
SELinux (Security-Enhanced Linux)

 


What is SELinux?


Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC).


It was originally a project of the United States National Security Agency (NSA) and is now maintained together with the SELinux community.

>>>>>>>>>>>>>>>>>>>>>>

SELinux Options:


Enforcing: enabled; the policy is enforced (the default on Red Hat, CentOS and Fedora).

Permissive: the policy is not enforced, but the activity that would have been denied is still logged.

Disabled: SELinux is turned off and nothing is logged.



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

How to check the SELinux status?

# sestatus

# getenforce


• SELinux setting (runtime mode):

# setenforce 0 = permissive (SELinux stays loaded; denials are only logged)

# setenforce 1 = enforcing


These changes are temporary. Once the server reboots, the mode reverts to the value set in the config file.



>>>>>>>>>>>>>>>>>>>>>>>>>>>>


• Modify the SELinux config file for a permanent setting:

Edit /etc/selinux/config

and make the following change (no spaces around the "="):

SELINUX=enforcing    if you want to enable SELinux.

SELINUX=disabled     if you want to disable SELinux.

>>>>>>>>>>>>>>>>>>>>>>>

• Before modifying the SELinux config file:

Take a snapshot of the VM and make a backup copy of the config file.
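The two steps above (keep a copy of the config file, then change SELINUX=) can be scripted so that only a valid mode is accepted and a backup is always written first. This is an added example written for this page, not a script from the original post; it works on a constructed copy of the config file so it can be run anywhere, and on a real host the path passed in would be /etc/selinux/config.

```shell
#!/bin/sh
# Added example: change the persistent SELinux mode in a config file safely.
# demo_config() writes a constructed sample; on a real host pass /etc/selinux/config.

# Print the value of the uncommented SELINUX= line in a config file.
selinux_config_mode() {
    # $1 = path to the config file
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= in file $1 to mode $2. The mode is validated first and a
# timestamped backup is kept beside the file. Returns 1 on an invalid mode.
set_selinux_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode (use enforcing, permissive or disabled)" >&2
           return 1 ;;
    esac
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # Only the uncommented SELINUX= line is changed; SELINUXTYPE= is left alone.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Write a constructed sample config (same layout as a stock file) to a temp
# file and print its path, so the functions above can be exercised offline.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    echo "$f"
}
```

Editing the file only takes effect after the next reboot; setenforce changes the running mode immediately. Moving between enforcing and permissive does not need a reboot, but moving to or from disabled does.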


• Two main concepts of SELinux:

Labelling: every label has four parts = user:role:type:level

Type Enforcement: the policy rules that decide which process types may access which object types.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>

To list the label of a file:

# ls -lZ /usr/sbin/httpd


• To list the label of a directory:

# ls -lZ /etc/httpd
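To make the four-part label and the ls -lZ output above concrete, here is an added example (not from the original post) that splits a label into user, role, type and level and extracts the type from a line of ls -lZ output. The sample ls -lZ lines are constructed for the demo, and httpd_readable is this example's own simplified check, not a query of the loaded policy.

```shell
#!/bin/sh
# Added example: split an SELinux label into its parts and read the type
# out of `ls -lZ` output. Sample lines below are constructed, not captured.

# Print one field of a user:role:type:level label.
# $1 = label, $2 = field name (user, role, type or level).
label_field() {
    case "$2" in
        user)  n=1 ;;
        role)  n=2 ;;
        type)  n=3 ;;
        level) n=4 ;;
        *) echo "unknown field: $2" >&2; return 1 ;;
    esac
    # The level may itself contain ':' (e.g. s0:c1,c2), so take field 4 onward.
    if [ "$n" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$n"
    fi
}

# Given one line of `ls -lZ` output, print the type part of its label.
# The label is the 5th whitespace-separated field: mode links user group label ...
ls_z_type() {
    label=$(printf '%s\n' "$1" | awk '{print $5}')
    label_field "$label" type
}

# Simplified check (this example's own, not a policy lookup): does the file's
# type match one of the content types the targeted policy lets httpd read?
httpd_readable() {
    case "$(ls_z_type "$1")" in
        httpd_sys_content_t|httpd_sys_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample `ls -lZ` lines: a correctly labelled file and a file
# copied from a home directory that kept its user_home_t label.
SAMPLE_OK='-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 1234 Jan  1 12:00 index.html'
SAMPLE_BAD='-rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 5678 Jan  1 12:00 index.html'
```

The second sample is the classic case behind most web server "permission denied" errors under SELinux: the Unix mode bits are fine, but the file carries a type httpd_t is not allowed to read.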



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


While the web server is running, its process is labelled httpd_t in memory:

# ps axZ | grep httpd


• SELinux also assigns a label at the socket level:

# netstat -tnlpZ | grep http


• To get the list of all booleans:

# getsebool -a

# semanage boolean  -l


• To enable (turn on) a boolean permanently (-P):

# setsebool -P boolean_name on


• Check the error messages related to SELinux:

# journalctl
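journalctl shows the raw messages; the useful parts of an SELinux denial are the source type, the target type, the object class and the permission that was refused. The following added example (not from the original post) pulls those out of AVC lines in the format written to the audit log. The two log lines are constructed, and avc_hint is this example's own heuristic for deciding whether a denial looks like a mislabelled file or something to handle with a boolean or a policy change.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denial lines. Both sample lines are
# constructed; on a real host they come from /var/log/audit/audit.log.

# Print the value of key=value (quoted or not) from an AVC line.
# $1 = log line, $2 = key (comm, scontext, tcontext, tclass, permissive ...)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the permission(s) inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p'
}

# One-line human summary: process (source type) denied perm on class labelled type.
avc_summary() {
    line=$1
    mode=enforced
    if [ "$(avc_field "$line" permissive)" = "1" ]; then
        mode="permissive, logged only"
    fi
    printf '%s (%s) denied %s on %s labelled %s [%s]\n' \
        "$(avc_field "$line" comm)" \
        "$(avc_field "$line" scontext | cut -d: -f3)" \
        "$(avc_permission "$line")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" tcontext | cut -d: -f3)" \
        "$mode"
}

# Heuristic (this example's own): a denial on a file/dir whose type is not an
# httpd_* type usually means the file is mislabelled (fix the label); anything
# else points at a boolean such as httpd_can_connect_ftp or a policy change.
avc_hint() {
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    case "$tclass" in
        file|dir|lnk_file)
            case "$ttype" in
                httpd_*) echo "boolean-or-policy" ;;
                *)       echo "relabel" ;;
            esac ;;
        *) echo "boolean-or-policy" ;;
    esac
}

# Constructed sample AVC lines (timestamps, pids and inode numbers are made up).
AVC_FILE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC_PORT='type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1240 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1'
```

On a real host, pipe in lines from ausearch -m AVC or grep "avc: " from the audit log. The second sample is exactly the situation the httpd_can_connect_ftp boolean at the end of this post exists for.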



• To change the type in a label (temporary; a relabel resets it):

# chcon -t httpd_sys_content_t filename

Or, permanently, record the mapping in the policy and then apply it:

# semanage fcontext -a -t httpd_sys_content_t '/path/to/dir(/.*)?'

# restorecon -Rv /path/to/dir



• To check whether httpd is allowed to connect to FTP:

# getsebool -a | grep httpd_can_connect_ftp



• To set httpd_can_connect_ftp to ON:

# setsebool -P httpd_can_connect_ftp on

