SELinux is a mandatory access control system designed for Linux. Troubleshooting SELinux can be complex, but knowing how to place it in permissive mode while acquiring logs of SELinux policy violations for troubleshooting purposes will save a great deal of time.
Before we can talk about SELinux security context, we need to cover a few terms first. SELinux is a mandatory access control system, which is layered over the top of the built-in discretionary access control. Mandatory access control provides a system-wide list of rules that determines access control without regard to ownership. Discretionary access control, however, is based on who owns a resource. If they own it, they get to determine who gets to access it. It's at the owner's discretion. A subject is a user or process.
An object is a resource such as a file, directory, device, pipe or other. Access is the action performed by the subject on an object, such as read, write or create. The security policy is the system-wide set of rules defining what the subjects can do to the objects. There are two policies to choose from in Enterprise Linux: targeted and strict. Targeted is the default. The security context, or label, is the set of tags that SELinux stores for subjects and objects. All subjects and objects will have a security context.
Type enforcement is the default type of mandatory access control used on Enterprise Linux. There's also role-based access control and multi-level security, all of which are part of SELinux. In type enforcement, all subjects and objects belong to groups called types. Roles in the security policy determine which types can access other types. SELinux has several operating modes. Enforcing mode, where security policy is being enforced. Permissive mode, where the policy is consulted and messages are printed, but the policy is not enforced.
And lastly, disabled, which is just that: SELinux is turned off and no mandatory access control system is in place. I do not recommend turning SELinux off. Note that there are times when having SELinux set to permissive mode still denies a subject access to an object, but usually that's not a problem. Let's start by getting the current SELinux mode. Type sestatus into a terminal and hit enter. This shows we're using the targeted policy and that it is being enforced. Another command that we can use to get this information is getenforce.
We can alter the SELinux mode in real time by using setenforce. Type in sudo setenforce permissive and hit enter. We can verify this by using getenforce. We can now see that we're in permissive mode. This change, however, is temporary, and if we want it to survive a reboot we'd have to edit the /etc/selinux/config file and reboot. Type in sudo vi /etc/selinux/config, then hit enter.
If we wanted to change SELinux into permissive mode, we'd change SELINUX=enforcing to SELINUX=permissive. Then, we'd save the file and reboot the system. I'm going to keep mine in enforcing mode and just leave the editor. Also, if you want to disable SELinux altogether, it cannot be done live. This configuration file needs to be edited and the system has to be rebooted.
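The transcript above distinguishes the running mode (changed by setenforce) from the persisted mode in /etc/selinux/config. The following is an added example, not part of the course material, that flags when the two disagree; the function names persistent_mode and check_drift and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course): compare the running SELinux mode with
# the mode persisted in the config file, since setenforce changes only the former.

# Print the value of the first SELINUX= line, lowercased. SELINUXTYPE= and
# commented lines do not match because the pattern is anchored at line start.
persistent_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*$/\1/p' "$1" | head -n 1 |
        tr '[:upper:]' '[:lower:]'
}

# check_drift RUNNING PERSISTED: returns 0 when they agree, 1 on drift,
# 2 when the persisted value is not one of the three modes named above.
check_drift() {
    case $2 in
        enforcing|permissive|disabled) ;;
        *) echo "invalid: no usable SELINUX= value in config"; return 2 ;;
    esac
    if [ "$1" = "$2" ]; then
        echo "ok: running and persisted modes are both $2"
    elif [ "$1" = permissive ] && [ "$2" = enforcing ]; then
        echo "temporary: permissive now, enforcing after the next reboot"
        return 1
    else
        echo "drift: running=$1 persisted=$2"
        return 1
    fi
}

# Constructed sample of /etc/selinux/config (not captured from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Constructed running mode: the state right after "sudo setenforce permissive".
# On a real host use: running=$(getenforce | tr '[:upper:]' '[:lower:]')
running=permissive
check_drift "$running" "$(persistent_mode "$sample")" || true
```

A host that reports "drift" with a persisted value of permissive or disabled will stay unenforced across reboots, which is the case worth alerting on.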
Released 8/31/2017
Instructor Grant McWilliams covers network and internet services administration, kernel management, and intrusion prevention. He shows how to make your systems more efficient with virtualization, manage users and groups, and lock everything down with SELinux mandatory access control. Plus, get access to 25 PDF "cheat sheets" and 100 practice questions so you can solidify and test your knowledge.
- Installing Linux on a physical machine
- Managing systemd services
- Managing reoccurring jobs with cron
- Limiting system access
- Configuring networking
- Creating, editing, and moving files and directories
- Analyzing text with grep and regular expressions
- Installing software and packages
- Managing the kernel
- Managing users, accounts, and groups
- Setting permissions
- Using access control lists
- Securing Linux with SELinux
- Accessing Linux remotely
- Configuring local storage
Skill Level Intermediate
Video: Set enforcing and permissive modes for SELinux