SELinux for Beginners using CentOS

Developed by the NSA to prevent malevolent access and intrusions, Security-Enhanced Linux or SELinux is an advanced access control feature that ships with most modern Linux distros. SELinux is defined as the Mandatory Access Control (MAC) system developed as a replacement for the Discretionary Access Control system (DAC).

SELinux can seem daunting and very hard to implement in most modern systems. However, configuring SELinux has huge benefits both in enforcing security and troubleshooting.

This tutorial will discuss various concepts implemented by SELinux and explore various practical methods of implementing SELinux.

NOTE: Before we begin, it is good to use the commands in this tutorial as the root user or a user within the sudoers group.

Install SELinux Packages

Let us install various SELinux packages, which in turn will help to work with SELinux policies.

Before we proceed to install the SELinux packages, it is good we verify which are installed on the current system.

In most installations of REHL distributions, some packages are installed by default. These packages include:

setools – this package is used for monitoring logs, querying policies, and context file management.
policycoreutils-python – provides python core utilities for managing SELinux
policycoreutils – this package also provides utilities for managing SELinux.
mcstrans – mcstrans provides SELinux translation daemon, which translates various levels into easy formats which can be understood easily.
setools-console – similar to setools.
Selinux-policy – it provides a reference for configuring SELinux policy
Selinux-policy-targeted – similar to SELinux-policy
Libselinux-utils – SELinux libselinux utilities which help to manage SELinux
Setroubleshoot-server – tools for troubleshooting SELinux

To verify which packages are already installed on your system, you can use the rpm –qa command and pipe the result to grep for SELinux as:

rpm –qa | grep selinux
libselinux-utils-2.9-4.el8_3.x86_64
rpm-plugin-selinux-4.14.3-4.el8.x86_64
selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
python3-libselinux-2.9-4.el8_3.x86_64
selinux-policy-3.14.3-54.el8_3.2.noarch
libselinux-2.9-4.el8_3.x86_64

This should give you an output of all the packages installed for SELinux support

If not all the SELinux packages are installed on your system, use yum to install them as shown in the command below:

yum install policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans

SELinux Modes and States

Let us now start playing with SELinux, specifically, SELinux modes.

SELinux Modes

When enabled, SELinux can be three possible modes:

Enforcing
Permissive
Disabled

Enforcing Mode

If SELinux mode to enforce, it will ensure that no unauthorized access to the system by any user or processes is denied. Enforcing mode also keeps logs of any attempts of unauthorized access.

Permissive Mode

Permissive mode acts like a partially enabled SELinux state. In this mode, no access is denied as SELinux does not enforce its policies in this mode. However, the permissive mode does keep a log of any policy violation attempts. This mode is very efficient for testing before enabling it fully as users and components can still interact with the system but still collecting logs. This allows you to fine-tune your system in ways you see fit.

Disabled Mode

The disabled mode can also be seen as a disabled state in which SELinux is disabled and does not offer any Security.

SELinux States

Once SELinux is installed on a system. It can have binary states: enabled and disabled. To view the state of SELinux, use the command:

getenforce
Disabled

The above output indicates that SELinux is currently disabled.

You can also use the sestatus command as shown below:

sestatus
SELinux status: disabled

Enable and Disable SELinux

States and configuration of SELinux are handled by the Configuration file located in /etc/selinux/config. You can use the cat command to view its contents.

cat /etc/selinux/config
#This file controls the state of SELinux on the system.
#SELINUX= can take one of these three values:
#enforcing - SELinux security policy is enforced.
#permissive - SELinux prints warnings instead of enforcing.
#disabled - No SELinux policy is loaded.
SELINUX=enforcing
#SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

From the above output, we have two main directives enabled. The SELINUX directive specified the mode in which SELinux is configured. The SELINUXTYPE directive specifies the SELinux policy set. By default, SELinux uses a targeted policy that allows you to customize access control permissions. The other policy is Multilevel security or MLS.

You may find, minimum policy in some versions.

cd /etc/selinux/
[ls -l
total 4
-rw-r--r-- 1 root root 548 Feb 16 22:40 config
drwxr-xr-x 1 root root 4096 Feb 16 22:43 mls
-rw-r--r-- 1 root root 2425 Jul 21 2020 semanage.conf
drwxr-xr-x 1 root root 4096 Feb 16 22:40 targeted

Let us now see how to enable SELinux on the system. We recommend first set the SELINUX mode to permissive and not enforced.

nano /etc/selinux/config

Now edit the SELINUX directive as:

SELINUX=permissive

Once you save the file, issue a system reboot.

reboot

NOTE: We highly recommend setting the SELINUX directive to permissive before enforcing SELinux.

Once you reboot the system, check for any logs reported by SELinux in /var/log/messages.

Next, ensure you have no errors and enforce SELinux by setting the directive to enforce in /etc/selinux/config

Finally, you can view the SELinux status using the sestatus command:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: error (Success)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual(secure)
Max kernel policy version: 31

You can also use the setenforce command to switch between various SELinux modes. For example, to set the mode to permissive, use the command:

setenforce permissive

This mode is temporary and will be restored to one in the config file after a reboot.

sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual(secure)
Max kernel policy version: 31

SELinux Policy and Context

To avoid confusion for SELinux beginners, we will not dive deep into how SELinux policies are implemented but simply touch on it to give you an idea.

SELinux works by implementing security policies. An SELinux policy refers to a rule that is used to define access rights for every object in the system. Objects refer to users, processes, files, and roles.

Each context is defined in the form of the user:role:type:level.

For example, create a directory in your home directory and view its SELinux security context as shown in the commands below:

mkdir ~/linuxhint_dir
ls –Z ~/ | grep linuxhint

This will display output as shown below:

unconfined_u:object_r:user_home_t:s0 linuxhint_dir

You may also find other directories with the security contexts as:

system:_u:object_r:user_home_t:s0

You may realize the above output follows the syntax of the user:role:type:level.

Conclusion

That was a beginner’s tutorial to SELinux using CentOS 8. Although the tutorial is designed for beginners, it is more than enough to get your feet running in SELinux and remove the intimidating nature of SELinux.

Thank you for reading.