Understanding SELinux or Security Enhanced Linux

SELinux refers to the security policy or security module that is integrated in Linux Kernel 2.6.*. SELinux offers US Department of Defence style mandatory access control and is much secure than PAM. It was introduced by Red Hat with version 4 and is generally available with Red Hat based distributions. Further it became available with certain Debian and Ubuntu distros too.

Security Enhanced Linux defines the access rights of every user, application, process and file present in the system. It then monitor the activity that requires access to certain files/directory, it may be a user or an applications request to access those. The request is sent to the security server in the kernel, where it checks for the security context of the request source and the requested data. If the context are compatible, the permission is granted. If it is denied, then a message is issued in /var/log/message with avc: denied. In modern systems, however, a graphical notification pops up displaying the detailed report of all the players in the process along with the commands to deal with the permissions.

SELinux works in three operating modes:

1. Enforcing: Security Enhanced Linux policies are enforced, i.e. strict denial as soon as the contexts mismatch without the consent of the user.

2. Permissive: Security Enhanced Linux issues warning messages but the policy is not enforced. Here, the user makes the decision to grant/deny the permission.

3. Disabled: This disable the Security Enhanced Linux policy entirely.

Checking SELinux Status

To check the current SELinux status, open the terminal and type the follwing:

[user@PC:~]$ getenforce

For more detailed status:

[user@PC:~]$ sestatus

Following image shows the output from both the commands:

SELinux Getenforce
SELinux Getenforce Sestatus

Enabling SELinux

There are two ways in which setting are enabled in Linux system :Temporary and Persistent .

Temporary way:

Open the terminal and type the following:

[user@PC:~]$ setenforce 1

Persistent way:

We need to make entry in the SELinux file present in the system, which is the primary configuration file for SELinux. We can make entry in either “/etc/sysconfig/selinux” or “/etc/selinux/config” file, by editing SELINUX = ENFORCING. Open the terminal and type the following:

[user@PC:~]$ sudo vim /etc/sysconfig/selinux

This will open the selinux config file:

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing – SELinux security policy is enforced.

# permissive – SELinux prints warnings instead of enforcing.

# disabled – No SELinux policy is loaded.

SELINUX=ENFORCING

# SELINUXTYPE= can take one of these three values:

# targeted – Targeted processes are protected,

# minimum – Modification of targeted policy. Only selected processes are protected.

# mls – Multi Level Security protection.

SELINUXTYPE=targeted

Following image shows the config file, here, changes are made in line no. 7.

Selinux Enforce
Selinux Enforce

Disabling SELinux

Temporary way:

Open the terminal and type the following:

[user@PC:~]$ setenforce 0

Persistent way:

Editing the “/etc/sysconfig/selinux” or “/etc/selinux/config” file, by changing SELINUX = DISABLED. Open the terminal and type the following:

[user@PC:~]$ sudo vim /etc/sysconfig/selinux

This will open the selinux config file:

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing – SELinux security policy is enforced.

# permissive – SELinux prints warnings instead of enforcing.

# disabled – No SELinux policy is loaded.

SELINUX= DISABLED

# SELINUXTYPE= can take one of these three values:

# targeted – Targeted processes are protected,

# minimum – Modification of targeted policy. Only selected processes are protected.

# mls – Multi Level Security protection.

SELINUXTYPE=targeted

Following image shows the config file, here, changes are made in line no. 7.

Selinux disabled
Selinux disabled

The similar approach can be applied for activating permissive mode too.

Security Enhanced Linux provide variety of features, that include individual policy assigning and advanced secure environment. Keep in check with us to follow comparison among SELinux, PAM and APPArmor.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.