
A Beginner’s Guide to SELinux on CentOS 10/11
SELinux (Security-Enhanced Linux) is a Mandatory Access Control (MAC) system originally developed by the NSA. Unlike Discretionary Access Control (DAC), the default permission model on Linux, SELinux adds a layer that confines processes and files to only what the loaded policy explicitly allows.
This guide will help you understand the basics of SELinux, including installation, configuration, troubleshooting, and policy management.
Understanding SELinux
1. SELinux States
SELinux can operate in one of the following states:
- Enabled: SELinux is active and a policy is loaded (in either enforcing or permissive mode).
- Disabled: SELinux is turned off.
To disable SELinux, edit the configuration file:
sudo nano /etc/selinux/config
Find the line that starts with SELINUX=, and change it to:
SELINUX=disabled
Save and exit, then reboot the system for the changes to take effect.
After rebooting, check the status:
sudo sestatus
If SELinux is disabled, the output reports SELinux status: disabled.
2. SELinux Modes
When SELinux is enabled, it can run in one of the following modes:
- Enforcing: SELinux strictly applies security policies and blocks unauthorized access.
- Permissive: SELinux logs policy violations but does not enforce them.
- Disabled: SELinux is completely turned off.
To check which mode is currently active:
sudo getenforce
To temporarily switch to permissive mode:
sudo setenforce 0
To switch back to enforcing mode:
sudo setenforce 1
To make the change permanent, edit the SELinux configuration file:
sudo nano /etc/selinux/config
Change the SELINUX directive to the mode you want, for example:
SELINUX=permissive
Save and exit, then reboot the system.
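The configured mode in /etc/selinux/config and the live mode reported by getenforce can disagree, typically when someone ran setenforce 0 for debugging and never reverted it. The following script is an added example, not part of the original guide: it reads the SELINUX= directive from a config file (ignoring the commented-out copies the stock file contains) and compares it with the live mode. The config content is constructed to mirror the stock file layout; the live mode is taken from getenforce when it exists and otherwise simulated.

```shell
#!/bin/sh
# Added example: detect drift between the persistent SELinux mode and the
# live mode. The sample config below is constructed to look like the stock
# /etc/selinux/config (comments, blank lines, SELINUXTYPE line).

# Print the value of the SELINUX= directive from the given config file.
# Comment lines ("# SELINUX=...") are ignored; the last active directive wins.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Compare the configured mode with the live mode (what "getenforce" prints,
# passed in as $2 so the check also runs on hosts without SELinux).
# Prints "ok" or "drift: configured=<x> live=<y>" and returns 1 on drift.
mode_drift() {
    cfg=$(configured_mode "$1")
    live=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cfg" = "$live" ]; then
        echo "ok"
        return 0
    fi
    echo "drift: configured=$cfg live=$live"
    return 1
}

# Constructed sample config (same shape as /etc/selinux/config).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted
EOF

# Live mode from getenforce when available; otherwise a constructed value
# that simulates a forgotten "setenforce 0".
LIVE=$(getenforce 2>/dev/null || echo Permissive)
mode_drift "$SAMPLE_CFG" "$LIVE" || true
```

On a real host, replace the constructed file with /etc/selinux/config; a non-zero return from mode_drift is what a monitoring check would alert on.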
Installing SELinux Packages
To manage SELinux policies and troubleshoot issues, install the necessary packages:
sudo yum install policycoreutils policycoreutils-python-utils setools setools-console setroubleshoot
- policycoreutils: Provides SELinux management tools.
- setools: Includes tools like sediff, seinfo, and sesearch for policy analysis.
- setroubleshoot: Helps diagnose SELinux issues.
Additionally, install:
sudo yum install setroubleshoot-server mcstrans
- setroubleshoot-server: Sends email notifications for SELinux policy violations.
- mcstrans: Translates SELinux MCS/MLS sensitivity labels (such as s0:c0) into human-readable text.
Managing SELinux Policies
1. Viewing Loaded Policies
To see all loaded SELinux policies, run:
sudo semodule -l
2. Checking Audit Logs for Violations
When SELinux blocks an action, it logs the details in:
/var/log/audit/audit.log
To analyze SELinux denials, use:
sudo sealert -a /var/log/audit/audit.log
Example output:
SELinux is preventing /usr/sbin/httpd from write access on the directory logs.
To allow this action, run:
semanage fcontext -a -t httpd_sys_rw_content_t 'logs'
restorecon -v 'logs'
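sealert is convenient, but on a busy server the raw audit.log is often easier to triage when the denials are first collapsed into distinct tuples. The script below is an added example, not part of the original guide or the setroubleshoot project: it reads type=AVC records, extracts the process name, the source and target types, the object class and the permission, and counts how often each combination occurs. The audit lines it parses are constructed for the example and follow the field layout auditd writes.

```shell
#!/bin/sh
# Added example: summarise AVC denials from an audit log without sealert.
# Each denial is reduced to "comm source-type target-type tclass permission"
# (plus "permissive" when the denial was only logged, not enforced) and then
# counted. The audit records below are constructed for this example.

SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="logs" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="httpd" name="logs" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000005.300:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.800:204): avc:  denied  { read } for  pid=2222 comm="sshd" name="authorized_keys" dev="dm-0" ino=9999 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
EOF

# Print one line per distinct denial, most frequent first:
#   "<count> <comm> <source type> <target type> <tclass> <perm> [permissive]"
# Only type=AVC records containing "denied" are considered.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""; comm = ""; st = ""; tt = ""; cls = ""; pm = ""
            # the permission sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
                else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "permissive") pm = (kv[2] == "1") ? "permissive" : ""
            }
            key = comm " " st " " tt " " cls " " perm
            if (pm != "") key = key " " pm
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Number of distinct denial tuples in the log.
distinct_denials() {
    summarize_avc "$1" | wc -l | tr -d ' '
}

summarize_avc "$SAMPLE_AUDIT"
```

Run it against /var/log/audit/audit.log (as root) to get the same summary for a real host. The source type, target type and class are exactly the inputs that sesearch needs when deciding whether a Boolean, a relabel, or a custom module is the right fix.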
SELinux Contexts
1. Understanding SELinux Contexts
Every file, user, and process in SELinux has a security context, which consists of:
- User: The SELinux user.
- Role: The assigned role for access control.
- Type: The type used in access policies (for files this is often called the label).
- Level: The MLS/MCS sensitivity level, which is s0 on the default targeted policy.
To view SELinux contexts of files:
ls -Z ~/
Example output:
drwxrwxr-x. example_user example_user unconfined_u:object_r:user_home_t:s0 example_dir
Here, unconfined_u:object_r:user_home_t:s0 is the SELinux security context: user unconfined_u, role object_r, type user_home_t and level s0.
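Most denials against files come down to a wrong type, so a quick way to use the context fields in practice is to check a directory listing for entries whose type is not the one expected there. The script below is an added example, not part of the original guide: it splits a context into its four fields (keeping MLS ranges such as s0-s0:c0.c1023 intact) and scans ls -Z style lines for mislabeled entries. The listing is constructed; it assumes the default ls -Z column order shown in the text (mode, user, group, context, name).

```shell
#!/bin/sh
# Added example: split a security context into its fields and use the type
# field to audit "ls -Z" output for mislabeled files. The listing below is
# constructed for this example.

# Print the four fields of a context (user role type level), space-separated.
# The level may itself contain colons (MLS ranges like s0-s0:c0.c1023), so
# only the first three colons are treated as separators.
context_fields() {
    printf '%s\n' "$1" | awk -F: '{
        level = $4
        for (i = 5; i <= NF; i++) level = level ":" $i
        print $1, $2, $3, level
    }'
}

# Extract the type component only.
context_type() {
    context_fields "$1" | awk '{ print $3 }'
}

# Read ls -Z style lines on stdin and print the names of entries whose type
# is not the expected one ($1). Assumes the default ls -Z layout:
# mode user group context name.
find_mislabeled() {
    expected="$1"
    awk -v want="$expected" '{
        split($4, c, ":")
        if (c[3] != want) print $5
    }'
}

# Constructed listing of a web root; one file was copied in from a home
# directory and kept its user_home_t label.
SAMPLE_LISTING='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 css
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. alice alice unconfined_u:object_r:user_home_t:s0 upload.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 robots.txt'

context_fields "unconfined_u:object_r:user_home_t:s0"
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled httpd_sys_content_t
```

On a live system, `ls -Z /var/www/html | find_mislabeled httpd_sys_content_t` lists the files that restorecon would relabel; the file it reports here (upload.html) is the kind of entry behind the "write access on the directory logs" denial shown earlier.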
SELinux Boolean Variables
1. Viewing SELinux Booleans
SELinux Booleans toggle optional parts of the loaded policy at runtime, so behaviour can be adjusted without writing or loading a new policy module. To view all Booleans:
sudo getsebool -a
To filter only Apache-related Booleans:
sudo getsebool -a | grep "httpd_can"
Example output:
httpd_can_network_connect --> off
httpd_can_sendmail --> off
2. Modifying SELinux Booleans
To allow httpd (and scripts it runs) to make outbound network connections, set the Boolean on; the -P flag makes the change persistent across reboots:
sudo setsebool -P httpd_can_network_connect on
Verify the change:
sudo getsebool -a | grep "httpd_can"
Example output:
httpd_can_network_connect --> on
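Because setsebool -P is persistent and easy to run in a hurry, Booleans tend to drift from what was intended. The script below is an added example, not part of the original guide: it compares getsebool -a style output against a baseline file of desired states and reports every Boolean that differs or is missing. Both the sample getsebool output and the baseline are constructed for the example.

```shell
#!/bin/sh
# Added example: compare live Boolean state with a desired baseline and
# report deviations. Input has the "name --> on|off" shape of getsebool -a;
# the sample output and the baseline are constructed for this example.

SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Desired state, one "name state" pair per line. Booleans not listed are
# left alone, so the baseline can be partial.
BASELINE_FILE=$(mktemp)
cat > "$BASELINE_FILE" <<'EOF'
httpd_can_network_connect off
httpd_can_sendmail off
httpd_enable_homedirs off
httpd_can_network_relay off
EOF

# Read getsebool output on stdin and the baseline from the file in $1.
# Prints one line per deviation:
#   "<name> is <actual>, baseline wants <wanted>"
# and "<name> not found" for baseline entries absent from the output.
boolean_drift() {
    awk '
        # first file: baseline (NR == FNR only while reading it)
        NR == FNR { if ($1 != "") want[$1] = $2; next }
        # second input (stdin): live state
        $2 == "-->" { actual[$1] = $3 }
        END {
            for (name in want) {
                if (!(name in actual)) print name, "not found"
                else if (actual[name] != want[name])
                    print name, "is", actual[name] ",", "baseline wants", want[name]
            }
        }
    ' "$1" - | sort
}

printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift "$BASELINE_FILE"
```

On a live host, `getsebool -a | boolean_drift /path/to/baseline` gives the same report; a "not found" line usually means the baseline names a Boolean that does not exist in the loaded policy (a typo, or a Boolean from a different policy version). The NR == FNR idiom assumes the baseline file is not empty.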
Conclusion
You now have a basic understanding of SELinux on CentOS 10/11. By learning how to install, configure, and manage SELinux policies, you can improve system security while troubleshooting common issues effectively.