
SELinux (Security-Enhanced Linux)

 


What is SELinux?


Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control.


It is a project of the United States National Security Agency and the SELinux community.

>>>>>>>>>>>>>>>>>>>>>>>

SELinux Options:


Enforcing: enabled (enabled by default in Red Hat, CentOS and Fedora).

Permissive: policy is not enforced, but denials are still logged.

Disabled: policy is not enforced and nothing is logged.



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

How to check the SELinux status?

# sestatus

# getenforce


• SELinux setting:

# setenforce 0 = permissive (enforcement disabled)

# setenforce 1 = enforcing (enabled)


But these changes are temporary: once the server reboots, the setting is lost and the mode from the config file is used again.



>>>>>>>>>>>>>>>>>>>>>>>>>>>>


• Modify the SELinux config file for a permanent setting:

# /etc/selinux/config

and make the following change (the key is written without spaces around the =):

SELINUX=enforcing if you want to enable SELinux.

SELINUX=disabled if you want to disable SELinux.

>>>>>>>>>>>>>>>>>>>>>>>

• Before modifying the SELinux config file:

# create a snapshot of the VM and a copy of the config file.


• Two main concepts of SELinux:

# Labelling: a label has 4 parts = user:role:type:level

# Type Enforcement
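The two steps above (back up the config file, then change the persistent SELINUX= mode) and the four-part label format, as an added shell example that is not part of the original post. It assumes the config path defaults to /etc/selinux/config; the demo at the bottom works on a constructed temporary copy, never the real file.

```shell
#!/bin/sh
# Added example, not from the original post: change the persistent SELinux mode
# in the config file safely (backup first) and split a label into its 4 parts.
# Assumption: the config path defaults to /etc/selinux/config; the demo at the
# bottom uses a constructed temporary copy instead of the real file.

# set_selinux_mode <enforcing|permissive|disabled> [config-file]
# Backs the file up, rewrites the active SELINUX= line and prints the result.
set_selinux_mode() {
    mode=$1
    cfg=${2:-/etc/selinux/config}
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode '$mode' (use enforcing, permissive or disabled)" >&2
           return 1 ;;
    esac
    [ -f "$cfg" ] || { echo "missing config file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    # Only the uncommented SELINUX= line is replaced; comment lines stay as they are.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place (not mv): this keeps the owner, mode and SELinux label
    # of the original file instead of inheriting those of the temp file.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
    grep '^SELINUX=' "$cfg"
}

# label_part <user:role:type:level> <user|role|type|level>
# The level may itself contain colons (e.g. s0-s0:c0.c1023), so it is taken as
# everything from the fourth field onward.
label_part() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) echo "unknown label part: $2" >&2; return 1 ;;
    esac
}

# Demo on a constructed sample config (the real /etc/selinux/config is untouched).
demo_cfg=$(mktemp)
printf '# This file controls the state of SELinux on the system.\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
set_selinux_mode permissive "$demo_cfg"                   # prints SELINUX=permissive
label_part system_u:object_r:httpd_sys_content_t:s0 type  # prints httpd_sys_content_t
rm -f "$demo_cfg" "$demo_cfg".bak.*
```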

>>>>>>>>>>>>>>>>>>>>>>>>>>>>

• To list the label of a file:

# ls -lZ /usr/sbin/httpd


• To list the label of a directory:

# ls -lZ /etc/httpd



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


• As the web server runs, its process is labelled in memory as httpd_t:

# ps axZ | grep httpd


• SELinux also assigns a label at the socket level:

# netstat -tnlpZ | grep http


• To get the list of all booleans:

# getsebool -a

# semanage boolean  -l


• To enable (turn on) a boolean persistently:

# setsebool -P boolean_name on


• To check the error messages related to SELinux:

# journalctl



• To change the type in a label:

# chcon -t httpd_sys_content_t filename

Or, to make the change persistent (a chcon label is lost when the file system is relabelled), record the context with semanage and then apply it:

# semanage fcontext -a -t httpd_sys_content_t filename

# restorecon -v filename



• To check whether httpd is allowed to connect to FTP:

# getsebool -a | grep httpd_can_connect_ftp



• To set httpd_can_connect_ftp to on:

# setsebool -P httpd_can_connect_ftp on

