Basics of SElinux

What is SELinux?

SELinux is a set of security policies/modules which are going to apply on the machine to improve the overall security of the machine. These are the Linux security modules(LSM) which are loaded in to kernel to improve security on accessing services/files which improve security. SELinux is short form of Security Enhanced Linux. SElinux is a security feature which was shipped with RHEL5, it is much secure than any other security such as PAM and Initd. Apparmor is some times consider as eloquent to SELinux. Below is the security model in Linux.

Setting of SELinux

SELinux is set in three modes.

  • Enforcing - SELinux security policy is enforced. IF this is set SELinux is enabled and will try to enforce the SELinux policies strictly
  • Permissive – SELinux prints warnings instead of enforcing. This setting will just give warning when any SELinux policy setting is breached
  • Disabled – No SELinux policy is loaded. This will totally disable SELinux policies.

 

And SELinux is set in two levels

  • Targeted – Targeted processes are protected,
  • Mls - Multi Level Security protection.

Get SELinux Status

Example1:Is SELinux enabled or not on your box? use below command to get the status.

#getenforce

The output will be either “Enabled” or “Disabled”
Example2: To see SELinux status in simplified way you can use sestatus

#sestatus

Sample output:
SElinux status : enabled
SELinux mount : /selinux
Current mode : enforcing
Mode from config file : enforcing
Policy version : 21
Policy from config file : targeted

From the above output we can see that SElinux is enabled and it is in enforced mode.
and to see detailed status you can use -b option, this will give on which services SElinux is enabled and which services are disabled.

Example3:To get elobrated info on difference status of SELinux on different services use -b option along sestatus

#sestatus -b

Sample output:

[root@centos1 ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

Policy booleans:
abrt_anon_write off
allow_console_login on
allow_corosync_rw_tmpfs off
allow_cvs_read_shadow off
allow_daemons_dump_core on
allow_daemons_use_tty on
allow_domain_fd_use on
allow_execheap off
allow_execmem on
allow_execmod on
allow_execstack on
allow_ftpd_anon_write off

==Cliped the output here==

Disabling SELinux

Example4:How to disable SElinux

We can do it in two ways
1)Permanent way : edit /etc/selinux/config

change the status of SELINUX from enforcing to disabled

SELINUX=enforcing

to

SELINUX=disabled

Save the file and exit.

2)Temporary way : Execute below command

echo 0 > /selinux/enforce

or

setenforce 0

Enabling SELinux

Example5:How about enabling SELinux

1)Permanent way : edit /etc/selinux/config

change the status of SELINUX from disabled to enforcing

SELINUX=disabled

to

SELINUX=enforcing

Save the file and exit.

2)Temporary way : Execute below command

echo 1 > /selinux/enforce

or

setenforce 1

Comment your thoughts on SELinux.