| Tutorial details | |
|---|---|
| Difficulty | Intermediate |
| Root privileges | Yes |
| Requirements | reboot |
SELinux is a kernel security extension that can be used to guard against misconfigured or compromised programs. It provides a Mandatory Access Control (MAC) system that improves on the traditional UNIX/Linux DAC (Discretionary Access Control) model. SELinux can be in any one of the following states:
- enforcing - SELinux security policy is enforced.
- permissive - SELinux prints warnings instead of enforcing.
- disabled - SELinux is fully disabled.
Step #1: Install additional SELinux packages
Type the following yum command:
# yum install policycoreutils setroubleshoot
Step #2: Run SELinux in permissive mode
Edit the /etc/selinux/config file:
# vi /etc/selinux/config
Update the configuration file as follows:
SELINUX=permissive
SELINUXTYPE=targeted
Save and close the file. Reboot the server:
# reboot
Step #3: Make sure SELinux did not deny actions
Type the following command to confirm that SELinux did not deny actions during the reboot:
# grep "SELinux is preventing" /var/log/messages
If this command returns no output, skip ahead to step #4. If you do get output, the chcon command can be used to change the SELinux security context of an individual file; however, it is recommended that you relabel the complete filesystem instead. Type the following command to report which files under /home differ from their default security contexts (the -n option makes restorecon report only, without changing any labels):
# restorecon -Rv -n /home
You can run the same check on the root (/) file system too:
# restorecon -Rv -n /
Do not skip this step. Type the following commands to relabel the entire filesystem on the next boot:
# touch /.autorelabel
# reboot
It will take some time to relabel the complete filesystem. If you get errors, or common services such as mysqld or sshd fail to start, try the following solution (switch to single-user mode first):
# init 1
# genhomedircon
# touch /.autorelabel
# reboot
Now, go to step #4.
Step #4: Set SELINUX to enforcing mode
Edit /etc/selinux/config again:
# vi /etc/selinux/config
Update the configuration file as follows:
SELINUX=enforcing
SELINUXTYPE=targeted
Understanding SELinux Configuration
- SELINUX=enforcing : Enforcing is the default mode, which enables and enforces the SELinux security policy on Linux. It denies unauthorized access and logs the denied actions in a log file.
- SELINUXTYPE=targeted : Only targeted network daemons (such as DNS, Apache and others) are protected.
Save and close the file. Make sure SELinux is not disabled by the GRUB boot loader: kernel options on the kernel line override the config file. Search /boot/grub/grub.conf with grep and make sure no kernel line contains selinux=0 or enforcing=0:
# egrep -i 'selinux=0|enforcing=0' /boot/grub/grub.conf
If you find lines containing selinux=0 or enforcing=0, remove those options and save the changes. Reboot the server:
# reboot
Step #5: Make Sure SELinux is Properly Enabled
Type the following command:
# sestatus
Sample outputs:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
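Steps #2 through #5 edit /etc/selinux/config and check grub.conf by hand. The following script is an added example (not part of the original tutorial): it reads both files, avoids the common mistake of matching the explanatory comment in the stock config with a bare grep, and reports the mode that will actually apply after the next reboot. The two sample files are constructed for the demonstration; point the functions at the real paths on a live host.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check the two places the
# tutorial edits, /etc/selinux/config and grub.conf, and report the SELinux
# mode that will actually apply after the next reboot. Paths are parameters so
# the functions can be pointed at copies or at the constructed samples below.

# Strip comments and blank lines. Needed because the stock config carries the
# comment "# SELINUX= can take one of these three values", which a bare
# "grep SELINUX=" would report as if it were the setting.
uncommented() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Value of KEY (arg 1) in an /etc/selinux/config style file (arg 2); last assignment wins.
config_value() { uncommented "$2" | tr -d '[:blank:]' | awk -F= -v k="$1" '$1==k{v=$2} END{print v}'; }

# 0 if an active (uncommented) kernel line carries the boot option in arg 1, else 1.
grub_has() { uncommented "$2" | grep -Eiq "(^|[[:space:]])$1([[:space:]]|\$)"; }

# Mode in effect after reboot: the kernel command line overrides the config file.
effective_mode() {
    cfg=$(config_value SELINUX "$1")
    if grub_has selinux=0 "$2"; then echo disabled
    elif [ "$cfg" = enforcing ] && grub_has enforcing=0 "$2"; then echo permissive
    else echo "$cfg"; fi
}

# Constructed samples (not real system files) so the checks run offline.
SAMPLE_CFG=$(mktemp); SAMPLE_GRUB=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat >"$SAMPLE_GRUB" <<'EOF'
default=0
title CentOS (2.6.32-431.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=/dev/mapper/vg-root rhgb quiet enforcing=0
        initrd /initramfs-2.6.32-431.el6.x86_64.img
EOF

echo "config file: SELINUX=$(config_value SELINUX "$SAMPLE_CFG") SELINUXTYPE=$(config_value SELINUXTYPE "$SAMPLE_CFG")"
echo "after reboot: $(effective_mode "$SAMPLE_CFG" "$SAMPLE_GRUB")"   # permissive: grub wins
# On a live CentOS 6 host: effective_mode /etc/selinux/config /boot/grub/grub.conf
```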
Check Out Related Media
This tutorial is available in a quick video format that demos all of the above steps:
Video - 01: Enabling SELinux under CentOS/RHEL/SL v6.x
How Do I Print Full List Of Allowed Network Ports?
Type the following commands:
# semanage port -l
# semanage port -l | less
#### look for port 80 ####
# semanage port -l | grep -w 80
How Do I Allow Lighttpd / Apache / Nginx At Port 8181?
By default the SELinux policy does not allow the web server domain to bind to many ports, including 8181. You need to label port 8181 with the http_port_t type so that the web server can bind and listen for incoming requests on this non-privileged port. Use the semanage command as follows:
# semanage port -a -t http_port_t -p tcp 8181
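The semanage port -a call above succeeds only when the port has no entry of its own; if the port is already listed under another type (8080 under http_cache_port_t, for example), semanage reports that the port is already defined and semanage port -m must be used instead. The following added example (not from the tutorial) parses a saved semanage port -l listing, tells individual entries apart from low-high ranges, and prints the right semanage command without executing it. The listing below is a constructed sample in the RHEL 6 output layout.

```shell
#!/bin/sh
# Added example (not from the tutorial): work out from "semanage port -l"
# output how a port must be labelled before touching semanage, because
# "semanage port -a" fails with "already defined" when the port already has
# its own entry and "semanage port -m" is needed in that case. The listing is
# read from a file so the constructed sample below stands in for the live command.

# Print the type covering PORT/PROTO (args 1, 2) in a saved listing (arg 3):
# "exact TYPE" when the port is listed individually, "range TYPE" when only a
# low-high range covers it, nothing when it is unlabelled.
port_type() {
    awk -v port="$1" -v proto="$2" '
        $2 == proto {
            rest = $0; sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", rest)   # drop type and proto columns
            n = split(rest, items, ", *")
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, "-") == 2) {
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0 && range == "") range = $1
                } else if (items[i]+0 == port+0) exact = $1
            }
        }
        END { if (exact != "") print "exact", exact; else if (range != "") print "range", range }' "$3"
}

# Print the semanage command that gives PORT/PROTO (args 1, 2) the type in
# arg 3, judging from the listing in arg 4. Nothing is executed here.
port_label_plan() {
    set -- "$1" "$2" "$3" "$(port_type "$1" "$2" "$4")"
    case $4 in
        "exact $3") echo "$2/$1 is already $3; nothing to do" ;;
        exact\ *)   echo "semanage port -m -t $3 -p $2 $1   # replaces ${4#exact }" ;;
        *)          echo "semanage port -a -t $3 -p $2 $1" ;;
    esac
}

# Constructed sample in the RHEL 6 "semanage port -l" layout (not a real capture).
SAMPLE_PORTS=$(mktemp)
cat >"$SAMPLE_PORTS" <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535
EOF

port_label_plan 8181 tcp http_port_t "$SAMPLE_PORTS"   # -a: 8181 has no entry
port_label_plan 8080 tcp http_port_t "$SAMPLE_PORTS"   # -m: 8080 is http_cache_port_t
port_label_plan 443  tcp http_port_t "$SAMPLE_PORTS"   # nothing to do
```

On a live host, save the real listing with semanage port -l > ports.txt and pass that file as the last argument.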
How Do I Find Out Unprotected Services?
Type the following command:
# ps -eZ | egrep "initrc" | egrep -vw "ps|tr|egrep|awk|bash" | tr ':' ' ' | awk '{ print $NF }'
You should not see any output on fully configured SELinux systems.
How Do I See SELinux Labels?
Type the following command:
# ls -lZ /path/to/file
# ls -lZd /path/to/dir
# ls -lZd /etc
# ls -lZ /dev/ | grep deviceName
# ls -lZ /etc/resolv.conf
Sample outputs:
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
Troubleshooting SELinux Policy Errors
SELinux is a complex piece of kernel software, and fixing errors takes time. Use the following tools to find and debug SELinux policy problems (refer to your local man pages):
- ps -Z -p PID
- ls -Z fileName
- ausearch
- restorecon
- semodule
- audit2allow
- Log files: /var/log/audit/audit.log and /var/log/setroubleshoot/setroubleshootd.log
After installing several hundred RHEL 5.x systems over the last 18 months I can assure you that by default SELinux is indeed turned on and enforcing in RHEL 5.x .
Good stuff. I opened the port on the firewall and added the same port as an httpd port in SELinux, and also updated Apache to listen on it. But I can't access my webpage with the domain name only, I have to type http://www.mydomainname.com:theport#
Web browser is set to default to port 80, if you don’t tell him otherwise.
It is not server problem.
How much time will it take to reboot in step #2?