is not denying actions
Check that SELinux is Properly Enabled
Get List Of Allowed Network Ports
Run SELinux in permissive mode
Temporarily Switch Off SELinux Enforcement
Allow Lighttpd / Apache / Nginx At Port 8181
By default SELinux will block a web server from using many ports, including 8181. You need to allow access to port 8181 so that the web server can bind and listen for incoming requests on this non-privileged port. Use the semanage command as follows:
semanage port -a -t http_port_t -p tcp 8181
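Before adding a port label it is worth checking whether the port is already covered, because semanage port -a fails when the port is already defined for that type. The following is an added example (not from the original page): a small shell helper that reads the output of semanage port -l, honours both single ports and ranges, and prints the semanage command only when it is actually needed. The port listing below is a constructed sample (example_port_t is a made-up type used only to exercise the range handling); on a real host, pipe the live semanage port -l output into port_has_type instead.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Decide whether a port is already covered by a given SELinux port type before
# running "semanage port -a". Input is the text of "semanage port -l", which
# prints one line per type: "<type> <proto> <port>[, <port-or-range>...]".

# Constructed sample of "semanage port -l" output. "example_port_t" is a
# made-up type included only to show range handling.
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
example_port_t                 tcp      8000-8100
ntp_port_t                     udp      123'

# port_has_type <port> <proto> <type>
# Reads "semanage port -l" text on stdin; returns 0 if <port> is inside any
# number or range listed for <type>/<proto>, 1 otherwise.
port_has_type() {
    awk -v port="$1" -v proto="$2" -v want="$3" '
        $1 == want && $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)          # strip the trailing comma
                n = split(item, r, "-")      # "8000-8100" -> r[1]=8000, r[2]=8100
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# plan_port_label <port> <proto> <type>
# Prints the semanage command that would be needed, or a note that nothing
# needs to change. Uses SAMPLE_PORT_LIST so the example runs without SELinux;
# on a real host replace the printf with: semanage port -l | port_has_type ...
plan_port_label() {
    if printf '%s\n' "$SAMPLE_PORT_LIST" | port_has_type "$1" "$2" "$3"; then
        echo "port $2/$1 already labelled $3; nothing to do"
    else
        echo "semanage port -a -t $3 -p $2 $1"
    fi
}

plan_port_label 8181 tcp http_port_t   # not labelled: prints the semanage command
plan_port_label 443 tcp http_port_t    # already in the http_port_t list
```

The helper only plans the change; run the printed semanage line yourself once you have confirmed the port really belongs to the web server type, since a port that is already assigned to another type must be modified with semanage port -m rather than added.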
See SELinux Labels
Type the following command:
ls -lZ /path/to/file
ls -lZd /path/to/dir
ls -lZd /etc
ls -lZ /dev/ | grep deviceName
ls -lZ /etc/resolv.conf
Sample outputs:
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
Do Boolean Lockdown
Run the getsebool -a command and lockdown system:
getsebool -a | less
getsebool -a | grep off
getsebool -a | grep on
To secure the machine, look at the settings which are set to ‘on’ and change them to ‘off’ with the setsebool command if they do not apply to your setup. Set the correct SELinux booleans to maintain both functionality and protection.
Please note that SELinux adds 2-8% overheads to a typical installation.
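Going through getsebool -a by hand is error-prone on a host with a long boolean list. The following added example (not from the original page) turns the lockdown step into an auditable script: it reads getsebool -a output, keeps the booleans you list explicitly because the host needs them, and prints a setsebool -P line for every other boolean that is still on. The getsebool output below is a constructed sample; the boolean names in it are real SELinux booleans from the targeted policy, but their on/off values are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Audit "getsebool -a" output and produce the setsebool commands needed to turn
# off every boolean that is on but not on an explicit keep-list.

# Constructed sample of "getsebool -a" output (values chosen for the demo).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_enable_homedirs --> off
httpd_use_nfs --> on
ftpd_full_access --> on
ssh_sysadm_login --> off'

# booleans_on : read getsebool output on stdin, print the names that are "on"
booleans_on() {
    awk '$2 == "-->" && $3 == "on" { print $1 }'
}

# lockdown_plan <keep1> [<keep2> ...]
# Read getsebool output on stdin and print one "setsebool -P NAME off" line for
# every on-boolean not in the keep list. -P makes the change persistent across
# reboots; without it the boolean reverts at the next boot.
lockdown_plan() {
    keep=" $* "
    booleans_on | while read -r name; do
        case "$keep" in
            *" $name "*) ;;                         # required on this host, leave it on
            *) echo "setsebool -P $name off" ;;
        esac
    done
}

# On a real host: getsebool -a | lockdown_plan httpd_can_network_connect
printf '%s\n' "$SAMPLE_GETSEBOOL" | lockdown_plan httpd_can_network_connect
```

Review the printed lines before running them (for example, pipe them into sh only after reading them), and keep the invocation in version control so the keep-list documents why each remaining boolean is on.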
Temporarily switch on SELinux enforcement
Type the following command as root user:
echo 1 >/selinux/enforce
Type the following command to see current status, enter:
sestatus
Sample outputs:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
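The two lines worth comparing in that output are "Current mode" and "Mode from config file": when they differ, someone has switched enforcement off at runtime and the host will silently go back to enforcing at the next reboot (or, worse, is running permissive while everyone assumes it is enforcing). The following added example (not from the original page) parses sestatus output and fails unless SELinux is enabled and enforcing both now and in the config file, which makes it usable from cron or a monitoring agent. The sestatus text below is a constructed sample showing exactly that drift.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Read "sestatus" output and flag the situations an operator wants to catch:
# SELinux not enabled, runtime mode different from the configured mode, or a
# mode that is not enforcing.

# Constructed sample of "sestatus" output with runtime/config drift.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted'

# field <label> : print the value after "<label>:" from sestatus text on stdin
field() {
    awk -F': *' -v want="$1" '$1 == want { print $2 }'
}

# sestatus_check : reads sestatus output on stdin, prints one verdict line and
# returns 0 only when SELinux is enabled and enforcing both now and in config.
sestatus_check() {
    text=$(cat)
    status=$(printf '%s\n' "$text" | field "SELinux status")
    now=$(printf '%s\n' "$text" | field "Current mode")
    cfg=$(printf '%s\n' "$text" | field "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux is $status"
        return 1
    fi
    if [ "$now" != "$cfg" ]; then
        echo "FAIL: running $now but config says $cfg (temporary setenforce in effect?)"
        return 1
    fi
    if [ "$now" != "enforcing" ]; then
        echo "FAIL: mode is $now, not enforcing"
        return 1
    fi
    echo "OK: enabled and enforcing"
}

# On a real host: sestatus | sestatus_check
# The sample deliberately fails; "|| true" keeps the demo from aborting a -e shell.
printf '%s\n' "$SAMPLE_SESTATUS" | sestatus_check || true
```

The non-zero return value is the useful part: wire sestatus | sestatus_check into whatever already pages you for failed checks, and the permissive-but-configured-enforcing case stops going unnoticed.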
Turn off SELinux
Type the following command:
echo 0 >/selinux/enforce
You can also use the setenforce command to effectively disable it, enter:
setenforce Permissive
OR
setenforce 0
The above commands switch off SELinux enforcement temporarily, until the machine is rebooted. If you would like to make the change permanent, edit /etc/sysconfig/selinux:
vi /etc/sysconfig/selinux
And set / update it as follows:
- /etc/sysconfig/selinux
SELINUX=disabled
Save and close the file. The above only works on CentOS, Fedora and Red Hat Enterprise Linux systems. For all other Linux distros, edit your boot loader config file (the LILO or GRUB config file, such as /boot/grub/grub.conf). Find the kernel line and append enforcing=0 at the end:
title Red Hat Enterprise Linux Server (2.6.18-194.26.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.26.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 enforcing=0
        initrd /initrd-2.6.18-194.26.1.el5.img
Finally, reboot the system:
reboot