SELinux

SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. However, what if it is turned off by default on your RHEL / CentOS 5.x server? How do I turn it on?

SELinux is a kernel security extension that can be used to guard against misconfigured or compromised programs. It comes with a Mandatory Access Control (MAC) system that supplements the traditional UNIX/Linux Discretionary Access Control (DAC) model.

How Do I Enable SELinux under Redhat / Fedora and CentOS Linux Systems?

Edit the /etc/selinux/config file:
# vi /etc/selinux/config

Update the configuration file as follows:

SELINUX=enforcing
SELINUXTYPE=targeted

Understanding SELinux Configuration

SELINUX=enforcing : Enforcing is the default mode. It enables the SELinux security policy and enforces it on the Linux system, denying unauthorized access and logging those actions to a log file.
SELINUXTYPE=targeted : Only targeted network daemons (such as DNS, Apache and others) are protected; other processes run as they would without SELinux.
Save and close the file. Make sure SELinux is not being disabled by the GRUB boot loader. Search the /boot/grub/grub.conf file with grep and make sure neither of the following kernel parameters appears:
# egrep -i 'selinux=0|enforcing=0' /boot/grub/grub.conf

If you find lines containing selinux=0 or enforcing=0, remove those parameters and save the changes.
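The two checks above (the config file and the GRUB kernel line) are easy to get wrong by hand, so here they are as shell functions. This is an added example, not code from the original post; the function names are mine and the sample config and grub.conf files are constructed inline so it runs without touching a real system.

```shell
# Added example, not code from the original post: pre-reboot checks for the two
# places the post says SELinux can be switched off, /etc/selinux/config and the
# kernel line in /boot/grub/grub.conf. File paths are arguments so the functions
# can be tried against the constructed sample files created further down.

# Print the effective value of KEY in a KEY=VALUE config file, ignoring
# comments, surrounding whitespace and lines for keys that merely share a prefix.
config_value() {
    # $1 = config file, $2 = key (SELINUX or SELINUXTYPE)
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed only when the config file asks for enforcing mode with the targeted policy.
selinux_config_ok() {
    [ "$(config_value "$1" SELINUX)" = "enforcing" ] &&
    [ "$(config_value "$1" SELINUXTYPE)" = "targeted" ]
}

# Print kernel lines that turn SELinux off (selinux=0) or make it permissive
# (enforcing=0). Only "kernel ..." lines are checked so a comment mentioning
# the parameter does not count; exit status 0 means at least one was found.
grub_disables_selinux() {
    grep -Ei '^[[:space:]]*kernel[[:space:]].*(selinux=0|enforcing=0)' "$1"
}

# Overall verdict to take before touching /.autorelabel and rebooting.
ready_to_enable() {
    # $1 = selinux config file, $2 = grub.conf
    selinux_config_ok "$1" && ! grub_disables_selinux "$2" >/dev/null
}

# Constructed sample files (the kernel version string is made up for the example).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/config.good" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/config.bad" <<'EOF'
SELINUX=disabled   # left over from the install
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/grub.good" <<'EOF'
default=0
title CentOS (2.6.18-sample)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-sample ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-sample.img
EOF
cat > "$SAMPLE_DIR/grub.bad" <<'EOF'
default=0
title CentOS (2.6.18-sample)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-sample ro root=/dev/VolGroup00/LogVol00 selinux=0
        initrd /initrd-2.6.18-sample.img
EOF

# Usage on the samples; on a real host pass /etc/selinux/config and
# /boot/grub/grub.conf instead.
if ready_to_enable "$SAMPLE_DIR/config.good" "$SAMPLE_DIR/grub.good"; then
    echo "config.good + grub.good: safe to touch /.autorelabel and reboot"
fi
if grub_disables_selinux "$SAMPLE_DIR/grub.bad"; then
    echo "grub.bad: remove selinux=0 from the kernel line printed above"
fi
```

The grub check deliberately matches only lines that begin with the kernel directive, so a commented-out parameter does not produce a false positive; the config parser takes the last definition of a key, which is what the init scripts effectively do when a key appears twice.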

Prepare File System For The Reboot

The chcon command can be used to change the SELinux security context of a single file. However, after enabling SELinux it is recommended that you relabel the complete filesystem.

Restore Default Security Contexts

Type the following command to see which default security contexts restorecon would restore under /home (the -n option only reports what would change and does not modify any label; drop it to apply the changes):
# restorecon -Rv -n /home

You can run this on the root (/) file system too.

Relabel Complete Filesystem

Do not skip this step before rebooting the system. Type the following commands:
# touch /.autorelabel
# reboot

It will take some time to relabel the complete filesystem. If you get errors, or common services such as mysqld or sshd fail to start, try the following (drop to single-user mode first):
# init 1
# genhomedircon
# touch /.autorelabel
# reboot

Make Sure SELinux is Properly Enabled

Type the following command:
# sestatus

Sample outputs:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

How Do I Print Full List Of Allowed Network Ports?

Type the following commands:
# semanage port -l
# semanage port -l | less
#### look for port 80 ####
# semanage port -l | grep -w 80

How Do I Allow Lighttpd / Apache / Nginx At Port 8181?

By default SELinux will block access to many ports, including 8181. You need to label port 8181 with the http_port_t type so that the web server is allowed to bind and listen for incoming requests on this non-standard port. Use the semanage command as follows:
# semanage port -a -t http_port_t -p tcp 8181
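Before and after running that semanage command it helps to be able to answer "which type does this port have right now?" without reading the whole listing. The following is an added example, not the post's own code: a parser for output in the format `semanage port -l` prints, with both listings constructed inline (trimmed to a few lines) and the function names being mine.

```shell
# Added example, not from the original post: find out which SELinux port type a
# protocol/port pair currently has, by parsing output in the format printed by
# `semanage port -l`. Both listings below are constructed and trimmed to a few
# lines; on a live host run `semanage port -l | port_type_for tcp 8181` instead.

# Print every type whose port list covers PROTO PORT. Entries may be single
# ports ("80,") or ranges ("32768-61000"); the header line is skipped because
# its second column is not a protocol. Usage: port_type_for tcp 8181 < listing
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                n = split(item, r, "-")
                lo = r[1]
                hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }'
}

# Succeed when PROTO PORT is labelled TYPE, e.g. port_allowed tcp 8181 http_port_t
port_allowed() {
    port_type_for "$1" "$2" | grep -qx "$3"
}

# Constructed listing before the semanage command from the post is run.
LISTING_BEFORE=$(cat <<'EOF'
SELinux Port Type              Proto    Port Number
dns_port_t                     tcp      53
dns_port_t                     udp      53
ephemeral_port_t               tcp      32768-61000
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306
ssh_port_t                     tcp      22
EOF
)

# Constructed listing after `semanage port -a -t http_port_t -p tcp 8181`:
# the local addition shows up merged into the http_port_t line.
LISTING_AFTER=$(cat <<'EOF'
SELinux Port Type              Proto    Port Number
dns_port_t                     tcp      53
dns_port_t                     udp      53
ephemeral_port_t               tcp      32768-61000
http_port_t                    tcp      8181, 80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306
ssh_port_t                     tcp      22
EOF
)

for listing in "$LISTING_BEFORE" "$LISTING_AFTER"; do
    if printf '%s\n' "$listing" | port_allowed tcp 8181 http_port_t; then
        echo "tcp/8181 is labelled http_port_t: the web server may bind it"
    else
        echo "tcp/8181 has no http_port_t label: a web server binding it would be denied"
    fi
done
```

Range entries matter: a port that falls inside ephemeral_port_t's range is reported as such, which is why `semanage port -l | grep -w 8181` alone can miss the type that actually applies.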

How Do I Find Out Unprotected Services?

Type the following command:
# ps -eZ | egrep "initrc" | egrep -vw "ps|tr|egrep|awk|bash" | tr ':' ' ' | awk '{ print $NF }'

You should not see any output on a fully configured SELinux system: any process listed here is still running in the generic initrc_t domain instead of its own confined domain.
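The sestatus check earlier and the ps -eZ check above are the two things to verify after the reboot, so here they are as functions with exit codes. This is an added example, not code from the original post; the sestatus and ps -eZ samples are constructed (PIDs made up) and the function names are mine.

```shell
# Added example, not from the original post: turn the two eyeball checks above
# (sestatus output, and the ps -eZ pipeline for processes still in initrc_t) into
# functions with exit codes. The sestatus and ps samples are constructed; on a
# live host use `sestatus | selinux_enforcing` and `ps -eZ | initrc_processes`.

# Succeed only when SELinux is enabled, currently enforcing, and the running mode
# matches the config file (a mismatch means setenforce was used or a reboot is
# still pending). Reads sestatus output on stdin.
selinux_enforcing() {
    awk -F': *' '
        $1 == "SELinux status"        { status = $2 }
        $1 == "Current mode"          { current = $2 }
        $1 == "Mode from config file" { config = $2 }
        END {
            if (status == "enabled" && current == "enforcing" && current == config) exit 0
            exit 1
        }'
}

# Print the command name of every process whose domain is initrc_t, i.e. a
# service that was started by an init script but never transitioned into its
# own confined domain. Reads ps -eZ output on stdin; the header line is skipped.
initrc_processes() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[3] == "initrc_t") print $NF }'
}

# Constructed sestatus output (same shape as the sample in the post).
SESTATUS_OK='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# Constructed output of a host where someone ran "setenforce 0" after boot.
SESTATUS_PERMISSIVE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# Constructed ps -eZ output; PIDs are made up.
PS_SAMPLE='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:httpd_t        2201 ?        00:00:00 httpd
system_u:system_r:initrc_t       2345 ?        00:00:00 mysqld_safe
user_u:system_r:unconfined_t     3001 pts/0    00:00:00 bash'

for sample in "$SESTATUS_OK" "$SESTATUS_PERMISSIVE"; do
    if printf '%s\n' "$sample" | selinux_enforcing; then
        echo "sestatus: enforcing, as configured"
    else
        echo "sestatus: NOT enforcing, or mode differs from /etc/selinux/config"
    fi
done
echo "services still in initrc_t (should be empty on a fully configured system):"
printf '%s\n' "$PS_SAMPLE" | initrc_processes
```

Comparing "Current mode" against "Mode from config file" is the part the post's sample output does not spell out: a host can report enabled and still be permissive until the next reboot, and that is exactly the state a monitoring check should flag.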

How Do I See SELinux Labels?

Type the following command:
# ls -lZ /path/to/file
# ls -lZd /path/to/dir
# ls -lZd /etc
# ls -lZ /dev/ | grep deviceName
# ls -lZ /etc/resolv.conf

Sample outputs:

-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf

Troubleshooting SELinux Policy Errors

SELinux is a fairly complicated piece of kernel software, and fixing policy errors takes time. Use the following tools to find and debug SELinux policy problems (refer to your local man pages):

ps -Z -p PID
ls -Z fileName
ausearch
restorecon
semodule
audit2allow

Log files: /var/log/audit/audit.log and /var/log/setroubleshoot/setroubleshootd.log
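Most troubleshooting starts with the AVC records in /var/log/audit/audit.log, and the first useful step is to collapse them into counts per (domain, permission, target type). The following is an added example, not code from the original post: a summariser for audit.log lines, with the sample records constructed inline (timestamps and PIDs made up) and the function name being mine.

```shell
# Added example, not from the original post: summarise the AVC denials in an
# audit.log so troubleshooting starts from "which domain was denied which
# permission on which type" instead of raw lines. The log lines below are
# constructed in the format auditd writes (timestamps and PIDs are made up);
# on a live host run `avc_summary < /var/log/audit/audit.log` or
# `ausearch -m avc | avc_summary`.

# Print "count comm source_type permission target_type class", most frequent
# first. Only type=AVC records that say "denied" are counted; granted AVCs and
# SYSCALL records are ignored.
avc_summary() {
    awk '
        /^type=AVC / && /avc: *denied/ {
            s = index($0, "{"); e = index($0, "}")
            perm = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perm)
            comm = src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
                else if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
                else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
                else if (kv[1] == "tclass")   { cls = kv[2] }
            }
            count[comm " " src " " perm " " tgt " " cls]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed audit.log excerpt: a web server that was denied binding to an
# unlabelled port three times and denied reading a file in a home directory once.
AUDIT_SAMPLE='type=AVC msg=audit(1300000000.101:201): avc:  denied  { name_bind } for  pid=2201 comm="httpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1300000000.101:201): arch=40000003 syscall=102 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1300000000.102:202): avc:  denied  { name_bind } for  pid=2201 comm="httpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.103:203): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.104:204): avc:  denied  { name_bind } for  pid=2201 comm="httpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

printf '%s\n' "$AUDIT_SAMPLE" | avc_summary
```

The summary separates the two kinds of fix the post mentions: a name_bind denial on a port type points at a semanage port change, while a file denial on a wrong type points at restorecon (or chcon) on the file, and only what is left after those should go anywhere near audit2allow.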
===========================================================

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html


42 thoughts on “SELinux”

  1. Have you noticed the news has changed its approach recently? What once seemed like a never discussed issue has become more prevalent. Frankly it is about time we see a change.

  2. great post… very useful

  3. Greetings thanks for excellent submit i used to be looking for this situation survive 2 nights. I’ll search for up coming precious posts. Have entertaining admin.

  4. hey admin thanks for fantastic and simple understandable publish i loved your blog site internet site definitely very much bookmarked also

  5. Wonderful publish admin! i bookmarked your internet weblog. i’ll glimpse ahead in case you will have an e-mail listing adding.

  6. Wow, amazing blog layout! How long have you been blogging for? you made blogging look easy. The overall look of your web site is excellent, as well as the content!. Thanks For Your article about SELinux Linux System Administration .

  7. I simply want to say I am new to blogging and honestly savored your web-site. Very likely I’m planning to bookmark your site. You actually have fantastic articles and reviews. Thanks a bunch for sharing with us your web-site.

  8. I just want to mention I am just very new to blogging and seriously liked your website. Likely I’m going to bookmark your blog post . You certainly have awesome articles. Thanks for sharing your web page.

  9. very handful of sites that take place to become detailed beneath, from our point of view are undoubtedly nicely really worth checking out

  10. Wow, incredible blog layout! How long have you been blogging for? you made blogging look easy. The overall look of your website is wonderful, as well as the content!. Thanks For Your article about SELinux | Linux System Administration .

  11. I simply want to tell you that I’m very new to weblog and seriously liked your web site. Almost certainly I’m likely to bookmark your blog . You amazingly come with wonderful writings. Thanks for sharing with us your webpage.

  12. When I first saw this title SELinux | Linux System Administration on google I just went and bookmarked it. Hi there. Very cool web site!! Guy .. Beautiful .. Wonderful .. I will bookmark your blog and take the feeds additionally… I’m glad to locate a lot of useful information right here within the article. Thank you for sharing..

  13. I was very pleased to find this web-site. I wanted to thank you for your time for this wonderful read!! I am definitely enjoying every little bit of it and I have you bookmarked to check out new stuff you blog post.

  14. What’s up! I simply wish to give a huge thumbs up for the great information you’ve right here on this post. I will probably be coming back to your blog for extra soon..

  15. Woah! I’m really loving the template/theme of this website. It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between usability and appearance. I must say you’ve done a very good job with this. Additionally, the blog loads very quick for me on Chrome. Excellent Blog!

  16. Wow, marvelous blog layout! How long have you been blogging for? you made blogging look easy. The overall look of your website is magnificent, let alone the content!. Thanks For Your article about SELinux | Linux System Administration .

  17. I simply want to say I am all new to blogging and site-building and actually enjoyed your web-site. More than likely I’m going to bookmark your website . You certainly have wonderful well written articles. Bless you for revealing your web site.

  18. Fantastic internet website. A lot of useful info below. I am sending that to a couple of friends and also sharing in delightful. And clearly, thanks in your perspiration!

  19. I simply want to mention I am just very new to blogs and truly liked your web blog. More than likely I want to bookmark your blog post. You really have awesome posts. Cheers for revealing your web-site.

  20. I just want to mention I’m all new to weblog and definitely liked your blog site. Most likely I’m likely to bookmark your blog post . You actually have terrific articles. With thanks for sharing with us your web site.

  21. Thanks for taking the time to discuss this, I feel strongly about it as well because I love understanding more about this topic. If feasible, while you acquire expertise, would you mind upgrading your blog with more info? It’s extremely ideal for me.

  22. I simply want to tell you that I’m beginner to blogging and definitely enjoyed your web blog. Likely I’m likely to bookmark your blog post . You actually have impressive writings. Many thanks for sharing your website page.

  23. My brother suggested I might like this blog. He was
    entirely right. This post truly made my day. You can not imagine just how much time I had spent for this info!
    Thanks!

  24. I don’t even know how I ended up here, but I thought this post was good. I don’t know who
    you are but definitely you are going to a famous blogger
    if you are not already 😉 Cheers!

  25. Pingback: makia julpo

  26. Pingback: RamRhnXtDE

  27. Very handful of web-sites that happen to be detailed below, from our point of view are undoubtedly nicely really worth checking out.

  28. I like what you guys are up also. Such clever work and reporting! Keep up the superb works guys I’ve incorporated you guys to my blogroll. I think it’ll improve the value of my site :).

  29. Hello everybody, here every person is sharing these kinds of know-how,
    so it’s fastidious to read this weblog, and I used to visit this website daily.

  30. Tom, your comments are generally worth reading through. I like and agree with your analogy a great deal in excess of I do the authors. Thanks for keeping it very simple.
