
SELinux (Security-Enhanced Linux)

 


What is SELinux?


Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for enforcing access control security policies, including mandatory access control (MAC).


It is a project of the United States National Security Agency (NSA) and the SELinux community.

>>>>>>>>>>>>>>>>>>>>>>

SELinux modes:


Enforcing: enabled; the policy is enforced (the default on Red Hat, CentOS and Fedora).

Permissive: the policy is not enforced, but denials are still logged.

Disabled: the policy is not enforced and nothing is logged.



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

How to check the SELinux status?

# sestatus  (full status, including the configured vs. current mode)

# getenforce  (current mode only)


• SELinux setting:

# setenforce 0 = permissive (policy not enforced, denials still logged)

# setenforce 1 = enforcing


These changes are temporary: once the server reboots, the mode falls back to whatever /etc/selinux/config says.



>>>>>>>>>>>>>>>>>>>>>>>>>>>>


• Modify the SELinux config file for a permanent setting:

# vi /etc/selinux/config

and make the following change (no spaces around the "=", the file is read as shell-style KEY=VALUE):

SELINUX=enforcing   if you want to enable SELinux.

SELINUX=disabled    if you want to disable SELinux.

>>>>>>>>>>>>>>>>>>>>>>>

• Before modifying the SELinux config file:

# create a snapshot of the VM and a copy of the config file.
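The "copy the config file, then change SELINUX=" steps above, as an added example that is not part of the original notes. It keeps a .bak copy, rejects any value other than the three the file accepts, and rewrites only the active SELINUX= line. The config path is passed in as an argument so the script can be exercised on a constructed copy of /etc/selinux/config rather than the live file (the sample file content is constructed to match the real layout).

```shell
#!/bin/sh
# Added example, not from the original notes. Assumptions: $1 is the config
# file to edit (a constructed copy in the demo below), $2 is the wanted mode.
set -eu

# set_selinux_mode CONFIG_FILE MODE -> rewrites SELINUX=<MODE>, keeps CONFIG_FILE.bak
set_selinux_mode() {
    cfg=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode (expected enforcing|permissive|disabled)" >&2; return 1 ;;
    esac
    # the "copy of the config file" step: always keep the previous version
    cp -p "$cfg" "$cfg.bak"
    if grep -q '^SELINUX=' "$cfg"; then
        # rewrite only the active SELINUX= line; the commented examples stay untouched
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# selinux_config_mode CONFIG_FILE -> the mode the system will boot into next time
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# make_sample_config FILE -> constructed copy mirroring the layout of /etc/selinux/config
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# usage on a constructed copy, never on the live file:
demo_config=$(mktemp)
make_sample_config "$demo_config"
set_selinux_mode "$demo_config" permissive
echo "configured mode: $(selinux_config_mode "$demo_config")"   # permissive
rm -f "$demo_config" "$demo_config.bak"
```

Note that selinux_config_mode reports the configured (next-boot) mode, which is what `sestatus` shows as "Mode from config file"; the running mode is still what `getenforce` reports until the reboot.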


• Two main concepts of SELinux:

# Labelling: every label has 4 parts = user:role:type:level

# Type Enforcement: the policy rules decide what a process of one type may do to objects of another type.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>

• To list the label of a file:

# ls -lZ /usr/sbin/httpd


• To list the label of a directory:

# ls -ldZ /etc/httpd



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


As the web server runs, its process is labelled in memory with the httpd_t domain:

# ps axZ | grep httpd


• SELinux also assigns a label at the socket level:

# netstat -tnlpZ | grep http
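An added example (not from the original notes) of pulling the four label fields out of `ls -Z` and `ps axZ` output. The lines are constructed here to match the column layout of those commands, so it runs on a machine without SELinux; the level field is handled separately because on MLS/MCS systems it can itself contain colons (for example s0-s0:c0.c1023), which a plain `cut -f4` would truncate.

```shell
#!/bin/sh
# Added example, not from the original notes. The sample lines below are
# constructed to look like `ls -lZ`, `ls -dZ` and `ps axZ | grep httpd` output.

# label_field CONTEXT N -> N-th field of user:role:type:level (N in 1..4)
label_field() {
    case "$2" in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;    # level may contain ':' (s0-s0:c0.c1023)
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# label_type CONTEXT -> the type field, the part type enforcement decides on
label_type() {
    label_field "$1" 3
}

# context_from_ls LINE -> the context column (5th field) of `ls -Z` output
context_from_ls() {
    printf '%s\n' "$1" | awk '{print $5}'
}

# context_from_ps LINE -> the context column (1st field) of `ps -Z` output
context_from_ps() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Constructed sample lines (sizes, dates and pid are made up)
sample_ls='-rwxr-xr-x. 1 root root system_u:object_r:httpd_exec_t:s0 565656 Jan  1 00:00 /usr/sbin/httpd'
sample_dir='drwxr-xr-x. 5 root root system_u:object_r:httpd_config_t:s0 4096 Jan  1 00:00 /etc/httpd'
sample_ps='system_u:system_r:httpd_t:s0     1234 ?        Ss     0:00 /usr/sbin/httpd -DFOREGROUND'

# usage: show how the binary's file type and the running process domain relate
echo "binary type    : $(label_type "$(context_from_ls "$sample_ls")")"    # httpd_exec_t
echo "config dir type: $(label_type "$(context_from_ls "$sample_dir")")"   # httpd_config_t
echo "process domain : $(label_type "$(context_from_ps "$sample_ps")")"    # httpd_t
```

The binary carries the httpd_exec_t type on disk, and the policy's domain transition is what turns a process started from it into the httpd_t domain seen in `ps axZ`.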


• To get the list of all booleans:

# getsebool -a

# semanage boolean -l


• To enable (turn on) a boolean permanently:

# setsebool -P boolean_name on


• Check the error messages (AVC denials) related to SELinux:

# journalctl
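An added example (not from the original notes) that picks the AVC denial lines out of journal output and summarises each as permission, command, source type, target type, object class and whether it was actually blocked. The journal excerpt is constructed here in the kernel's audit line format so the script runs anywhere; on a real host the input would be piped in from `journalctl`.

```shell
#!/bin/sh
# Added example, not from the original notes. The journal excerpt is
# constructed (hostnames, pids and timestamps are made up) in the shape of
# the kernel's "avc:  denied" audit lines.

sample_journal='Jan 01 00:00:01 web1 kernel: audit: type=1400 audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jan 01 00:00:02 web1 sshd[900]: Accepted publickey for admin from 10.0.0.5 port 50000
Jan 01 00:00:03 web1 kernel: audit: type=1400 audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1'

# avc_summary < journal-lines -> one line per denial:
#   <permission> <comm> <source type> <target type> <class> <enforced|permissive>
avc_summary() {
    grep 'avc:  denied' | awk '{
        perm = ""; comm = ""; s = ""; t = ""; cls = ""; mode = "enforced"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)                     # "{ read }" -> read
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s); split(s, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t); split(t, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
            if ($i == "permissive=1") mode = "permissive"     # logged only, not blocked
        }
        print perm, comm, s, t, cls, mode
    }'
}

# denial_count < journal-lines -> number of AVC denials in the input
denial_count() {
    avc_summary | wc -l | tr -d ' '
}

# usage:
printf '%s\n' "$sample_journal" | avc_summary
# read httpd httpd_t user_home_t file enforced
# name_connect httpd httpd_t ftp_port_t tcp_socket permissive
```

The second denial is the shape that the httpd_can_connect_ftp boolean later in these notes addresses (httpd_t trying to name_connect to ftp_port_t); the permissive=1 marker tells you the access was logged but not blocked, which is how a permissive-mode server behaves.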



• To change the type in a label:

# chcon -t httpd_sys_content_t filename   (temporary: lost on a relabel)

Or, to make it permanent, record the rule and then apply it:

# semanage fcontext -a -t httpd_sys_content_t '/path/to/filename'

# restorecon -v /path/to/filename



• To check whether httpd is allowed to connect to FTP:

# getsebool -a | grep httpd_can_connect_ftp


• To set httpd_can_connect_ftp to on:

# setsebool -P httpd_can_connect_ftp on
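An added example (not from the original notes) that turns the two boolean commands above into a drift check: it compares `getsebool -a` output against a small desired baseline and prints the `setsebool -P` lines that would bring the host back into line, without running them. The getsebool output is constructed here (same "name --> value" layout) so the check runs without SELinux; the baseline values are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes. getsebool output and the
# baseline below are constructed; the boolean names are real httpd booleans.

# Constructed excerpt of `getsebool -a`
sample_getsebool='httpd_can_connect_ftp --> off
httpd_can_network_connect --> off
httpd_enable_homedirs --> on
httpd_use_nfs --> off'

# Desired states, one "name value" per line (constructed baseline)
baseline='httpd_can_connect_ftp on
httpd_can_network_connect off
httpd_enable_homedirs off'

# boolean_state NAME < getsebool-output -> on|off, or nothing if the boolean is not listed
boolean_state() {
    awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }'
}

# boolean_drift < getsebool-output -> "name actual wanted" for every mismatch
boolean_drift() {
    actual=$(cat)
    printf '%s\n' "$baseline" | while read -r name wanted; do
        got=$(printf '%s\n' "$actual" | boolean_state "$name")
        [ "$got" = "$wanted" ] || printf '%s %s %s\n' "$name" "${got:-missing}" "$wanted"
    done
}

# fix_commands < getsebool-output -> the setsebool -P commands that would remove
# the drift (printed for review, not executed; unknown booleans are skipped)
fix_commands() {
    boolean_drift | awk '$2 != "missing" { printf "setsebool -P %s %s\n", $1, $3 }'
}

# usage:
printf '%s\n' "$sample_getsebool" | boolean_drift
# httpd_can_connect_ftp off on
# httpd_enable_homedirs on off
printf '%s\n' "$sample_getsebool" | fix_commands
```

On a real host replace the constructed `sample_getsebool` with `getsebool -a` and keep the baseline in version control, so a boolean flipped by hand with `setsebool -P` shows up as drift at the next check.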

