
selinux Command in Linux
Security-Enhanced Linux (SELinux) is a Linux Security Module built into the kernel. It enforces mandatory access control (MAC): every access a process makes to a file, directory, socket, port or other resource is checked by the kernel against a loaded policy, in addition to the usual owner/group permissions. Unlike those discretionary permissions, the policy cannot be relaxed by a file's owner and it confines root as well, so a compromised service such as a web server gains only what its SELinux domain is allowed.
Table of Contents
This page covers the commands and options used to manage SELinux −
- Key Features of SELinux Command
- How to Use selinux Command in Linux?
- The Three Operating Modes of SELinux Command
- Managing File Contexts Rules in SELinux Command
- Managing Port Labels Rules in SELinux Command
- Managing SELinux Booleans
- Managing SELinux Users and Roles
- Troubleshooting SELinux Issues
Key Features of SELinux Command
Listed below are some of the key features of SELinux −
- Enforcing Access Controls − SELinux allows an access only when a rule in the loaded policy grants it; everything not granted is denied and logged.
- Type Enforcement (TE) − The core of the policy. Every process runs in a domain and every object carries a type, and a domain may act on a type only where a rule permits that specific permission.
- Role-Based Access Control (RBAC) − Defines roles and the domains each role may enter; Linux accounts are mapped to SELinux users, which in turn are limited to a set of roles.
- Multi-Level Security (MLS) − Labels data with sensitivity levels and categories (the s0 and c0.c1023 seen in contexts below) and controls access accordingly. The default targeted policy uses only the category part of this, known as MCS.
How to Use selinux Command in Linux?
There is no single selinux binary; SELinux is administered with a family of commands, most of them from the policycoreutils package (semanage ships separately, in policycoreutils-python-utils on RHEL-family systems). Here are the essential ones −
sestatus − The sestatus command displays the current status of SELinux on the system.
sestatus

The output shows whether SELinux is enabled, the current mode, the mode configured in /etc/selinux/config (the two differ after a runtime setenforce), the name of the loaded policy (usually targeted) and whether MLS is enabled. sestatus -v additionally prints the contexts of key processes and files.
getenforce − The getenforce command prints the current mode of SELinux.
getenforce

It prints exactly one of Enforcing, Permissive or Disabled, which makes it convenient in scripts.
setenforce − The setenforce command switches SELinux between enforcing and permissive mode at runtime. It requires root, takes effect immediately and is not persistent: the mode set in /etc/selinux/config returns at the next boot. It cannot be used at all while SELinux is disabled.
sudo setenforce 0

This sets SELinux to permissive mode (setenforce Permissive is equivalent).
sudo setenforce 1

This sets SELinux back to enforcing mode (setenforce Enforcing is equivalent).
chcon − The chcon command changes the SELinux security context of files, directories and other objects. The change is written to the inode only and is not recorded in the policy, so the next restorecon or filesystem relabel reverts it; use chcon for quick tests and semanage fcontext for anything that must persist.
chcon -t httpd_sys_content_t /var/www/html/index.html

In this example, the type of index.html is changed to httpd_sys_content_t, the type the web server (running in the httpd_t domain) is allowed to read. chcon --reference=FILE copies the context of another file instead of naming the fields.
restorecon − The restorecon command resets files and directories to the context the policy's file-context rules specify. -R recurses, -v reports each change and -n only reports what would change, so restorecon -Rvn is a safe first step on an unfamiliar tree.
restorecon -Rv /var/www/html

In this example, the default contexts are restored for /var/www/html and everything beneath it. By default only the type field is reset; -F also resets the user, role and level fields.
semanage − The semanage command manages the persistent parts of the SELinux configuration: file-context rules, port labels, booleans, SELinux user and login mappings, and per-domain permissive settings.
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"

In this example, a file-context rule is added that assigns httpd_sys_content_t to /var/www/html and everything beneath it. The rule is only recorded in the policy store; existing files keep their current labels until restorecon -Rv /var/www/html is run.
The Three Operating Modes of SELinux
SELinux operates in three modes, each providing different levels of enforcement and logging −
Enforcing Mode
In enforcing mode, SELinux applies its policy and denies (and logs) every access the policy does not allow. This is the default on distributions that ship SELinux, such as Fedora and RHEL, and the mode a production system should run in.
sudo setenforce 1

Permissive Mode
In permissive mode, SELinux loads the policy and logs every access that would have been denied, but allows it. This is useful for diagnosing policy problems without breaking a service. Note that a process can behave differently than in enforcing mode, because it no longer stops at its first denial and may therefore log a longer chain of them. When only one service is being debugged, make just its domain permissive rather than the whole system, for example with sudo semanage permissive -a httpd_t (undo with -d); the rest of the system stays enforcing.
sudo setenforce 0

Disabled Mode
In disabled mode, SELinux is turned off entirely: no policy is loaded, nothing is enforced or logged, and new files are created without labels. This mode is not recommended for production systems as it leaves the system without the additional security provided by SELinux.
To disable SELinux, edit the configuration file /etc/selinux/config, set SELINUX=disabled and reboot; setenforce cannot switch to or from disabled. When re-enabling later, files created while SELinux was disabled have no valid labels, so schedule a full relabel with touch /.autorelabel before the reboot, otherwise booting straight into enforcing mode can fail.
SELinux Contexts
An SELinux context is the label the kernel attaches to every process and object (file, directory, socket, port) and the input to every policy decision. A context consists of four colon-separated components: user, role, type and level.
system_u:object_r:httpd_sys_content_t:s0
- system_u − SELinux user
- object_r − SELinux role
- httpd_sys_content_t − SELinux type
- s0 − MLS/MCS sensitivity level; it may also be a range with categories, such as s0-s0:c0.c1023
You can view the SELinux context of a file using ls -Z (ls -lZ adds the usual long-listing fields); ps -Z and id -Z show the contexts of processes and of your own shell −
ls -Z /var/www/html/index.html
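To make the four-field layout concrete, here is an added Python example (not code from the original page) that parses contexts, including MLS ranges such as s0-s0:c0.c1023, reads ls -Z or ls -lZ output, and reports files under a web root whose type differs from what the file-context rules would assign. The ls -Z lines and the extra uploads rule are constructed sample data; the context layout, the last-match rule lookup and the httpd_* type names are real.

```python
"""Parse SELinux contexts and audit web-root labels from `ls -Z` output.

Added example (Python, not code from the original page). The contexts, paths
and `ls -Z` lines below are constructed sample data; the context layout
(user:role:type:level) and the httpd_* type names are real.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    user: str   # SELinux user, e.g. system_u
    role: str   # SELinux role, object_r for files
    type: str   # SELinux type, e.g. httpd_sys_content_t
    level: str  # MLS/MCS level or range, e.g. "s0" or "s0-s0:c0.c1023"


def parse_context(ctx: str) -> Context:
    """Split user:role:type:level.

    The level itself may contain colons (categories such as s0:c0.c1023),
    so split on the first three colons only.
    """
    parts = ctx.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, type_, level = parts
    if not role.endswith("_r") or not type_.endswith("_t"):
        raise ValueError(f"unexpected role/type naming in context: {ctx!r}")
    return Context(user, role, type_, level)


# `ls -Z` prints "<context> <path>"; `ls -lZ` puts mode/owner fields first.
# Either way the context is the token that looks like user:role_r:type_t:level.
LS_Z_RE = re.compile(r"(\S+:\S+_r:\S+_t:\S+)\s+(.+?)\s*$")


def parse_ls_z(line: str) -> tuple:
    """Return (path, Context) for one line of ls -Z / ls -lZ output."""
    m = LS_Z_RE.search(line)
    if not m:
        raise ValueError(f"no SELinux context found in: {line!r}")
    return m.group(2), parse_context(m.group(1))


def expected_type(path: str, fcontext_rules: list) -> Optional[str]:
    """Emulate the file_contexts lookup used by restorecon/matchpathcon:
    each rule is a regex anchored at both ends and the LAST matching rule
    wins, which is why semanage's local rules (appended after the
    distribution file) override it. Returns None when nothing matches."""
    winner = None
    for pattern, type_ in fcontext_rules:
        if re.fullmatch(pattern, path):
            winner = type_
    return winner


def audit_labels(ls_z_output: str, fcontext_rules: list) -> list:
    """Return (path, actual_type, expected_type) for every entry whose current
    type differs from what the rules say restorecon would set."""
    findings = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        path, ctx = parse_ls_z(line)
        want = expected_type(path, fcontext_rules)
        if want is not None and ctx.type != want:
            findings.append((path, ctx.type, want))
    return findings


# Constructed sample: the rule from the page plus a stricter one for an uploads
# directory, and ls -Z output in which two entries were moved in with mv
# (mv keeps the old label; cp would have picked up the directory's default).
RULES = [
    (r"/var/www/html(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/html/uploads(/.*)?", "httpd_sys_rw_content_t"),
]
SAMPLE_LS_Z = """\
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/report.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads
unconfined_u:object_r:default_t:s0 /var/www/html/legacy
"""

if __name__ == "__main__":
    for path, have, want in audit_labels(SAMPLE_LS_Z, RULES):
        print(f"{path}: labelled {have}, policy expects {want} -> restorecon -v {path}")
```

On a real host the same check is `restorecon -Rvn /var/www/html`, and `matchpathcon PATH` prints the label the rules expect for a single path. The two mislabelled entries in the sample are the classic case: mv preserves the source's label, so a file dragged in from a home directory stays user_home_t and httpd_t cannot read it, while cp creates a new inode labelled per the destination's rule.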

Managing File Contexts Rules in SELinux Command
The semanage fcontext command is used to manage file context rules in SELinux. Here are some examples −
Adding a File Context Rule
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"

In this example, a file context rule is added to assign the httpd_sys_content_t type to files and directories under /var/www/html. The rule goes into the local file-context list (it overrides the distribution's rules for the same paths) and applies to existing files only after restorecon -Rv /var/www/html. semanage fcontext -l lists all rules; semanage fcontext -l -C shows only local additions.
Modifying a File Context Rule
sudo semanage fcontext -m -t httpd_sys_rw_content_t "/var/www/html(/.*)?"

In this example, the existing rule for /var/www/html is changed to httpd_sys_rw_content_t, the type httpd is also allowed to write to (use it only for the directories an application really writes into). -m modifies a rule that already exists and fails otherwise; as with -a, the new type reaches the files only after restorecon.
Deleting a File Context Rule
sudo semanage fcontext -d "/var/www/html(/.*)?"

In this example, the local rule for /var/www/html is deleted. Files keep their current labels until restorecon is run, after which they fall back to the distribution's own rule for /var/www, which also assigns httpd_sys_content_t.
Managing Port Labels Rules in SELinux Command
The semanage port command manages port labels, which are how a confined domain such as httpd_t is allowed to bind to or connect to a TCP or UDP port. semanage port -l lists the current labels.
Adding a Port Label Rule
sudo semanage port -a -t http_port_t -p tcp 8080

In this example, tcp port 8080 is labelled http_port_t so that httpd may listen on it. On the default targeted policy this exact command fails with "Port tcp/8080 already defined", because the base policy already labels 8080 as http_cache_port_t; in that case use semanage port -m instead of -a. Check the current label first with semanage port -l | grep -w 8080.
Deleting a Port Label Rule
sudo semanage port -d -t http_port_t -p tcp 8080

In this example, the local rule for tcp port 8080 is removed. Only rules added or modified locally can be deleted; ports labelled by the base policy cannot be removed, only modified with -m.
Managing SELinux Booleans
SELinux booleans are switches that enable or disable groups of policy rules without writing a policy module. getsebool -a lists them with their current values and semanage boolean -l adds a one-line description of each. They can be set with setsebool or with semanage boolean; the difference is persistence, explained below.
Enabling an SELinux Boolean
sudo semanage boolean -m --on httpd_enable_homedirs
In this example, the httpd_enable_homedirs boolean is enabled, allowing the HTTP daemon to serve content from users' home directories. semanage boolean -m writes the change to the policy store, so it survives a reboot. setsebool httpd_enable_homedirs on changes it for the running system only; setsebool -P httpd_enable_homedirs on is the persistent equivalent.
Disabling an SELinux Boolean
sudo semanage boolean -m --off httpd_enable_homedirs

In this example, the httpd_enable_homedirs boolean is disabled again, persistently.
Managing SELinux Users and Roles
The semanage user command manages SELinux users (the identities roles are attached to), while the semanage login command maps Linux accounts to SELinux users. semanage user -l and semanage login -l show the current tables.
Adding an SELinux User Mapping
sudo semanage user -a -r s0-s0:c0.c1023 -R "staff_r sysadm_r" newuser_u

In this example, a new SELinux user newuser_u is added with the MLS/MCS range s0-s0:c0.c1023 (given with -r; -L sets only the default level, which stays s0) and the roles staff_r and sysadm_r. This creates an SELinux identity only, not a Linux account; it takes effect once Linux accounts are mapped to it with semanage login.
Adding a Login Mapping
sudo semanage login -a -s user_u johndoe

In this example, the Linux account johndoe is mapped to the SELinux user user_u. The mapping applies from the next login. user_u is the confined, unprivileged user: it cannot use su or sudo, so do not map administrators to it; staff_u is the confined choice for accounts that need sudo. The __default__ entry shown by semanage login -l is the mapping used by every account without an explicit entry (unconfined_u on the targeted policy).
Troubleshooting SELinux Issues
When encountering SELinux-related issues, the following steps can help diagnose and resolve the problems −
Checking SELinux Status
Ensure that SELinux is enabled and in the correct mode using the sestatus command.
sestatus

Viewing Audit Logs
SELinux reports each denial as an AVC record in the audit log (/var/log/audit/audit.log when auditd is running; otherwise in the kernel log, see dmesg or journalctl -k). ausearch queries the audit log; audit2why explains why a denial happened (missing rule, a boolean that is off, or a label problem) and audit2allow turns denials into a policy module. audit2allow is the last resort, after labels and booleans have been checked, because it converts whatever was denied into policy.
ausearch -m avc -ts recent

This command lists the Access Vector Cache (AVC) messages recorded in the audit log during the last ten minutes (recent). Add -i to translate numeric fields and -c httpd to limit the search to one command name. Pipe the output to audit2why for an explanation, or run sealert -a /var/log/audit/audit.log if setroubleshoot is installed.
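As an added example (Python, not code from the original page) of what to do with those records, the script below parses raw AVC lines, groups the denials by source type, target type and object class, renders the allow rules audit2allow would propose, and attaches a triage hint to each denial so that a mislabelled file or a port label is fixed rather than allowed. The audit records are constructed samples in audit.log format; the field names, the type names and the httpd_can_network_connect boolean are real.

```python
"""Summarise SELinux AVC denials from audit records and render the TE allow
rules that audit2allow would propose, with a triage hint per denial.

Added example (Python, not code from the original page). The audit records
below are constructed samples in raw audit.log format; the field names
(scontext, tcontext, tclass, permissive), the type names and the
httpd_can_network_connect boolean are real.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that, on a service's data directory, usually mean a mislabelled
# file rather than a missing rule (mv keeps the old label; unlabeled_t appears
# on files created while SELinux was disabled).
SUSPECT_TARGET_TYPES = {"user_home_t", "default_t", "unlabeled_t", "tmp_t"}


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool   # True: the action was allowed and only logged
    comm: str
    target: str        # path=, name= or dest= field when present


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an `avc: denied` record, None for any other line."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return Denial(
        perms=frozenset(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
        comm=fields.get("comm", "?"),
        target=fields.get("path") or fields.get("name") or fields.get("dest") or "?",
    )


def type_of(ctx: str) -> str:
    """Third field of user:role:type:level."""
    return ctx.split(":")[2]


def summarise(log_text: str) -> dict:
    """Group denials by (source type, target type, class) and union their perms."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            grouped[(type_of(d.scontext), type_of(d.tcontext), d.tclass)] |= d.perms
    return dict(grouped)


def allow_rules(summary: dict) -> list:
    """Render rules in the form audit2allow prints. Loading them verbatim turns
    every denial into policy, so triage first."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def triage(d: Denial) -> str:
    """A first guess at the cause, to check before writing any allow rule."""
    stype, ttype = type_of(d.scontext), type_of(d.tcontext)
    if ttype in SUSPECT_TARGET_TYPES and d.tclass in {"file", "dir", "lnk_file"}:
        return (f"{d.target}: target type {ttype} looks mislabelled; "
                f"compare with matchpathcon and run restorecon")
    if d.tclass == "tcp_socket" and ttype.endswith("_port_t"):
        hint = "semanage port -l"
        if stype == "httpd_t":
            hint += " or the httpd_can_network_connect boolean"
        return f"port {d.target}: labelled {ttype}; check {hint}"
    return "no obvious label problem; run audit2why before writing a custom module"


# Constructed sample: two file denials for a page moved in from a home
# directory (the second one after `setenforce 0`, hence permissive=1), one
# outbound connection to tcp/8080, and an unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { read open } for  pid=2201 comm="httpd" path="/var/www/html/report.html" dev="dm-0" ino=918 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:302): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/var/www/html/report.html" dev="dm-0" ino=918 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.110:303): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""

if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines():
        d = parse_avc(line)
        if d is not None:
            print(("logged-only " if d.permissive else "DENIED ") + triage(d))
    print("\n".join(allow_rules(summarise(SAMPLE_AUDIT_LOG))))
```

Feed it real data with `ausearch -m avc -ts recent` piped into the script instead of the constructed sample. The rendered rules are what `audit2allow -a` would print; for the sample they would grant httpd read access to every user_home_t file on the system, which is exactly why the triage step (relabel the file, check the port label, or enable a boolean) comes first.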
Conclusion
SELinux was developed by the National Security Agency (NSA) as a set of kernel modifications and user-space tools. It aims to provide a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC).