Skip to main content

SELinux (Security advanced Linux)

 


What is SELinux?


Security enhanced Linux is the linux kernel security module that provides a mechanism for supporting access control security policies. including mandatory access controls.


It is the project of united states national security Agency and SElinux Community.

>>>>>>>>>>≥>>>>>>>>>>>

SELinux Options:


Enforcing: Enabled (enabledby default in redhat centos, Fedora)

Permissive: disabled but logs the activity.

Disable: disabled and not the activity logs.



>>>>>>>>>>>>>>>>>>>≥>>>>>>>>>>>>>

how to check the SElinux status?

#sestatus or getenforce


• SElinux setting:

#setenforce 0 = permissive/disable

# setenforce 1 = enable


but these changes are temporary. Once the server reboots, these settings will flush.



>>>>>>>>>>>>≥>>>>>>>>>>>>>>>


• Modify SELinux config file for permanent setting:

 # /etc/selinux/config

and make the following changes:

SELINUX = enforcing. if you want to enable SELINUX. 

SELINUX = disabled. if you want to disable SELINUX.

>>>>>>>>>>>>>>>>>>>>>>>

• before modifying selinux config file:

#create the snapshot of the VM and create the copy of the config file.


• Two main concepts of SElinux:

#Labelling: labelling has 4 parts = user: role: type: level

#Type Enforcement

>>>>>>>>>>>>>>>>>>>>>>>>>>>>

To list the label of the file:

#ls  -lZ /usr/sbin/httpd


•to list the label of the directory:

#ls -lZ /etc/httpd



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


As the webserver runs its process is labelled in memory as httpd_t:

# ps axZ | grep httpd


• SELinux assigns the label at socket level:

#netstat  -tnlpZ | grep http


• To get the list of all booleans:

# getsebool -a

# semanage boolean  -l


• To enable or turn on a booleans

#setsebool -P boolean_name on


• check the error messages related to selinux:

#journalctl



•to change the type in a label:

#chcon  -t   httpd_sys_content_t   filename

Or

#semanage  -t  httpd_sys_content_t  filename



• to check if httpd can connect to ftp or not?

# getsebool -a | grep httpd_can_connect_ftp



•to set the value to ON for httpd_can_connect_ftp

#setsebool  -P  httpd_can_connect_ftp  on


Comments

Popular posts from this blog

patching tasks

 Patching a Linux system is a critical task to ensure that the system remains secure, stable, and up-to-date with the latest features and fixes. Here’s a comprehensive guide to the tasks involved in Linux patching: 1. Pre-Patching Preparation Backup System : Ensure you have a full system backup, including critical data, configuration files, and applications. Test the backup to verify its integrity. Check Disk Space : Verify that you have enough disk space, particularly on /var , /tmp , and /boot partitions. Review Current Patch Level : Determine the current patch level and installed packages using package management tools like yum , apt , dpkg , or rpm . Check System Logs : Review system logs to identify any issues that might affect the patching process. Test in a Staging Environment : If possible, apply patches in a staging environment that mirrors production to identify potential issues. Notify Stakeholders : Inform stakeholders about the scheduled maintenance window and expecte...

Linux Prepatching tasks

 Pre-patching tasks in a Linux environment are critical to ensuring a smooth and successful patching process. These tasks help in minimizing downtime, preventing issues during the patching, and ensuring the system's stability. Here’s a checklist of common pre-patching tasks you should perform: 1. Backup Critical Data Full System Backup : Perform a full system backup, including configuration files, databases, and critical application data. Verify Backup Integrity : Ensure that the backup is complete and can be restored if necessary. 2. Review Patch Notes Understand the Patch : Review the release notes and documentation for the patches you plan to apply. Understand what is being updated and any potential impact on your system. Check Dependencies : Verify that all dependencies for the patches are met, including hardware, software, and configuration requirements. 3. Check System Health Disk Space : Ensure there is sufficient disk space available, especially on /var , /tmp , and /boot ...