Security-Enhanced Linux (SELinux) was developed to provide access control for linux. It goes beyond file permissions and ACLs to create a more secure environment by limiting access. It is based on subjects, objects, and actions. A subject is the running command or application(example proftpd), the object is anything that can be accessed by that object, and the action is what can be done to that object by the subject.<\/p>\n
There are 3 different modes that cause the protection to be different.<\/p>\n
Enforcing \u2013 The configuration will actively be enforced
\nPermissive \u2013 The configuration will be monitored but not enforced
\nDisabled \u2013 The configuration with neither be monitored or enforced, essentially the service is completely disabled<\/p>\n
To change modes without a reboot you would want to use setenforce, for example to make it permissive you would do<\/p>\n
setenforce permissive<\/p>\n
To change modes permanently you would want to update \/etc\/selinux\/config and uncomment the appropriate one.<\/p>\n
# SELINUX= can take one of these three values:
\n# enforcing – SELinux security policy is enforced.
\n# permissive – SELinux prints warnings instead of enforcing.
\n# disabled – No SELinux policy is loaded.
\nSELINUX=enforcing<\/p>\n
A reboot will be needed to make the change take effect.<\/p>\n
to check current users type the following:<\/p>\n
# semanage login -l<\/p>\n
Login Name SELinux User MLS\/MCS Range Service<\/p>\n
__default__ unconfined_u s0-s0:c0.c1023 *
\nroot unconfined_u s0-s0:c0.c1023 *
\nsystem_u system_u s0-s0:c0.c1023 *<\/p>\n
To add a new user, replacing newusername with the user<\/p>\n
semanage login -a -s user_u newusername<\/p>\n
Boolean settings are either turned on by setting them to a 1(on) or off (0), they give access to numerous utilities and functions within the system<\/p>\n
To view all of the possible settings type<\/p>\n
getsebool<\/p>\n
To enable or disable one of them use<\/p>\n
setsebool <setting_name> on<\/p>\n
or<\/p>\n
setsebool <setting_name> off<\/p>\n
We will be adding another section on file management which is another control system of SELinux shortly.<\/p>\n