How to set up SELinux on CentOS


SELinux enhances server security and brings a hardened security model to Linux systems. It is a security mechanism built into the Linux kernel, and distributions such as CentOS, RHEL, and Fedora ship with it by default.

Configuring SELinux, and learning to troubleshoot the access-related error messages it produces, greatly reduces security risk. SELinux restricts how server processes handle requests and how users interact with sockets, network ports, and other essential directories.

This post gives a clear view of the steps to set up SELinux on CentOS as part of our server management plan. You can also get 24/7 assistance from our technical support team for further migration and configuration.

Why it is essential to set up SELinux on CentOS 7

Before proceeding with the SELinux setup on CentOS 7, let us take a glance at the reasons for setting it up.

SELinux implements Mandatory Access Control (MAC). This sits on top of the Discretionary Access Control (DAC) that is present in every Linux distribution.

In the traditional security model there are three entities, User, Group, and Other (u, g, o), each with a combination of Read, Write, and Execute (r, w, x) permissions on a file.

If a user creates a file in their home directory, that user has read/write access to it, while the group and other entries can be denied access.

Use the following command to check the contents of the home directory:

# ls -l /home/tom/
output 
total 4
-rwxrw-r--. 1 tom tom 41 Aug 6 22:45 myscript.sh

Here you can grant or deny file permissions to other users or groups.

With SELinux, however, we can define what a user or process can do.

It keeps every process bound to its domain, so the process can interact only with the types of files that its domain is allowed to access.
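The "domain" and "type" labels mentioned above are SELinux security contexts of the form user:role:type:level; the trailing dot that ls prints after the permission bits (visible in the listing above) marks a file that carries such a context. The script below is an added example, not part of the original post: it pulls the type field out of constructed `ls -Z` and `ps -eZ` style lines for the web and FTP services this guide installs. The sample lines, PIDs and paths are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): extract the type/domain
# field from SELinux security contexts (user:role:type:level).

# Constructed `ls -Z` output as CentOS 7 prints it: the context is the
# fourth column, after the permission bits, owner and group.
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rwxrw-r--. tom  tom  unconfined_u:object_r:user_home_t:s0 /home/tom/myscript.sh'

# Constructed `ps -eZ` output: the process context is the first column.
SAMPLE_PS='system_u:system_r:httpd_t:s0 1234 ? 00:00:00 httpd
system_u:system_r:ftpd_t:s0 1301 ? 00:00:00 vsftpd'

# Print the type (third colon-separated field) of one context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# For each ls -Z line on stdin print "<path> <file type>".
file_types() {
    while read -r perms owner group ctx path; do
        [ -n "$ctx" ] || continue
        printf '%s %s\n' "$path" "$(context_type "$ctx")"
    done
}

# For each ps -eZ line on stdin print "<command> <process domain>".
process_domains() {
    while read -r ctx pid tty cputime cmd; do
        [ -n "$ctx" ] || continue
        printf '%s %s\n' "$cmd" "$(context_type "$ctx")"
    done
}

# Stand-alone run: the object types and subject domains that the policy
# rules relate for the services installed in this guide.
printf '%s\n' "$SAMPLE_LS" | file_types
printf '%s\n' "$SAMPLE_PS" | process_domains
```

On a real CentOS 7 host the same functions can be fed with `ls -Z /var/www/html | file_types` and `ps -eZ | process_domains`; the policy decides which domains (such as httpd_t) may access which file types (such as httpd_sys_content_t).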

We use a test server that runs both a web and an SFTP server. 

First, install CentOS 7 with the minimal package set, then install the Apache and vsftp daemons.

However, we will not configure either of these applications.

Create a test user account on the cloud server first, then install the SELinux-related packages.

Installing Apache and SFTP Services

First, log into the server as the root user and run the following command to install Apache:

# yum install httpd

Use the following command to start the daemon manually:

# service httpd start

Next, install vsftp:

# yum install vsftpd

Installing SELinux Packages

SELinux consists of many packages, some of which are installed by default. The following list applies to Red Hat-based distributions:

1. policycoreutils

2. policycoreutils-python

3. selinux-policy

4. selinux-policy-targeted

5. libselinux-utils

6. setroubleshoot-server

7. setools

8. setools-console

9. mcstrans

Run the following command to check which SELinux packages are installed on CentOS 7:

# rpm -qa | grep selinux

If not all of the packages are installed, run the following command with the package name:

# yum install package_name 

SELinux Modes

SELinux can run in one of the following three modes:

1. Enforcing

2. Permissive

3. Disabled

In enforcing mode, unauthorized access is denied, and access denials are written to the relevant log files.

Permissive mode is a semi-enabled state: it does not deny access, but every policy violation is logged to the audit logs.

So make sure to test SELinux before enforcing it.

Checking SELinux Modes and Status

To check the current SELinux mode, run the getenforce command:

# getenforce
or you can run the sestatus command:

# sestatus

SELinux Configuration File

The main configuration file for SELinux is /etc/selinux/config.

To view its contents, run the command:

# cat /etc/selinux/config

output 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Enabling and Disabling SELinux

Enabling SELinux is simple, but it should be done as a two-step process, first permissive and then enforcing, as described below. Make sure SELinux is currently disabled.

First, edit the /etc/selinux/config file and change the SELINUX directive to permissive mode:

# vi /etc/sysconfig/selinux

...
SELINUX=permissive
...

Reboot the system:

# reboot

After logging into the server again as root, search the contents of the /var/log/messages file for the string “SELinux is preventing”.

Run the command:

# cat /var/log/messages | grep "SELinux is preventing"

If no errors are found, great; move on to the next step.

Alternatively, we can search for any text containing “SELinux” in the /var/log/messages file.

Run the command:

# cat /var/log/messages | grep "SELinux"

If you receive only messages of the following kind, you can safely ignore them:

Mar 22 11:31:02 localhost kernel: SELinux: Initializing.
Mar 22 11:31:17 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:31:22 localhost journal: Unable to lookup SELinux process context: Invalid argument
Mar 22 11:33:20 localhost gnome-session: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
Mar 22 11:37:16 localhost kernel: SELinux: Initializing.
Mar 22 11:37:18 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:37:24 localhost journal: Unable to lookup SELinux process context: Invalid argument
Aug 20 11:37:45 localhost gnome-session: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
Mar 22 11:39:43 localhost kernel: SELinux: Initializing.
Mar 22 11:39:45 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:39:51 localhost journal: Unable to lookup SELinux process context: Invalid argument

These messages appear because SELinux was disabled or in permissive mode.
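A plain `grep "SELinux"` mixes the harmless informational lines above with real denial notices, and the denials are the ones that matter before switching to enforcing. The script below is an added example, not part of the original post: it separates the "SELinux is preventing" lines written by setroubleshoot from the informational ones and returns a non-zero status when any denial is present. The log lines are constructed for this example (the sealert id is a placeholder), not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): classify SELinux lines in
# /var/log/messages into denials and informational messages.

# Constructed sample of /var/log/messages; the sealert id is a placeholder.
SAMPLE_LOG='Mar 22 11:31:02 localhost kernel: SELinux: Initializing.
Mar 22 11:31:17 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:31:22 localhost journal: Unable to lookup SELinux process context: Invalid argument
Mar 22 11:33:20 localhost gnome-session: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
Mar 22 11:42:09 localhost systemd[1]: Successfully loaded SELinux policy in 183.302ms.
Mar 22 11:45:01 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html. For complete SELinux messages run: sealert -l PLACEHOLDER-UUID
Mar 22 11:45:03 localhost sshd[2210]: Accepted publickey for tom from 192.0.2.10 port 51822 ssh2'

# Print only the lines that report an access denial.
denials() {
    grep 'SELinux is preventing'
}

# Count denial lines on stdin (fixed-string match; always exits 0).
count_denials() {
    awk 'index($0, "SELinux is preventing") { n++ } END { print n + 0 }'
}

# Count SELinux-related lines that are informational, i.e. mention
# SELinux without reporting a denial (policy loading, runtime-disabled
# notices, the troubleshooter applet, and so on).
count_informational() {
    awk 'index($0, "SELinux") && !index($0, "SELinux is preventing") { n++ }
         END { print n + 0 }'
}

# Summarize the log on stdin; return 0 when there are no denials,
# 1 when at least one denial must be reviewed.
summarize() {
    log=$(cat)
    denied=$(printf '%s\n' "$log" | count_denials)
    info=$(printf '%s\n' "$log" | count_informational)
    printf 'informational SELinux lines: %s, denials: %s\n' "$info" "$denied"
    [ "$denied" -eq 0 ]
}

# Stand-alone run on the constructed log. On a real host use:
#   summarize < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | denials
if printf '%s\n' "$SAMPLE_LOG" | summarize; then
    echo 'no denials: safe to move to the next step'
else
    echo 'denials found: review them before switching to enforcing'
fi
```

Each denial line ends with a `sealert -l <id>` command (setroubleshoot-server is in the package list above); running it prints the full explanation of that denial and is the place to start when deciding whether the access is legitimate.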

In the second phase, change the SELINUX directive from permissive to enforcing by editing the /etc/sysconfig/selinux file:

# vi /etc/sysconfig/selinux
...
SELINUX=enforcing
...

Reboot the server:

# reboot

Once the server is back online, run the sestatus command to check the SELinux status:

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: error (Success)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Check the /var/log/messages file again:

# cat /var/log/messages | grep "SELinux"

The output should look like the following, with no errors:

Mar 22 11:42:06 localhost kernel: SELinux: Initializing.
Mar 22 11:42:09 localhost systemd[1]: Successfully loaded SELinux policy in 183.302ms.

Mar 22 11:44:25 localhost kernel: SELinux: Initializing.
Mar 22 11:44:28 localhost systemd[1]: Successfully loaded SELinux policy in 169.039ms.

Checking SELinux Modes and Status (Again)

To check the SELinux mode, run the getenforce command:

# getenforce

If the system is running in enforcing mode, you will see the following output:

Enforcing

The output will be different if SELinux is disabled:

Disabled

To get a better picture, run the sestatus command:

# sestatus

Output

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

When SELinux is disabled, the output will show:

SELinux status: disabled

Use the setenforce command to switch between enforcing and permissive modes temporarily.

Note: you cannot run setenforce when SELinux is disabled.

Use the following command to change the SELinux mode from enforcing to permissive on CentOS 7:

# setenforce permissive

Running the sestatus command will now show the difference between the current mode and the mode defined in the config file:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Run the following command to switch back to enforcing:

# setenforce enforcing
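The config file section and the setenforce steps above show two sources of truth for the mode: the SELINUX= directive, which applies at the next reboot, and the running mode reported by getenforce. The script below is an added example, not part of the original post: it reads the directive from a config file, compares it with the running mode, and flags the mismatch that sestatus shows after `setenforce permissive`, a typo in the directive, and a config that jumps straight from disabled to enforcing instead of going through permissive first. It runs against a constructed copy of /etc/selinux/config so that it works on any machine; on a CentOS host feed it the real file.

```shell
#!/bin/sh
# Added example (not from the original post): compare the configured
# SELinux mode (SELINUX= in the config file) with the running mode.

# Constructed copy of /etc/selinux/config as it looks after step one above.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted'

# Print the value of the SELINUX= directive from config text on stdin,
# ignoring comment lines and SELINUXTYPE=. The last directive wins.
# Prints "missing" when no directive is present.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${mode:-missing}"
}

# Running mode in lowercase: the value given as $1 (so the logic can be
# exercised off-box), otherwise getenforce, otherwise "disabled".
running_mode() {
    if [ -n "$1" ]; then
        mode=$1
    elif command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
    else
        mode=Disabled
    fi
    printf '%s\n' "$mode" | tr 'A-Z' 'a-z'
}

# Compare configured ($1) and running ($2) modes.
# Returns 0 when consistent, 1 on a mismatch (e.g. after setenforce),
# 2 when the config value is not enforcing/permissive/disabled, and
# 3 when the config goes straight from disabled to enforcing.
check_modes() {
    configured=$1
    running=$2
    case $configured in
        enforcing|permissive|disabled) ;;
        *)
            printf 'invalid SELINUX=%s in the config file; fix it before rebooting\n' "$configured"
            return 2 ;;
    esac
    if [ "$configured" = "$running" ]; then
        printf 'consistent: running and configured mode are both %s\n' "$running"
        return 0
    fi
    if [ "$running" = disabled ] && [ "$configured" = enforcing ]; then
        printf 'warning: config jumps from disabled straight to enforcing; set SELINUX=permissive first and check the logs after the reboot\n'
        return 3
    fi
    printf 'mismatch: running %s but the config file says %s; the config value applies at the next reboot\n' "$running" "$configured"
    return 1
}

# Stand-alone run against the constructed config and this host's mode.
# On a CentOS host use: cfg=$(configured_mode < /etc/selinux/config)
cfg=$(printf '%s\n' "$SAMPLE_CONFIG" | configured_mode)
status=0
check_modes "$cfg" "$(running_mode)" || status=$?
printf 'check exit status: %s\n' "$status"
```

The exit status makes the check usable from a post-reboot script or a monitoring job: anything other than 0 means the mode you will have after the next reboot is not the mode you are running now.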

Conclusion

In short, follow these steps to set up SELinux on CentOS 7. SELinux enhances server security and brings a hardened security model to Linux systems.
