Advanced SELinux Configuration
1. Introduction
SELinux (Security-Enhanced Linux) is a Linux Security Module (LSM) that adds mandatory access control to the kernel: every access is checked against a loaded policy in addition to the ordinary discretionary permissions, so a compromised process can be held to what its domain is allowed to do. This lesson covers advanced configuration techniques to enhance security on Linux systems.
2. Key Concepts
SELinux Modes
- Enforcing: the policy is enforced; denied operations fail and are logged.
- Permissive: the policy is not enforced; operations succeed, but each would-be denial is still logged. Use it for debugging, not as a production setting.
- Disabled: SELinux is turned off and the kernel stops maintaining labels; returning to Enforcing later requires a full filesystem relabel.
Types and Contexts
Every process and file carries a security context of the form user:role:type:level, for example system_u:object_r:httpd_sys_content_t:s0. The first three fields are the SELinux user, role, and type; the fourth is the MLS/MCS level, present in the default targeted policy but rarely relevant there. Type enforcement, which decides whether a process domain (such as httpd_t) may act on an object type (such as httpd_sys_content_t), is where most practical work happens, and understanding it is crucial for effective SELinux management.
3. Configuration
3.1 Setting SELinux Modes
To change the running mode without a reboot (only between Enforcing and Permissive; setenforce cannot enable or disable SELinux), use the following commands:
sudo setenforce 1 # Set to Enforcing
sudo setenforce 0 # Set to Permissive
A setenforce change is lost at reboot. To make it permanent, edit the configuration file:
sudo nano /etc/selinux/config
# Change the line to:
SELINUX=enforcing
If the previous setting was disabled, create the file /.autorelabel before rebooting so the whole filesystem is relabeled; otherwise unlabeled files are denied in Enforcing mode and the boot can fail.
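The persistent change above can be scripted. The following is an added example, not part of the original lesson: it rewrites the SELINUX= line of a config file and returns a distinct status when the old mode was disabled, so a caller knows a relabel is required. It assumes the stock /etc/selinux/config layout (one uncommented SELINUX= line) and runs the demo on a constructed copy, so it needs neither root nor an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not part of the original lesson: change the persistent
# SELinux mode in a config file and flag when a relabel is needed.
# Assumptions: the file follows the stock /etc/selinux/config layout with a
# single uncommented "SELINUX=<mode>" line. The demo below works on a
# constructed copy, so it runs without root and without SELinux installed.

# selinux_config_mode FILE: print the persistent mode recorded in FILE.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_config_mode FILE MODE
# Exit status: 0 mode written; 3 mode written but the previous mode was
# "disabled", so files carry no (or stale) labels and the system must be
# relabeled on the next boot (create /.autorelabel); 2 bad MODE or FILE.
set_selinux_config_mode() {
    cfg=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    old=$(selinux_config_mode "$cfg")
    # Rewrite only the active assignment; the explanatory comment lines that
    # start with "#" do not match the anchored pattern and stay untouched.
    tmp=$(mktemp) || return 2
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" &&
        cat "$tmp" > "$cfg"
    rm -f "$tmp"
    if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
        echo "previous mode was disabled: create /.autorelabel and reboot" >&2
        return 3
    fi
    return 0
}

# Demo on a constructed config file that mirrors the stock file's comments.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE=targeted
EOF
rc=0
set_selinux_config_mode "$demo_cfg" enforcing || rc=$?
echo "new mode: $(selinux_config_mode "$demo_cfg") (exit status $rc)"
rm -f "$demo_cfg"
```

On a real host, run it as root against /etc/selinux/config and act on exit status 3 before rebooting; the write goes through a temporary file so a failed sed never truncates the config.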
3.2 Creating Custom Policies
audit2allow turns logged denials into a loadable policy module. ausearch -m avc -ts recent selects the recent AVC records from the audit log, and audit2allow -M mypol writes both mypol.te (human-readable source) and mypol.pp (the compiled package):
sudo ausearch -m avc -ts recent | audit2allow -M mypol
sudo semodule -i mypol.pp
Read mypol.te before running semodule -i. audit2allow allows exactly what was denied, so if the denial came from a mislabeled file, from a boolean that should have been enabled (audit2allow prints a comment naming the boolean when one would cover the denial), or from an attacker probing the system, the generated rule weakens the policy instead of fixing the cause. A module that turns out to be wrong can be removed again with semodule -r mypol.
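The review step is the part that is easy to skip. The following is an added example, not part of the original lesson and not a tool shipped with SELinux: it summarizes AVC denials by source type, target type and object class, and greps an audit2allow-style .te file for rules that should never be installed without thought. The audit log lines and the .te file are constructed samples embedded in the script, and the list of "risky" patterns is a starting point chosen for this example, not an authoritative list.

```shell
#!/bin/sh
# Added example, not part of the original lesson: summarize AVC denials and
# review an audit2allow-generated .te file before installing it. The log
# lines and the .te below are constructed samples; the "risky" pattern list
# is a starting point chosen for this example, not an authoritative list.

# Constructed audit.log excerpt: httpd tries to read /etc/shadow (a bug or
# an attack, not a labeling problem), a file under a home directory, and
# asks for a capability.
SAMPLE_AVC_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/etc/shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { getattr } for  pid=1240 comm="httpd" path="/home/alice/site/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.500:459): avc:  denied  { dac_override } for  pid=1240 comm="httpd" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0'

# Constructed .te in the shape audit2allow -M emits for the denials above.
SAMPLE_TE='module mypol 1.0;

require {
    type httpd_t;
    type shadow_t;
    type user_home_t;
    class file { read open getattr };
    class capability dac_override;
}

#============= httpd_t ==============
allow httpd_t shadow_t:file { read open };
allow httpd_t self:capability dac_override;
allow httpd_t user_home_t:file getattr;'

# avc_summary: read audit lines on stdin, print
# "<count> <source type> <target type> <class> { <permissions> }"
# with the most frequent triple first.
avc_summary() {
    awk '
    /avc:  denied/ {
        perm = ""; s = ""; t = ""; c = ""
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            else if (kv[1] == "tclass") { c = kv[2] }
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t " " c
        count[key]++
        if (index(" " perms[key] " ", " " perm " ") == 0)
            perms[key] = (perms[key] == "" ? perm : perms[key] " " perm)
    }
    END { for (k in count) printf "%d %s { %s }\n", count[k], k, perms[k] }
    ' | sort -rn
}

# Rules that deserve a second look: password hashes, the SELinux control
# interfaces and config, any capability, executable memory, unconfined types.
TE_RISKY='shadow_t|security_t|selinux_config_t|:capability|execmem|execmod|execheap|unconfined'

# te_review FILE: print the allow rules (with line numbers) matching TE_RISKY.
te_review() {
    grep -nE '^[[:space:]]*allow[[:space:]]' "$1" | grep -E "$TE_RISKY"
}

# te_review_count FILE: print how many risky rules te_review finds (0 if none).
te_review_count() {
    te_review "$1" | grep -c . || true
}

# Demo on the constructed samples.
log=$(mktemp); te=$(mktemp)
printf '%s\n' "$SAMPLE_AVC_LOG" > "$log"
printf '%s\n' "$SAMPLE_TE" > "$te"
echo "== denials by source type, target type, class =="
avc_summary < "$log"
echo "== rules to review before semodule -i =="
te_review "$te" || echo "(none)"
rm -f "$log" "$te"
```

In the sample, only the user_home_t rule is a plausible labeling fix; the shadow_t and capability rules are exactly what a blind semodule -i would install. On a live host, feed the script with ausearch -m avc -ts recent and point te_review at the .te that audit2allow -M wrote.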
3.3 Allowing Access to Resources
semanage does not grant a process access directly. It records a persistent file-context rule that says which type files under a path should carry; the policy already defines which domains may use that type (httpd_t may read httpd_sys_content_t, for instance). restorecon then applies the rule to the existing files:
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -R /var/www/html
The pattern is a regular expression matched against the whole path, so (/.*)? covers the directory itself and everything below it. /var/www/html already carries this type in the default policy; the same two commands are how a non-default document root is made readable by the web server. Changing a label with chcon alone lasts only until the next relabel, because it does not update the file-context rules.
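Because the pattern is matched against the full path, a wrong pattern silently relabels too little or too much. The following is an added example, not part of the original lesson: it applies the same anchored regular-expression matching that the file-context rules use (the assumption here is libselinux's behaviour of anchoring every file_contexts regex at both ends) to a constructed list of paths, so the effect of a pattern can be checked before semanage and restorecon are run.

```shell
#!/bin/sh
# Added example, not part of the original lesson: check which paths a
# semanage fcontext pattern will match before running restorecon.
# Assumption (libselinux behaviour): file_contexts regexes are anchored at
# both ends, so a pattern must describe the whole path, not a prefix.

# fcontext_matches PATTERN PATH: succeed if PATH is fully matched by PATTERN.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# fcontext_plan PATTERN TYPE PATH...: print "PATH -> TYPE" for each path the
# pattern covers, i.e. what "semanage fcontext -a -t TYPE PATTERN" followed
# by "restorecon -R" would relabel among the given paths.
fcontext_plan() {
    pat=$1; typ=$2; shift 2
    for p in "$@"; do
        if fcontext_matches "$pat" "$p"; then
            printf '%s -> %s\n' "$p" "$typ"
        fi
    done
}

# Demo with constructed paths: the lesson's pattern next to two common
# mistakes. "/var/www/html/.*" misses the directory itself, and the shell
# glob "/var/www/html/*" is read as a regex ("/" repeated zero or more
# times), so it matches nothing below the directory.
PATHS='/var/www/html /var/www/html/index.html /var/www/html/app/a.php /var/www/html2/x /var/www'
for pat in '/var/www/html(/.*)?' '/var/www/html/.*' '/var/www/html/*'; do
    echo "pattern: $pat"
    fcontext_plan "$pat" httpd_sys_content_t $PATHS
done
```

The same check is useful before semanage fcontext -d, to confirm the pattern being deleted is the one that covers the files in question.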
4. Troubleshooting
Common troubleshooting commands include:
sudo sestatus
- Check the current status of SELinux: whether it is enabled, the running and configured modes, and the loaded policy type.
sudo sealert -a /var/log/audit/audit.log
- Analyze SELinux alerts and get suggested fixes. sealert comes with the setroubleshoot-server package; if it is not installed, ausearch -m avc still lists the raw denials.
5. Best Practices
- Always run SELinux in Enforcing mode in production. If a single service needs debugging, make only its domain permissive rather than the whole system.
- Regularly review the audit log for denied accesses. A denial is a signal to investigate, not automatically a rule to add.
- Prefer the policy's booleans and file-context rules over custom modules. When a custom module is needed, keep it small, review its .te source, and keep that source under version control so the change can be audited and reverted.
6. FAQ
What is the difference between SELinux and AppArmor?
Both are mandatory access control modules built on the kernel's LSM framework, and only one of them can be the active MAC module on a system. SELinux labels every process and object and decides on labels (type enforcement), which is more granular and follows a file wherever it is moved or hard-linked, but requires labeled filesystems and more policy work. AppArmor confines programs with profiles written in terms of file paths, which is easier to read and write but ties the protection to the path rather than the object.
How can I check which SELinux context a file has?
Use the command: ls -Z /path/to/file
to view the SELinux context of a file. For processes, use ps -eZ, and id -Z shows the context of the current shell.