Note: This is an RHCSA 7 exam objective.
Presentation
SELinux stands for Security-Enhanced Linux. It is a mandatory access control mechanism built into the kernel that improves server security by confining processes to the resources their policy allows.
The /etc/selinux/config file stores the current configuration:
# more /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
SELinux can run in three different modes (enforcing, permissive and disabled) well described in the above file.
Besides the mode, there is a SELinux policy type (targeted, minimum and mls). Unless you work in a military agency, you will never need to change the default targeted type.
Configuration
To get the current SELinux status:
# sestatus
To set enforcing mode, type:
# setenforce enforcing
To make this change permanent, edit the /etc/sysconfig/selinux file (or the /etc/selinux/config file) and set the following value:
SELINUX=enforcing
Alternatively, to set permissive mode, type:
# setenforce permissive
To make this change permanent, edit the /etc/sysconfig/selinux file (or the /etc/selinux/config file) and set the following value:
SELINUX=permissive
To lock the current mode and policy so that no further change is possible without a reboot (the -P option can be added, but with caution), type:
# setsebool secure_mode_policyload on
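The steps above (check the live mode, change it, make it persistent in the config file) gathered into one script, as an added example that is not part of the original tutorial. The function names are my own; the script works on any file you point it at, so it can be exercised on a copy before touching /etc/selinux/config on a real RHEL 7 host. A bogus mode is rejected rather than written, since a broken SELINUX= line is not something you want to discover at the next boot.

```shell
#!/bin/sh
# Added example: inspect and set the persistent SELinux mode.
# Usage: sh selinux_mode.sh [config-file] [enforcing|permissive|disabled]
# With no arguments it only reports the live mode.

# Print the live mode when the SELinux tools are present (getenforce ships
# with policycoreutils); say so instead of failing on hosts without them.
show_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "getenforce not available on this host"
    fi
}

# Read the SELINUX= value from a config file, ignoring commented lines.
get_configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line. Only the three documented values are accepted;
# anything else is refused so a typo cannot leave the file unusable.
# Written via a temporary file so the original is untouched on error.
set_configured_mode() {
    file=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode (use enforcing, permissive or disabled)" >&2
           return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample standing in for /etc/selinux/config (same layout,
# comments shortened) so the functions can be tried without root.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# When run directly: report the live mode, then optionally set/read a file.
show_runtime_mode
if [ $# -ge 2 ]; then
    set_configured_mode "$1" "$2"
fi
if [ $# -ge 1 ]; then
    echo "configured mode in $1: $(get_configured_mode "$1")"
fi
```

Remember that editing the file only affects the next boot; the running mode is still changed with setenforce, and the two are checked together with sestatus.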
Additional Resources
Also, you can:
- watch Thomas Cameron’s 2015 Red Hat Summit presentation SELinux for mere mortals (52min/2015),
- follow Red Hat Jamie Duncan’s SELinux workshop,
- read Sven Vermeulen’s blog to better understand SELinux,
- buy Sven Vermeulen’s book to get a complete presentation about SELinux,
- follow the Gentoo SELinux tutorials written by Sven Vermeulen,
- consult the SELinux Userspace wiki,
- read the CIS RHEL 7 Server Hardening Guide,
- have a look at the SELinux Game website,
- read Thomas Cameron’s 2018 Red Hat Summit presentation about SEcurity ENhanced Linux for Mere Mortals,
- read How SELinux helps mitigate risk while facilitating compliance,
- read Lukas Vrabec’s blog about SELinux,
- read the SELinux free notebook (4th edition),
- read Linuxbuff’s article about SELinux.
I would like to ask the following because I have searched the web for a long time but I can’t find info.
How can I find which types of context can be accessed by the httpd_t domain for example?
Of course I am not referring to those under /var/www.
Thanks in Advance and I am sorry for the too many questions.
You should look at the sepolicy, seinfo and sesearch commands coming respectively with the policycoreutils-devel and setools-console packages.
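A way to put that answer to work, as an added example that is not part of the original page or its comments: on a host with setools-console installed, sesearch asks the loaded policy which file types the httpd_t domain is allowed to read, and a small awk filter reduces the rule list to the distinct target types. The function names are mine, and SAMPLE_RULES is a constructed sesearch-style output so the filter can be checked offline.

```shell
#!/bin/sh
# Added example: list the file types readable by httpd_t according to the
# loaded policy (needs the setools-console package for sesearch).

# Query the live policy. -s selects the source domain, -c the object class,
# -p the permission; rules granted through attributes httpd_t belongs to
# are included as well.
query_httpd_readable_file_types() {
    sesearch --allow -s httpd_t -c file -p read
}

# Reduce lines of the form
#   allow <source> <target>:<class> { perms };
# to the sorted set of distinct target types. A target may be an attribute
# (e.g. a *_file_type name) rather than a single type; it is kept as-is and
# can be expanded with seinfo.
target_types() {
    awk '$1 == "allow" { split($3, t, ":"); print t[1] }' | sort -u
}

# Constructed sample of sesearch output (not taken from a real system).
SAMPLE_RULES='allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t httpd_config_t:file { getattr ioctl lock open read };
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow domain base_ro_file_type:file { getattr ioctl lock open read };'

# Run the filter over the constructed sample.
sample_target_types() {
    printf '%s\n' "$SAMPLE_RULES" | target_types
}

# On a real host: query_httpd_readable_file_types | target_types
sample_target_types
```

The same pattern works for any domain and class pair; swap -c file -p read for, say, -c tcp_socket -p name_connect to see which port types the domain may connect to.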
If in the exam, I am asked to set SELinux to enforcing, can I do it at the end? How will it affect my other configurations?
I don’t think setting SELinux to enforcing at the end of the exam is a good idea.
The risk is to believe that the overall configuration of a given service is fine when the SELinux part isn’t working.
You will then have to check a second time each service, which will take some additional time.
To make the reboot mandatory to change the configuration (-P can be added but with caution), type:
# setsebool secure_mode_policyload on
-I think -P will be added onto this? 🙂
# setsebool -P secure_mode_policyload on
Normally you don’t add the -P option. To allow the loading of a SELinux policy again, you have to reboot.
If you add the -P option, reboot will not be enough to unlock the configuration.
Don’t try that on a production server. If you want to use this, try in your lab before.