SELinux (Security-Enhanced Linux) is an integral part of major Linux distributions like RHEL, CentOS, Ubuntu, and Fedora. It provides mandatory access control (MAC) security policies that regulate programs based on assigned contexts. As a Linux admin, knowing basic SELinux commands can help you effectively manage its configuration.

In this comprehensive guide, we will cover the most essential SELinux commands for day-to-day administration.

Checking the Status of SELinux

To check whether SELinux is running and enabled, use the sestatus command:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

The key things to note are:

  • SELinux status: enabled – SELinux is running
  • Current mode: enforcing – SELinux is in enforcing mode, which means it is actively restricting access and logging violations

Some other possible modes are permissive (logs violations but does not enforce restrictions) and disabled (SELinux turned off completely).

Temporarily Setting SELinux in Permissive Mode

To temporarily set SELinux in permissive mode, use the setenforce 0 command:

$ sudo setenforce 0
$ getenforce
Permissive

This will make SELinux log policy violations but not enforce restrictions. It can be useful for troubleshooting access issues without fully disabling SELinux.

To revert back to enforcing mode:

$ sudo setenforce 1

Disabling and Re-Enabling SELinux

To fully disable SELinux, edit the /etc/selinux/config file:

$ sudo vim /etc/selinux/config

Change the SELINUX= line to:

SELINUX=disabled

Then reboot your system:

$ sudo reboot

To re-enable SELinux, edit /etc/selinux/config again and set SELINUX=enforcing, then reboot.

Checking the Security Context

Files, ports, processes, and users in Linux have a security context in SELinux. To view the context of a file, use ls -Z:

$ ls -Z /etc/shadow
-rw-r-----. root root system_u:object_r:shadow_t:s0 /etc/shadow

Breaking this down:

  • system_u – SELinux user identity
  • object_r – SELinux role
  • shadow_t – SELinux file type
  • s0 – MLS/MCS sensitivity level

Similarly, you can use ps -eZ | grep sshd to view the context of the SSH daemon process.

Getting SELinux Policy Details

To get details about the current SELinux policy rules, use:

$ seinfo -t sshd_t

SELinux Policy Rules Show sshd_t

TYPE sshd_t
    TYPE ATTRIBUTES
        role    system_r
        type    sshd_t
    DOMAINS
        domain      system_u : system_r : system_t : s0
        ...

This displays the attributes and rules for the sshd_t type. You can query any SELinux type using seinfo.

Checking Access Issues in Audit Logs

SELinux logs access denials and other issues to /var/log/audit/audit.log.

To check the log for recent SELinux denials, use:

$ sudo grep " avc:  denied" /var/log/audit/audit.log

To analyze specific denials, use sealert which suggests fixes:

$ sudo sealert -a /var/log/audit/audit.log

This will parse the log and provide guidance on allowing the blocked access.
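As an added example (not part of the original post), the POSIX shell function below groups the AVC denials in an audit log by source type, target type, object class and permission, and separates denials that were actually blocked from those that were only logged while SELinux was in permissive mode (the permissive=1 field). The audit records it runs over are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample audit records (not from a real system).
AVC_SAMPLE=$(mktemp)
cat >"$AVC_SAMPLE" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000001.500:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="sda1" ino=790 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF

# summarize_avc LOGFILE
# One line per distinct denial: count, source type -> target type, class,
# permission set, and whether it was "blocked" (permissive=0) or
# "logged-only" (permissive=1), most frequent first.
summarize_avc() {
    grep ' avc:  denied ' "$1" | awk '
    {
        perm = src = tgt = cls = mode = "?"
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is its type
            if ($i ~ /^scontext=/)   { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/)   { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
            if ($i ~ /^permissive=/) { mode = ($i == "permissive=1") ? "logged-only" : "blocked" }
        }
        count[src " -> " tgt " " cls " { " perm " } " mode]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# count_blocked LOGFILE: number of distinct denials that were enforced
count_blocked() {
    summarize_avc "$1" | grep -c ' blocked$'
}

summarize_avc "$AVC_SAMPLE"
```

Denials marked logged-only were recorded under setenforce 0 and would become real failures once you return to enforcing mode, so they deserve the same review as blocked ones.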

Customizing SELinux Policies

SELinux policies are highly customizable to meet specific use cases. Here are some common customizations:

Add a File to a Particular SELinux Type

Use semanage fcontext to add rules matching files to types:

$ sudo semanage fcontext -a -t samba_share_t '/mnt/share/foo(/.*)?'
$ sudo restorecon -Rv /mnt/share

This adds the /mnt/share/foo directory to the samba_share_t type.

Add a Port to an SELinux Type

To assign a network port to a type:

$ sudo semanage port -a -t http_port_t -p tcp 12345

This adds port 12345 TCP to http_port_t.

Manage SELinux User Mappings

To map a Linux user to an SELinux user:

$ sudo semanage login -a -s user_u john
$ sudo semanage login -l | grep john

Note that id -Z takes no username and reports the context of the calling process, so to see john's context run id -Z from a session logged in as john.

Modify SELinux Booleans

Booleans allow toggling certain runtime rules on/off.

To see booleans:

$ getsebool -a

To modify a boolean value:

$ sudo setsebool allow_webservd_anon_write 1

This sets the allow_webservd_anon_write boolean to on, allowing anonymous users to make writes to the httpd_t type. Without the -P flag the change applies only until the next reboot; use setsebool -P to make it persistent.

Conclusion

Learning basic SELinux commands is essential for Linux administrators to monitor and control its policies. Key skills include checking status, customizing file/port types, analyzing logs, and tuning booleans.

With these commands, you can fine-tune SELinux mandatory access controls to suit your environment – improving security while avoiding undue restrictions. The customization abilities also allow addressing application-specific use cases that may not fit the default policies.

Overall, SELinux provides infrastructure for powerful security – but needs to be properly managed to realize its benefits.
