What is SELinux?
SELinux, Security-Enhanced Linux, is an additional method to protect your system. Presuming we want to allow remote anonymous access to a web server, we must open the ports through the firewall. However, that means that malicious people can try to break into the system through a security exploit and, if they compromise the web server process, gain its permissions: the permissions of the apache user and the apache group. That user/group has read access to things like the document root (/var/www/html), as well as write access to /tmp, /var/tmp and any other files/directories that are world writable.
SELinux is a set of security rules that determine which process can access which files, directories, ports, etc. Every file, process, directory and port has a special security label called an SELinux context. A context is simply a name that is used by the SELinux policy to determine whether or not a process can access a file, directory or port.
SELinux labels have several contexts, but we will discuss only one context in relation to the web server: the type context. Type context names usually end with _t. The type context for the web server process is httpd_t. The type context for files and directories normally found in /var/www/html is httpd_sys_content_t. The type context for files and directories normally found in /tmp and /var/tmp is tmp_t. The type context for web server ports is http_port_t.
There is a rule in the policy that permits Apache (the web server process running as httpd_t) to access files and directories with the context normally found in /var/www/html and other web server directories (httpd_sys_content_t). There is no allow rule in the policy for files normally found in /tmp and /var/tmp, so access is not permitted. With SELinux enabled, a malicious user who compromised the web server could not read the /tmp directory, let alone write files to it. SELinux even has rules for remote filesystems such as NFS and CIFS, although all files on those filesystems are labeled with the same context.
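The practical consequence of the type rule above is that files which end up in the document root with the wrong type (for example, copied in from /tmp and still labeled tmp_t) are unreadable by httpd_t even though the ownership and mode bits look fine. The script below is an added example, not code from the original article: it reads `ls -Z`-style lines (the sample here is constructed; on a real host you would pipe in `ls -RZ /var/www/html`), extracts the type component of each context, and lists every file whose type is not in the allowed set. The function names and the sample file names are mine.

```shell
#!/bin/sh
# Added example: audit a web document root for files whose SELinux type
# is not one that the policy lets httpd_t read.

# Extract the type field (third colon-separated field) from a full context,
# e.g. unconfined_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed sample of `ls -Z` output: "<context> <path>" per line.
# The last two files were copied in from /tmp and from a home directory and
# kept their original labels, for which httpd_t has no allow rule.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/css/site.css
unconfined_u:object_r:tmp_t:s0 /var/www/html/upload.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/notes.html'

# Read `ls -Z` lines on stdin; print "<type> <path>" for every file whose
# type is not in the space-separated allowed list given as $1.
find_mislabeled() {
    allowed="$1"
    while read -r ctx path; do
        # skip blank lines and the "dir:" headers that `ls -R` prints
        if [ -z "$path" ]; then continue; fi
        t=$(context_type "$ctx")
        ok=0
        for a in $allowed; do
            if [ "$t" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$t" "$path"
        fi
    done
}

# Number of mislabeled entries in the constructed sample
mislabeled_count() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled "httpd_sys_content_t" | wc -l | tr -d ' '
}

# The fix for mislabeled files in a standard location is to restore the
# policy's default context rather than to loosen the policy:
#   restorecon -Rv /var/www/html
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled "httpd_sys_content_t"
```

Run against a real document root, the two flagged files would show up in the web server's denial log as httpd_t being refused read access to tmp_t and user_home_t objects; `restorecon -Rv /var/www/html` relabels them to httpd_sys_content_t.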
SELinux MODES
- Enforcing Mode
- Permissive Mode
- Disabled
Enforcing Mode: In enforcing mode, SELinux actively denies access, for example to the web server attempting to read files with the tmp_t type context. In enforcing mode, SELinux both logs and protects.
Permissive Mode: Permissive mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even those for which there is no explicit allow rule, and it logs every interaction that would have been denied. This mode can be used to determine whether you are having an SELinux issue. No reboot is required to go from enforcing to permissive or back again.
Disabled: A third mode, disabled, completely disables SELinux. You must reboot to disable SELinux entirely, or to get from disabled mode to enforcing or permissive.
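The difference between enforcing and permissive mode is visible in the denial records SELinux writes: each AVC record carries the source and target contexts, the object class, the permission that was checked, and a permissive=0/1 flag that says whether the access was actually blocked or only logged. The script below is an added example, not part of the original article; it assumes the standard audit AVC record format (on a real host the input would come from `ausearch -m AVC -ts recent` or from grepping /var/log/audit/audit.log), and the three records it parses are constructed to show httpd_t being refused access to tmp_t in both modes.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denial records as
# "<mode> <source_type> -> <target_type> (<class>) {<permissions>}"
# so the source type, target type and enforcing/permissive outcome are
# visible at a glance.

# Constructed records in the audit AVC format. The first two were produced
# in enforcing mode (permissive=0, access blocked); the third shows the same
# read attempt after switching to permissive mode (permissive=1, only logged).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="scratch.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1201 comm="httpd" name="tmp" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.903:203): avc:  denied  { read } for  pid=1201 comm="httpd" name="scratch.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=1'

# Pull one space-delimited key=value field out of a record: field "$line" tcontext
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# Type component of a context string (third colon-separated field)
ctype() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC records on stdin and print one summary line per denial
summarise_avc() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*) ;;
            *) continue ;;          # not a denial record
        esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        src=$(ctype "$(field "$line" scontext)")
        tgt=$(ctype "$(field "$line" tcontext)")
        cls=$(field "$line" tclass)
        if [ "$(field "$line" permissive)" = "1" ]; then
            mode=LOGGED_ONLY        # permissive mode: the access went ahead
        else
            mode=BLOCKED            # enforcing mode: the access was denied
        fi
        printf '%s %s -> %s (%s) {%s}\n' "$mode" "$src" "$tgt" "$cls" "$perms"
    done
}

# Number of denials in the sample that were actually enforced
blocked_count() {
    printf '%s\n' "$SAMPLE_AVC" | summarise_avc | grep -c '^BLOCKED'
}

printf '%s\n' "$SAMPLE_AVC" | summarise_avc
```

A burst of LOGGED_ONLY lines for a type that normally appears as BLOCKED is the signature of a host left in permissive mode after troubleshooting, which is worth alerting on.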
Enable And Disable SELinux Mode
There are two ways of enabling and disabling SELinux on Linux:
1. Make the changes in the /etc/sysconfig/selinux file.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Use /etc/sysconfig/selinux to change the default SELinux mode at boot time. In the example above, it is set to enforcing mode. This file is only read at boot, so editing it does not change the mode of the running system.
2. Change the mode at the command line.
To change the SELinux mode without a restart, use these two commands:
- getenforce
- setenforce
To check the current status of SELinux on the system, use getenforce:
[root@serverx ~]# getenforce
Enforcing
It shows that the current SELinux status is Enforcing.
To change the current status of SELinux on the system, use setenforce:
[root@serverx ~]# setenforce
usage: setenforce [enforcing | permissive | 1 | 0 ]
You can choose either enforcing or permissive mode, but you can't disable SELinux with setenforce.
[root@serverx ~]# setenforce 0
[root@serverx ~]# getenforce
Permissive
The SELinux status changed to Permissive.
[root@serverx ~]# setenforce 1
[root@serverx ~]# getenforce
Enforcing
The SELinux status changed to Enforcing.
[root@serverx ~]# setenforce permissive
[root@serverx ~]# getenforce
Permissive
The SELinux status changed to Permissive.
[root@serverx ~]# setenforce enforcing
[root@serverx ~]# getenforce
Enforcing
The SELinux status changed to Enforcing.
The example above shows the different ways of using the setenforce command to change the SELinux mode. Note that setenforce only changes the running mode; the mode set in /etc/sysconfig/selinux is what the system returns to at the next boot.
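Because the two mechanisms above are independent (the config file sets the boot-time mode, setenforce changes the running mode), a host can quietly run permissive after troubleshooting while its config still says enforcing, or the other way round. The script below is an added example, not code from the original article: it reads and rewrites the SELINUX= line of a config file, and compares the configured boot mode with what getenforce reports. The file path is a parameter so the functions can be exercised on a constructed copy without root; on a real host it would be /etc/sysconfig/selinux (on Red Hat family systems a symlink to /etc/selinux/config). The function names are mine.

```shell
#!/bin/sh
# Added example: manage the boot-time SELinux mode in the config file and
# check it against the running mode reported by getenforce.

# Print the SELINUX= value from the given config file (comments ignored)
configured_mode() {
    sed -n 's/^[ ]*SELINUX=[ ]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line in the given file; refuses anything but the
# three valid modes so a typo cannot leave the system with no usable setting
set_boot_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    # sed -i differs between GNU and BSD sed, so write via a temp file
    tmp="$file.tmp.$$"
    sed "s/^[ ]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Running mode from getenforce, lower-cased, or "unavailable" on a host
# without SELinux tooling
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unavailable
    fi
}

# Report whether the running mode matches what the next boot will use
check_consistency() {
    boot=$(configured_mode "$1")
    now=$(runtime_mode)
    if [ "$now" = unavailable ]; then
        echo "boot=$boot runtime=unavailable"
    elif [ "$boot" = "$now" ]; then
        echo "consistent: $now"
    else
        echo "MISMATCH: running $now now, but $boot at next boot"
    fi
}

# Constructed copy of the config file shown above, so this runs without root
CONF="${TMPDIR:-/tmp}/selinux-config-demo.$$"
cat > "$CONF" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo "configured: $(configured_mode "$CONF")"
set_boot_mode "$CONF" permissive
echo "after change: $(configured_mode "$CONF")"
check_consistency "$CONF"
```

On a real host you would point configured_mode and check_consistency at /etc/sysconfig/selinux and run check_consistency from a periodic job; a MISMATCH line means someone used setenforce (or edited the file) without doing the other half.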