SELinux Introduction In CentOS 7

What is SELinux?

Security-Enhanced Linux (SELinux) was developed to provide access control for Linux. It goes beyond file permissions and ACLs to create a more secure environment by limiting access. It is based on subjects, objects, and actions. A subject is the running command or application (for example, proftpd), the object is anything that can be accessed by that subject, and the action is what the subject can do to that object.

Modes of Operation

There are three modes, each providing a different level of protection.

Enforcing – The configuration is actively enforced
Permissive – The configuration is monitored but not enforced
Disabled – The configuration is neither monitored nor enforced; essentially, SELinux is completely disabled

To change modes without a reboot, use setenforce, which switches between enforcing and permissive. For example, to make it permissive you would run

setenforce permissive

To change modes permanently, update /etc/selinux/config and set the SELINUX= line to the appropriate value.

# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing

A reboot will be needed to make the change take effect.
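Because setenforce changes only the running mode and /etc/selinux/config only the mode used at boot, the two can disagree. The following check is an added example, not part of the original article; the function names and verdict strings are hypothetical, and the sample config file is constructed.

```bash
#!/bin/bash
# Added example: detect drift between the runtime SELinux mode (changed with
# setenforce) and the persistent mode in /etc/selinux/config.

# Print the mode from the last uncommented SELINUX= line of a config file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Usage: selinux_mode_drift RUNTIME_MODE CONFIG_FILE
# Prints one verdict and returns 0 only when both sides are enforcing:
#   ok                runtime and config both enforcing
#   runtime-weakened  config enforcing, runtime is not (setenforce left behind)
#   config-weakened   runtime enforcing, config drops enforcement at next boot
#   not-enforcing     neither side enforces
#   config-invalid    no usable SELINUX= line in the file
selinux_mode_drift() {
    local runtime config
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    config=$(selinux_config_mode "$2")
    case "$config" in
        enforcing|permissive|disabled) ;;
        *) echo "config-invalid"; return 2 ;;
    esac
    if [ "$runtime" = enforcing ] && [ "$config" = enforcing ]; then
        echo "ok"; return 0
    elif [ "$config" = enforcing ]; then
        echo "runtime-weakened"
    elif [ "$runtime" = enforcing ]; then
        echo "config-weakened"
    else
        echo "not-enforcing"
    fi
    return 1
}

# Demo on a constructed config file (sample data, not taken from a real host).
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample"
selinux_mode_drift Permissive "$sample" || true
rm -f "$sample"

# On a real host: selinux_mode_drift "$(getenforce)" /etc/selinux/config
```

The non-zero exit status on any verdict other than ok lets the check run from cron or a configuration-management job and raise an alert.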

Configure Users

To list the current mappings of Linux logins to SELinux users, type the following:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

To map a Linux login to an SELinux user, replacing newusername with the login name:

semanage login -a -s user_u newusername

Boolean Settings

Boolean settings are either on (1) or off (0). They control access to numerous utilities and functions within the system.

To view all of the possible settings, type

getsebool -a

To enable or disable one of them, use setsebool. The change applies immediately but is lost at reboot unless the -P option is given.

setsebool <setting_name> on

or

setsebool <setting_name> off

We will be adding another section on file management which is another control system of SELinux shortly.
