The NSA originally developed Security-Enhanced Linux (SELinux) as a set of Linux kernel patches that used Linux Security Modules to implement mandatory access controls within the Linux kernel.
Through security policies, SELinux defines access controls for applications, processes and files. When an application or process attempts to access an object (such as a file), SELinux runs a check against the Access Vector Cache. If everything checks out, SELinux grants permission to the object. If the check fails, the system denies access.
SELinux is a fairly complex system and can cause problems for Linux system admins. However, if you understand a few SELinux commands, you can mitigate these headaches.
Set SELinux status
The first command to know is the one that sets the SELinux status: setenforce. With this command, you can change the SELinux status to any one of the following:
- disabled: SELinux is disabled
- permissive: SELinux prints warnings instead of enforcing policies
- enforcing: SELinux enforces security policies
To find out the current status of SELinux, issue the sudo sestatus command.
You should see a line printed out like:
SELinux status: STATUS
Where STATUS is either enabled or disabled.
Another line you should see is:
Current mode: MODE
Here, MODE is either disabled, permissive or enforcing.
Another way of viewing the status of SELinux is to issue the getenforce command.
If you decide to set the SELinux status to disabled, you'd issue the command:
sudo setenforce disabled
To set the status to permissive, the command would be:
sudo setenforce permissive
Finally, to set the status to enforcing, the command would be:
sudo setenforce enforcing
Once you've changed the status, you must then reboot the machine for the change to take effect.
There's one caveat to this SELinux command. If you set the SELinux status to disabled, the only way to enable it again is to open the necessary configuration file and manually change the status to either permissive or enforcing.
To open the file for editing, issue the sudo nano /etc/selinux/config command.
Then, change the line:
Once you've made the change, reboot the machine.
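The status procedure above as an added shell example, not code from the original article: it reads the running mode and the mode configured for the next boot, switches the running mode with setenforce, and rewrites the SELINUX= line of /etc/selinux/config so a mode persists. It assumes the standard SELinux userland (getenforce, setenforce) and the default config path; the function names and the script's argument layout are my own.

```shell
#!/bin/sh
# Added example (not from the article): inspect and change the SELinux mode.
# Assumes the standard SELinux userland (getenforce, setenforce) and the
# default config path; the function names are my own.
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"
# Running mode as the kernel reports it: Enforcing, Permissive or Disabled.
selinux_running_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi
}

# Mode that will apply after the next reboot: the SELINUX= line of the config file.
selinux_configured_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "${1:-$SELINUX_CONFIG}" | tail -n 1
}

# Lower-case a requested mode and reject anything but the three valid values.
selinux_validate_mode() {
    mode=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) echo "invalid SELinux mode: $1" >&2; return 1 ;;
    esac
}

# Switch the running mode immediately. setenforce accepts only enforcing and
# permissive (or 1/0); disabled can be set only in the config file, at reboot.
selinux_set_running_mode() {
    mode=$(selinux_validate_mode "$1") || return 1
    if [ "$mode" = disabled ]; then
        echo "set SELINUX=disabled in $SELINUX_CONFIG and reboot instead" >&2; return 1
    fi
    sudo setenforce "$mode"
}

# Rewrite the SELINUX= line of the config file (default /etc/selinux/config)
# so the mode survives a reboot; copy-then-move instead of a non-POSIX sed -i.
selinux_set_configured_mode() {
    mode=$(selinux_validate_mode "$1") || return 1
    file="${2:-$SELINUX_CONFIG}"
    grep -q '^SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; return 1; }
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Usage: selinux_mode.sh status | runtime MODE | persist MODE (persist needs root)
case "${1:-}" in
    status)  echo "running: $(selinux_running_mode), configured: $(selinux_configured_mode)" ;;
    runtime) selinux_set_running_mode "$2" ;;
    persist) selinux_set_configured_mode "$2" ;;
esac
```

A runtime change made with setenforce is lost at the next boot; the persist action is what carries the mode across reboots.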
There are reasons to use the permissive option. With permissive mode active, SELinux monitors processes, but won't prevent them from accessing files and directories.
The main benefit of SELinux in permissive mode is that the OS gives you clues as to why something is not working correctly. When this happens, you might have to grant access to a file or directory with the help of two very important commands.
Give access to a file or directory
On production machines, you should set SELinux to enforcing mode. When you disable SELinux, you're disabling a major security control on your system.
But when you have SELinux enabled, an application might fail to run because it isn't allowed to access a file it needs.
Let's say you have a web server but decide to serve content from a directory outside of the usual /var/www. You can configure Apache or Nginx to use that directory, but SELinux might not allow your server access to the files within the non-standard directory.
For example, say the directory you choose is /srv/www. The problem is that SELinux doesn't know about this alternate directory, so it won't allow access. To instruct SELinux to allow access to the /srv/www directory, you must apply a new file context to it. You can use the semanage command like so:
sudo semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
The above command adds a new file context rule (the -a option) of type httpd_sys_content_t for the /srv/www directory; the (/.*)? part of the pattern extends the rule to everything beneath it.
You must then use restorecon to relabel the directory and set the appropriate context. This command sets the default contexts on files and directories according to SELinux policy, which now includes the rule you just added.
To run restorecon on /srv/www, issue the command:
sudo restorecon -Rv /srv/www
Once you've taken care of this, Apache can then serve up content from the /srv/www directory, because the web server has the right to read httpd_sys_content_t files and /srv/www/ has been correctly labeled.
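The labeling steps above as an added shell example, not code from the original article: it builds the semanage pattern for a directory, applies it with semanage and restorecon, and then checks the tree for files that still carry a type other than httpd_sys_content_t. The verification parses find -printf output, so it assumes GNU find; the function names and the WEB_TYPE variable are my own.

```shell
#!/bin/sh
# Added example (not from the article): label a non-standard web root such as
# /srv/www for the web server and verify the result. Assumes semanage,
# restorecon and GNU find (for -printf %Z); function names are my own.
WEB_TYPE="httpd_sys_content_t"

# Build the semanage pattern that covers a directory and everything beneath it,
# e.g. /srv/www -> /srv/www(/.*)?
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Record the rule in policy (so a future full relabel keeps it) and apply it now.
# If the rule already exists, semanage -a fails, so fall back to modifying it.
label_web_root() {
    dir=${1%/}
    pattern=$(fcontext_pattern "$dir")
    sudo semanage fcontext -a -t "$WEB_TYPE" "$pattern" 2>/dev/null \
        || sudo semanage fcontext -m -t "$WEB_TYPE" "$pattern"
    sudo restorecon -Rv "$dir"
}

# Read lines of the form "<user>:<role>:<type>:<level> <path>" on stdin and print
# every path whose type is not the expected one. Exit status 1 if any were found.
# (Paths containing spaces are not handled.)
find_mislabeled() {
    awk -v want="$1" '
        { split($1, ctx, ":"); if (ctx[3] != want) { print $2; bad = 1 } }
        END { exit bad ? 1 : 0 }'
}

# List every file under the web root that still lacks the web server's type.
verify_web_root() {
    find "${1%/}" -printf '%Z %p\n' | find_mislabeled "$WEB_TYPE"
}
```

Running verify_web_root /srv/www after the relabel should print nothing; any path it does print is one the web server will still be denied.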
Check for any SELinux file problems
SELinux includes a handy tool to help you check for issues: fixfiles, which you can use to reset application file contexts. The fixfiles command has three options:
- check: Shows any file-related objects with a mismatched security context
- restore: Relabels any file-related objects with a mismatched security context
- relabel: Similar to restore but can optionally remove files in the /tmp directory before running the check and restore
To run a check on your system, issue the sudo fixfiles check command.
This SELinux command prints out quite a lot of information. Within that information, look for Would relabel statements and other warnings. If you see any, you can fix them with the sudo fixfiles restore command.
Depending on how many issues fixfiles finds, this process could take some time. Allow the command to complete and, once it's done, rerun the sudo fixfiles check command; any warnings should be gone.
Other useful SELinux commands
- chcon: labels file(s) with a specified security context
- checkpolicy: compiles policy sources into a binary policy file. Generally, it is not called directly; a policy's makefile invokes the command.
- newrole: switches admin roles. It is often issued as newrole -r sysadm_r to transition to the sysadm_r role for system administration tasks.
- getsebool: displays SELinux boolean values
- setsebool: sets SELinux boolean values