selinux Archives - Lintel Technologies Blog

SELinux offers more enhanced security for linux. It is always recommended not to disable SELinux for servers which are more delicate, instead you can control the permissions for the deamons, programms or users using SELinux.

SELinux maintains the status of permissions for all deamons with attributes called booleans.

Get SELinux booleans

$ getsebool -a

1	$ getsebool -a

The above command will give you lot of variables with status either on or off. If you want to fetch for particular process or context use grep

To get all booleans regarding httpd(apache web server)

$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off

$ getsebool -a | grep httpd

allow_httpd_anon_write --> off

allow_httpd_mod_auth_ntlm_winbind --> off

allow_httpd_mod_auth_pam --> off

allow_httpd_sys_script_anon_write --> off

httpd_builtin_scripting --> on

httpd_can_check_spam --> off

httpd_can_network_connect --> off

httpd_can_network_connect_cobbler --> off

httpd_can_network_connect_db --> off

httpd_can_network_memcache --> off

httpd_can_network_relay --> off

httpd_can_sendmail --> off

httpd_dbus_avahi --> on

httpd_enable_cgi --> on

httpd_enable_ftp_server --> off

httpd_enable_homedirs --> off

httpd_execmem --> off

httpd_manage_ipa --> off

httpd_read_user_content --> off

httpd_run_stickshift --> off

httpd_serve_cobbler_files --> off

httpd_setrlimit --> off

httpd_ssi_exec --> off

httpd_tmp_exec --> off

httpd_tty_comm --> on

httpd_unified --> on

httpd_use_cifs --> off

httpd_use_fusefs --> off

httpd_use_gpg --> off

httpd_use_nfs --> off

httpd_use_openstack --> off

httpd_verify_dns --> off

Set SELinux Booleans

To set selinux booleans we use the command setsebool

$ setsebool

Usage:  setsebool [ -PV ] boolean value | bool1=val1 bool2=val2...

$ setsebool

Usage: setsebool [ -PV ] boolean value | bool1=val1 bool2=val2...

Here is how you can change

$ setsebool -P <boolean> <on|off>

1	$ setsebool -P <boolean> <on\|off>

For suppose if you want to allow httpd to allow sending mail

setsebool -VP httpd_can_sendmail on

1	setsebool -VP httpd_can_sendmail on

If you want to enable ftp server on httpd,

setsebool -P httpd_enable_ftp_server on

1	setsebool -P httpd_enable_ftp_server on

To enable apache to connect with external database

setsebool -P httpd_can_network_connect_db on

1	setsebool -P httpd_can_network_connect_db on

Like wise you can change the required booleans status. To query the modified status ues getsebool with grep.

The SELinux stands for Security-Enhanced Linux where it is a linux kernel security module. It is enabled by default on most of the linux distribution that we use for servers like centOS. It provides enhanced security measurements. It gives you fine control over all programs and daemons on their activities like communicating with out side programs or controlling whether to establish a outside connections for a particular program.

It is always recommended to have SELinux enabled on a server to avoid common security glitches.

To query the current status of SELinux use the following commands

getenforce

1	getenforce

The above command will report the current status of SELinux. Whether SELinux is enforcing, permissive, or disabled. If it is already disabled.

Disabling SELinux

Open the file /etc/selinux/config and change the option SELINUX to disabled

if you open file you would see something like

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

If SELinux is enabled you would see enforcing replace it with disabled.

You should restart the machine to take effect If you change SELINUX status from Enabled to Disabled or vice versa.

Enabling SELInux

To enable SELinux follow the below instructions,

Open the file /etc/selinux/config
Change option SELINUX from disabled to enforcing
Restart the machine

Change mode

To change the mode of SELinux which is running

$ setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
$ #To Set mode to Permissive
$ setenforce Permissive

$ setenforce

usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

$ #To Set mode to Permissive

$ setenforce Permissive

Check Status

SELinux is the linux kernel module for enhanced security. SELinux stands for Security-Enhanced Linux. If SELinux is installed on your machine or server you can check the current status by using following commands

[root@lintel ~]# getenforce

1	[root@lintel ~]# getenforce

The above command will give you one of the following as an output

enforcing, permissive, or disabled

1	enforcing, permissive, or disabled

You use the below command which will give simple overview

[root@lintel ~]# sestatus

1	[root@lintel ~]# sestatus

If enabled you will output something like

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

# sestatus

SELinux status: enabled

SELinuxfs mount: /selinux

Current mode: permissive

Mode from config file: permissive

Policy version: 24

Policy from config file: targeted

You can also check the configuration which is located at /etc/selinux/config.

In above config file the option SELINUX describes the status of SELinux. But it’s not precise to determine the status from the configuration file, it’s better to determine the status by using commands mentioned above.

*Note: You need administrator privileges to either enable or disable SELinux

Tag: selinux

How to modify permissions(booleans) of SELinux for deamons(programs)