SELinux Architecture

SELinux is a kernel security module that the system administrator can enable or disable. Because access to files and network ports is restricted according to a security policy, a faulty program or a misconfigured daemon cannot do much damage to the system. When an application or process requests access to a file on an SELinux system, the kernel first checks the access vector cache (AVC). If the permission decision is already cached, it is returned from the cache and the file is served to the requesting application. If it is not cached, the request is sent to the security server, which checks the security policies in its database; depending on the policy, permission is then granted or declined. There is no concept of root or superuser in SELinux. The security of an unmodified Linux distribution without SELinux depends on the correctness of the kernel, all of the privileged applications, and their configurations: a fault or bug in any of these components can create an attack surface and compromise the system. A Linux system with SELinux, on the other hand, depends primarily on the correctness of the kernel and of the security policies.

How to Install or Enable SELinux

SELinux stands for Security Enhanced Linux. SELinux has been part of the Linux kernel since 2003, so you don’t have to install it separately. In most desktop Linux distributions, however, it is disabled by default. SELinux has three main modes: Enforcing, Permissive, and Disabled. Let’s discuss them briefly:

Note: Ubuntu ships with AppArmor, an alternative to SELinux. While SELinux is available on Ubuntu, it is not compatible with AppArmor and may break your system if enabled. If you really need to use SELinux on Ubuntu, make sure you disable AppArmor and test intensively (start with permissive mode first) before using it in production.

Note: if you switch SELinux straight to enforcing without first running it in permissive mode, it may mislabel files and processes and prevent you from booting. SELinux will then be successfully enforced on your system.

How to Configure SELinux

SELinux is an architecture that lets system administrators control what can access system resources. SELinux limits access to the system by using security policies. There are many ways to configure SELinux to protect your system; the most popular are the “targeted policy” and “multi-level security” (MLS). The targeted policy is the default security policy. It covers a range of security concerns, such as file access, tasks, services, etc. Multi-level security (MLS) is generally used by government and large organizations; it is very complicated to set up and requires a dedicated team to manage it. You can check your current SELinux mode with the commands getenforce and sestatus. If you only need to change the SELinux mode for the current session, you can run one of the following two commands.

sudo setenforce 0: sets SELinux to permissive mode for the current session.
sudo setenforce 1: sets SELinux to enforcing mode for the current session.

SELinux Policies

SELinux works as a labeling system: it associates every file, port, and process with a label. Labels are a logical way of grouping things together, and the kernel is responsible for applying the labels during boot. Parts of the SELinux policy can be switched on and off with booleans. As an example, let’s set a boolean for the daemon called httpd. httpd is the Apache HTTP server daemon that we use to run web servers on Linux. To list all the booleans specific to httpd, run the following command in your terminal:

Here, the -a option lists all the booleans, and we use grep to filter for only the booleans related to httpd. The output of the above command looks like the image below. From that list, we take the httpd_can_connect_ftp boolean and change its value. First, read the current value of httpd_can_connect_ftp to see whether it is on or off:

Now let’s set the value of httpd_can_connect_ftp to allow. Here, 1 represents allow or on. The -P option makes the change permanent, so it survives a reboot. If you list the booleans related to httpd again, you can see that the value of httpd_can_connect_ftp has changed to on.
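The listing, filtering and permanent change described above, turned into an added shell example that is not part of the original article: it checks the httpd booleans of a host against an expected baseline and prints the setsebool -P command that would revert any boolean that has been switched on. It assumes the "name --> on|off" line format that getsebool -a prints and reads that listing from stdin, so it runs here over a constructed sample as well as over live output.

```bash
#!/usr/bin/env bash
# Added example: audit the SELinux booleans of one daemon against an expected baseline.
# Input is the "name --> on|off" text that `getsebool -a` prints, read from stdin so the
# functions work on a saved listing as well as on live output.
set -u

# Constructed sample of `getsebool -a | grep httpd` output (not captured from a real host).
SAMPLE_BOOLEANS='httpd_can_connect_ftp --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Booleans that widen what httpd may reach; this baseline (an assumption) expects them off.
EXPECTED_OFF='httpd_can_connect_ftp httpd_can_network_connect httpd_can_network_connect_db httpd_enable_homedirs'

# boolean_state NAME < listing : print "on" or "off"; exit 1 if the boolean is not listed.
boolean_state() {
  local name=$1 line
  while IFS= read -r line; do
    case $line in
      "$name --> on")  echo on;  return 0 ;;
      "$name --> off") echo off; return 0 ;;
    esac
  done
  return 1
}

# report_drift < listing : print one line per baseline boolean that is "on" (the state a
# `setsebool -P ... 1` produces) together with the -P command that reverts it.
# Exit status is the number of drifted booleans, so 0 means the host matches the baseline.
report_drift() {
  local listing name state drift=0
  listing=$(cat)
  for name in $EXPECTED_OFF; do
    state=$(printf '%s\n' "$listing" | boolean_state "$name") || state=missing
    if [ "$state" = on ]; then
      echo "$name is on (baseline: off) -> revert with: sudo setsebool -P $name 0"
      drift=$((drift + 1))
    fi
  done
  return "$drift"
}

# Stand-alone run over the constructed sample; on a real host use:
#   getsebool -a | grep httpd | report_drift
printf '%s\n' "$SAMPLE_BOOLEANS" | report_drift || echo "$? boolean(s) differ from the baseline"
```

Running the sample reports only httpd_can_connect_ftp, since httpd_enable_cgi is not in the baseline; the exit status makes the check usable from a cron job or configuration-management hook.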

How to Handle SELinux Errors

SELinux errors generally fall into four types:

How to Disable SELinux

Disabling SELinux is never a good option for enterprise and government servers or for public-facing devices, which are highly exposed to attack. But if you do want to disable SELinux on your system, follow these instructions. After the next reboot, SELinux is disabled and your system becomes a normal Linux machine.