A Beginner’s Guide to SELinux on CentOS 10/11

SELinux (Security-Enhanced Linux) is a Mandatory Access Control (MAC) system originally developed by the NSA. Unlike Discretionary Access Control (DAC), the standard Linux permission model, SELinux adds a second layer of checks: an action is denied unless the loaded policy explicitly allows it.

This guide will help you understand the basics of SELinux, including installation, configuration, troubleshooting, and policy management.


Understanding SELinux

1. SELinux States

SELinux can operate in one of the following states:

  • Enabled: SELinux is active and enforcing security policies.
  • Disabled: SELinux is turned off.

To disable SELinux, edit the configuration file:

sudo nano /etc/selinux/config

Find the line that starts with SELINUX=, and change it to:

SELINUX=disabled

Save and exit, then reboot the system for the changes to take effect.

After rebooting, check the status:

sudo sestatus

If SELinux is disabled, the first line of the output, SELinux status:, reads disabled.


2. SELinux Modes

When SELinux is enabled, it can run in one of the following modes:

  • Enforcing: SELinux strictly applies security policies and blocks unauthorized access.
  • Permissive: SELinux logs policy violations but does not enforce them.
  • Disabled: SELinux is completely turned off.

To check which mode is currently active:

sudo getenforce

To temporarily switch to permissive mode:

sudo setenforce 0

To switch back to enforcing mode:

sudo setenforce 1

To make the change permanent, edit the SELinux configuration file:

sudo nano /etc/selinux/config

Change the SELINUX directive to:

SELINUX=permissive

Save and exit, then reboot the system.


Installing SELinux Packages

To manage SELinux policies and troubleshoot issues, install the necessary packages:

sudo dnf install policycoreutils policycoreutils-python-utils setools setools-console setroubleshoot

  • policycoreutils / policycoreutils-python-utils: Provide the SELinux management tools (semanage, restorecon, semodule, and others).
  • setools / setools-console: Include tools like sediff, seinfo, and sesearch for policy analysis.
  • setroubleshoot: Helps diagnose SELinux denials.

Additionally, install:

sudo dnf install setroubleshoot-server mcstrans

  • setroubleshoot-server: Runs the daemon behind sealert and can send email notifications for SELinux policy violations.
  • mcstrans: Translates the sensitivity levels in SELinux labels into human-readable text.

Managing SELinux Policies

1. Viewing Loaded Policies

To see all loaded SELinux policies, run:

sudo semodule -l


2. Checking Audit Logs for Violations

When SELinux blocks an action, it logs the details in:

/var/log/audit/audit.log

To analyze SELinux denials, use:

sudo sealert -a /var/log/audit/audit.log

Example output:

SELinux is preventing /usr/sbin/httpd from write access on the directory logs.

sealert also prints a suggested fix. For this denial it is to relabel the directory so that httpd may write to it:

semanage fcontext -a -t httpd_sys_rw_content_t 'logs'
restorecon -v 'logs'
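The audit log is the raw record behind sealert's summaries. The script below is an added example, not part of the original guide: it reads audit.log records from stdin, picks out the AVC denials, and counts them by source domain, permission, target type and object class, while also showing whether each denial was enforced (permissive=0) or only logged (permissive=1, i.e. permissive mode). The log lines it runs on are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise SELinux AVC denials.
set -eu

# Constructed sample of audit.log records; not captured from a real host.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1201 comm="httpd" name="logs" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.205:202): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.310:203): avc:  denied  { write } for  pid=1202 comm="httpd" name="logs" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.415:204): avc:  denied  { write } for  pid=1203 comm="httpd" name="logs" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1'

# Reads audit records on stdin and prints one line per distinct
# (source type, permissions, target type, class, mode), most frequent first.
# Non-AVC records (SYSCALL, CWD, PATH, ...) are skipped.
summarize_avc() {
    awk '
    /^type=AVC / {
        perm = ""; src = ""; tgt = ""; cls = ""; mode = "unknown"; inbrace = 0
        for (i = 1; i <= NF; i++) {
            # permissions are listed between "{" and "}", possibly several
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perm = (perm == "") ? $i : (perm "+" $i); continue }
            split($i, kv, "=")
            # context is user:role:type:level; the type (3rd field) is what policy rules key on
            if (kv[1] == "scontext")   { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")     cls = kv[2]
            if (kv[1] == "permissive") mode = (kv[2] == "1") ? "logged-only" : "enforced"
        }
        count[src " " perm " " tgt " " cls " " mode]++
    }
    END { for (k in count) print count[k] " x " k }' | sort -rn
}

# Run against the constructed sample. On a real CentOS host use:
#   sudo cat /var/log/audit/audit.log | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

A "logged-only" line means the system was in permissive mode at the time, so the access actually went through; those are the denials that will start blocking once you return to enforcing.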


SELinux Contexts

1. Understanding SELinux Contexts

Every file, process, and user on an SELinux system carries a security context (label) made up of these fields:

  • User: The SELinux user.
  • Role: The assigned role for access control.
  • Type: The type used in access policy rules.
  • Level: The MLS/MCS sensitivity level (s0 in the example below).

To view SELinux contexts of files:

ls -Z ~/

Example output:

drwxrwxr-x. example_user example_user unconfined_u:object_r:user_home_t:s0 example_dir

Here, unconfined_u:object_r:user_home_t:s0 is the SELinux security context: user unconfined_u, role object_r, type user_home_t, level s0. The type field is the one most policy rules key on.


SELinux Boolean Variables

1. Viewing SELinux Booleans

SELinux Booleans let you toggle optional parts of the loaded policy at runtime without writing or rebuilding policy modules. To view all Booleans and their current values:

sudo getsebool -a

To filter only Apache-related Booleans:

sudo getsebool -a | grep "httpd_can"

Example output:

httpd_can_network_connect --> off
httpd_can_sendmail --> off


2. Modifying SELinux Booleans

To allow httpd and the scripts it runs to make outbound network connections, and to keep that setting across reboots (-P writes it to the persistent policy store):

sudo setsebool -P httpd_can_network_connect on

Verify the change:

sudo getsebool -a | grep "httpd_can"

Example output:

httpd_can_network_connect --> on


Conclusion

You now have a basic understanding of SELinux on CentOS 10/11. By learning how to install, configure, and manage SELinux policies, you can improve system security while troubleshooting common issues effectively.