SELinux

SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. However, it is turned off by default on a RHEL / CentOS 5.x server. How do I turn it on?

SELinux is a kernel security extension that can be used to guard against misconfigured or compromised programs. It comes with a Mandatory Access Control (MAC) system that improves on the traditional UNIX/Linux DAC (Discretionary Access Control) model.

How Do I Enable SELinux under Redhat / Fedora and CentOS Linux Systems?

To edit the /etc/selinux/config file, run:
# vi /etc/selinux/config

Update the configuration file as follows:

SELINUX=enforcing
SELINUXTYPE=targeted

Understanding SELinux Configuration

SELINUX=enforcing : Enforcing is the default mode, which enables and enforces the SELinux security policy on Linux. It also denies unauthorized access and logs the actions in a log file.
SELINUXTYPE=targeted : Only targeted network daemons (such as DNS, Apache and others) are protected.

Save and close the file. Make sure SELinux is not disabled by the Grub boot loader. Search the /boot/grub/grub.conf file using grep and make sure no line containing selinux=0 or enforcing=0 appears:
# egrep -i 'selinux=0|enforcing=0' /boot/grub/grub.conf

If you found lines with selinux=0 or enforcing=0, remove them and save the changes.
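Both files can be checked together before the reboot; the script below is an added example, not part of the original article, and unlike the egrep search it ignores commented-out lines and does not confuse SELINUX= with SELINUXTYPE=. The function names are hypothetical, the sample files are constructed, and it assumes the GRUB legacy `kernel` line layout of /boot/grub/grub.conf.

```sh
#!/bin/sh
# Added example: pre-reboot check of the SELinux config and GRUB legacy config.
# Function names are hypothetical; pass copies of the files to try it safely.

# Print the value of the first line that starts with KEY= (comments never match).
selinux_cfg_value() {  # usage: selinux_cfg_value KEY FILE
    awk -F= -v key="$1" '
        $1 == key && !found { v = $2; sub(/[ \t\r]+$/, "", v); print v; found = 1 }
    ' "$2"
}

# Print LINE:ARG for every uncommented kernel line carrying selinux=0 or enforcing=0.
grub_selinux_overrides() {  # usage: grub_selinux_overrides FILE
    awk '
        /^[ \t]*#/ { next }
        $1 == "kernel" {
            for (i = 2; i <= NF; i++) {
                a = tolower($i)
                if (a == "selinux=0" || a == "enforcing=0") print NR ":" a
            }
        }
    ' "$1"
}

# Return 0 only when the config asks for enforcing/targeted and no kernel line overrides it.
selinux_preflight() {  # usage: selinux_preflight CONFIG GRUBCONF
    rc=0
    mode=$(selinux_cfg_value SELINUX "$1")
    ptype=$(selinux_cfg_value SELINUXTYPE "$1")
    [ "$mode" = "enforcing" ] || { echo "SELINUX=${mode:-unset}, expected enforcing"; rc=1; }
    [ "$ptype" = "targeted" ] || { echo "SELINUXTYPE=${ptype:-unset}, expected targeted"; rc=1; }
    over=$(grub_selinux_overrides "$2")
    [ -z "$over" ] || { echo "kernel line override(s) in $2: $over"; rc=1; }
    return "$rc"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '# SELINUX=disabled' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$demo/config"
printf '%s\n' 'title CentOS' '  kernel /vmlinuz ro root=LABEL=/ selinux=0' > "$demo/grub.conf"
selinux_preflight "$demo/config" "$demo/grub.conf" || echo "fix the findings before rebooting"
```

On a real host, call `selinux_preflight /etc/selinux/config /boot/grub/grub.conf` as root.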

Prepare File System For The Reboot

The chcon command can be used to change the SELinux security context of a file. However, it is recommended that you relabel the complete filesystem.

Restore Default Security Contexts

Type the following command to restore default security contexts for /home:
# restorecon -Rv -n /home

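The -n option makes restorecon only report the files whose context would change, without relabeling them; drop -n to apply the changes. You can run this on the root (/) file system too.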

Relabel Complete Filesystem

Do not skip this step. Type the following commands to schedule a relabel and reboot the system:
# touch /.autorelabel
# reboot

It will take some time to relabel the complete filesystem. If you get any errors, or common services such as mysqld or sshd fail, try the following solution (go to single user mode):
# init 1
# genhomedircon
# touch /.autorelabel
# reboot

Make Sure SELinux is Properly Enabled

Type the following command:
# sestatus

Sample outputs:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

How Do I Print Full List Of Allowed Network Ports?

Type the following commands:
# semanage port -l
# semanage port -l | less
#### look for port 80 ####
# semanage port -l | grep -w 80

How Do I Allow Lighttpd / Apache / Nginx At Port 8181?

By default SELinux will block access to many ports, including 8181. You need to allow access to port 8181 so that the web server can bind to it and listen for incoming requests on a non-privileged port. Use the semanage command as follows:
# semanage port -a -t http_port_t -p tcp 8181
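`grep -w 80` only finds ports that are listed literally, so a port that falls inside a range is missed. This added example (not from the original article) resolves a port against `semanage port -l` output, ranges included, and reports whether a type already covers it before you run `semanage port -a`; the function names are hypothetical and the listing is constructed in the layout semanage prints.

```sh
#!/bin/sh
# Added example: look up a port in `semanage port -l` output, including ranges.

# Constructed listing in the column layout of `semanage port -l` (not a real policy dump).
sample_ports() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
reserved_port_t                tcp      1-511
reserved_port_t                udp      1-511
ssh_port_t                     tcp      22
EOF
}

# Read the listing on stdin; print every type whose PROTO entry covers PORT,
# either as a literal port or inside a LOW-HIGH range.
port_types() {  # usage: semanage port -l | port_types PROTO PORT
    awk -v proto="$1" -v port="$2" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Succeed when TYPE does not yet cover PROTO/PORT in the listing on stdin.
needs_label() {  # usage: semanage port -l | needs_label TYPE PROTO PORT
    ! port_types "$2" "$3" | grep -qx "$1"
}

echo "types covering 80/tcp: $(sample_ports | port_types tcp 80 | tr '\n' ' ')"
if sample_ports | needs_label http_port_t tcp 8181; then
    echo "8181/tcp is not in http_port_t: semanage port -a -t http_port_t -p tcp 8181"
fi
```

On a real host, replace `sample_ports` with `semanage port -l`.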

How Do I Find Out Unprotected Services?

Type the following command:
# ps -eZ | egrep "initrc" | egrep -vw "ps|tr|egrep|awk|bash" | tr ':' ' ' | awk '{ print $NF }'

You should not see any output on fully configured SELinux systems.

How Do I See SELinux Labels?

Type the following command:
# ls -lZ /path/to/file
# ls -lZd /path/to/dir
# ls -lZd /etc
# ls -lZ /dev/ | grep deviceName
# ls -lZ /etc/resolv.conf

Sample outputs:

-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf

Troubleshooting SELinux Policy Errors

SELinux is a fairly complicated piece of kernel software, and it takes time to fix errors. Use the following tools to find and debug SELinux policy problems (refer to your local man pages):

ps -Z -p PID
ls -Z fileName
ausearch
restorecon
semodule
audit2allow

Log files: /var/log/audit/audit.log and /var/log/setroubleshoot/setroubleshootd.log
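Reading the denials in /var/log/audit/audit.log shows which of the fixes on this page applies; the script below is an added example, not part of the original article, that condenses AVC records to one line each. The function names are hypothetical, the log lines are constructed, and the last column is a heuristic of this example: a name_bind denial points at the port label, a file or dir denial at the file label.

```sh
#!/bin/sh
# Added example: summarise AVC denials from audit.log.

# Constructed audit.log records in the AVC layout (not from a real host).
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1300000000.101:41): avc:  denied  { name_bind } for  pid=2301 comm="lighttpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1300000000.101:41): arch=c000003e syscall=49 success=no exit=-13 comm="lighttpd" exe="/usr/sbin/lighttpd"
type=AVC msg=audit(1300000050.220:57): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=sda1 ino=81234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Print: comm perms source_type target_type class object hint
# (comm values containing spaces are not handled.)
avc_denials() {  # usage: avc_denials < /var/log/audit/audit.log
    awk '
        function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
        function typ(s, a) { split(val(s), a, ":"); return a[3] }
        $1 == "type=AVC" && $4 == "denied" {
            perms = ""; comm = ""; obj = "-"; st = ""; tt = ""; cls = ""
            # Permissions sit between "{" (field 5) and "}".
            for (i = 6; i <= NF && $i != "}"; i++)
                perms = perms (perms == "" ? "" : ",") $i
            for (; i <= NF; i++) {
                if ($i ~ /^comm=/) comm = val($i)
                else if ($i ~ /^(src|name)=/) obj = val($i)
                else if ($i ~ /^scontext=/) st = typ($i)
                else if ($i ~ /^tcontext=/) tt = typ($i)
                else if ($i ~ /^tclass=/) cls = val($i)
            }
            hint = "review"
            if (perms ~ /name_bind/) hint = "check-port-label"
            else if (cls == "file" || cls == "dir") hint = "check-file-label"
            print comm, perms, st, tt, cls, obj, hint
        }'
}

sample_audit | avc_denials
```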
===========================================================

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
