Tech Junkie Blog - Real World Tutorials, Happy Coding!: Linux CentOS In-Depth: Securing Your System With SELinux, Enabling SELinux in Enforcing Mode (Part 1)

Monday, January 21, 2019

Linux CentOS In-Depth: Securing Your System With SELinux, Enabling SELinux in Enforcing Mode (Part 1)

Security Enhanced Linux (SELinux) is a set of kernel medications developed by the NSA and later distributed to the public to secure computer systems.  Most people would disable it on install because it's a pain to work with.  But, if configured correctly it could harden your system considerably.

First let's install all the packages that we need for SELinux with the following yum command

yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans















Select "y" when asked for a confirmation.

Now we want to see if SELinux is enabled by getting the status with this command

getenforce | sestatus














As we can see SELinux is enabled on our system.  Currently it is enabled at the highest level which is enforcing.

There are security mode in SELinux, they are the following:

  • Enforcing - In this mode all access from users or processes that are not authorized are denied, and the even will be logged.
  • Permissive - In this mode as the name implies is permission meaning non of the access is denied.  This will be the mode we start out with because we want to test and SELinux using this mode.
  • Disabled - Means SELinux is not enabled.
The first we want to do is set the security mode to "Permissive" so that we can setup and configure SELinux.

Open the file /etc/selinux/config with your favorite editor and change the line SELinux=enforcing to SELinux=permissive so that all files can be labeled



















To get into Permissive mode you have to reboot the system type in the command reboot now






Now let's check to see that the Permissive mode was successful with the command grep 'SELinux' /var/log/messages




The next step is to change /etc/selinux/config file back to SELINUX back to enforcing, then reboot the system again.


















6 comments:

Search This Blog