One way to enhance your Linux system's security is to add an extra security layer using SELinux. With Security-Enhanced Linux (SELinux), the applications on your Linux system are isolated from each other, which protects the host system. By default, Ubuntu uses AppArmor, a Mandatory Access Control system that enhances security, but you can use SELinux to achieve the same.
SELinux is beneficial: in case of a security breach on your system, it prevents the breach from spreading. Moreover, it protects web servers, depending on the mode you set for SELinux. This guide offers a hands-on tutorial on how to disable AppArmor, install SELinux, enable the different modes, and disable SELinux.
Getting Started with SELinux
Note that before you proceed with SELinux, there is a risk in using it, especially since it can render your system unusable. So, only use it if you must and where it is applicable. Besides, it's always safer to disable AppArmor before installing SELinux.
To disable AppArmor, run the following commands. The first stops the running service and the second keeps it from starting again at boot:
$ sudo systemctl stop apparmor
$ sudo systemctl disable apparmor
Once AppArmor stops, restart your system.
How to Install SELinux on Ubuntu
Once you disable or remove AppArmor, open your terminal and run the following commands to install SELinux.
$ sudo apt update
$ sudo apt install policycoreutils selinux-utils selinux-basics
Once the installation is successful, you need to activate the tool. You can do that using the following command:
$ sudo selinux-activate
Enabling SELinux Modes on Ubuntu
There are three different modes that you can use with SELinux. The first is disabled, which does what its name says: it turns off the SELinux service. When SELinux is activated, you can set it to permissive or enforcing mode. In permissive mode, interactions are only monitored. If you want interactions to be filtered as well as monitored, use enforcing mode.
Let’s start by setting the enforcing mode. Use the following command:
$ sudo selinux-config-enforcing
Alternatively, you can use the setenforce command to set the enforcing mode. The command for this is as follows:
$ sudo setenforce 1
Once you set the mode, you need to reboot your system for it to take effect.
$ reboot
Note that the relabelling process starts during the restart. The system reboots normally once it is complete. During relabelling, you should see a warning message on the screen.
After a successful reboot, you can run the following command to check the SELinux status. It should be set to enforcing.
$ sestatus
The enforcing mode is the default set by SELinux. In this state, most if not all the requests get blocked. The solution is to select the permissive mode, which logs all the violated rules. You can check the log file for details.
To set the permissive mode, use the following command:
$ sudo setenforce 0
Go ahead and check the mode using the sestatus command or the getenforce command:
$ sestatus
or
$ getenforce
With getenforce, you will only see the name of the current mode, while sestatus shows more details about the currently set mode.
Note that you must restart the system to switch between the two modes. Besides, you can view the set modes from the /etc/sysconfig/selinux file.
As we noted, the permissive mode is more flexible and won’t necessarily block all the requests. Instead, it keeps a log file when the rules get violated. To access the log file, you can use the following command:
$ sudo grep selinux /var/log/audit/audit.log
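To make the logged violations easier to read, here is an added example (not part of the original guide) that groups SELinux denial records by process, source type, target type, object class and permission. It assumes the standard `type=AVC` record layout of the audit log; the function name `summarize_avc` is hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit-log text.
# SAMPLE_AVC is constructed sample data, not output from a real system.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=911 comm="nginx" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes comm="nginx"
type=AVC msg=audit(1700000009.330:215): avc:  denied  { read } for  pid=911 comm="nginx" name="about.html" dev="sda1" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000050.007:310): avc:  denied  { read open } for  pid=1502 comm="sshd" path="/etc/shadow" dev="sda1" ino=777 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# summarize_avc (hypothetical helper): reads audit records on stdin and prints
#   <count> <comm> <source_type> -> <target_type> <tclass> {perms} <mode>
# mode is "logged-only" when the record carries permissive=1, else "enforced".
summarize_avc() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      comm = src = tgt = cls = perm = ""; mode = "enforced"
      # The denied permissions sit between "{ " and " }".
      if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        if ($i == "permissive=1") mode = "logged-only"
      }
      n[comm " " src " -> " tgt " " cls " {" perm "} " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live system, pipe the log in with `sudo cat /var/log/audit/audit.log | summarize_avc`. Records marked logged-only were allowed under permissive mode and would be blocked under enforcing mode.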
How to Disable SELinux
We've seen how to enable and set the different SELinux modes. But how about disabling it? The best option is to disable it permanently from the config file. For this, open the file using an editor like nano, as shown in the following command, and then change the mode from enforcing to disabled:
$ sudo nano /etc/selinux/config
Once opened, look for the SELINUX=enforcing line and change it to SELINUX=disabled.
Conclusion
AppArmor is the extra security layer in Ubuntu and other Linux systems. However, if you prefer using SELinux, we've covered how you can install it, enable it, and use its different modes. Before installing SELinux, make sure you disable AppArmor and restart the system. Also, proceed with caution when using SELinux to avoid breaking your system.