The Complete Guide to SELinux Administration

Introduction to SELinux

Security-Enhanced Linux (SELinux) is an advanced access control mechanism built into the Linux kernel. Unlike traditional Unix permissions, SELinux implements Mandatory Access Control (MAC), allowing fine-grained control over system resources and processes.

Basic Concepts (Level 100)

Understanding SELinux States

SELinux operates in three states:

# Check current SELinux state
$ getenforce
Enforcing

# View detailed status
$ sestatus
SELinux status:          enabled
SELinuxfs mount:         /sys/fs/selinux
SELinux root directory:  /etc/selinux
Loaded policy name:      targeted
Current mode:           enforcing
Mode from config file:   enforcing

The three possible states are:

  1. Enforcing – SELinux enforces policies and logs denials
  2. Permissive – Only logs denials without enforcing
  3. Disabled – Completely disabled

Basic Configuration

# Temporarily change SELinux state
$ sudo setenforce 0  # Set to permissive
$ sudo setenforce 1  # Set to enforcing

# Permanently change SELinux state
$ sudo vi /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

Understanding Contexts

SELinux labels everything with a context in the format:

user:role:type:level

Example commands to view contexts:

# View file contexts
$ ls -Z /var/www/html/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

# View process contexts
$ ps auxZ | grep httpd
system_u:system_r:httpd_t:s0 apache 1234 0.0 0.2 123456 7890 ? Ss 10:00 0:00 /usr/sbin/httpd

Intermediate Concepts (Level 200)

Managing File Contexts

# List default file contexts
$ semanage fcontext -l
/var/www(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0

# Add new file context
$ sudo semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"

# Apply new context
$ sudo restorecon -Rv /custom/path

# Modify context temporarily
$ sudo chcon -t httpd_sys_content_t /path/to/file

Managing SELinux Ports

# List port definitions
$ semanage port -l | grep http
http_port_t                    tcp      80, 443, 8080, 8443

# Add new port
$ sudo semanage port -a -t http_port_t -p tcp 8081

# Delete port
$ sudo semanage port -d -t http_port_t -p tcp 8081

Working with Booleans

Booleans are switches that modify SELinux behavior:

# List all booleans
$ getsebool -a

# View specific boolean
$ getsebool httpd_can_network_connect
httpd_can_network_connect --> off

# Set boolean permanently
$ sudo setsebool -P httpd_can_network_connect on

Advanced Concepts (Level 300)

Custom Policy Module Development

1. Create a basic policy module:

# Generate policy template from denials
$ sudo grep denied /var/log/audit/audit.log | audit2allow -M mypolicy

# Example policy content
module mypolicy 1.0;

require {
        type httpd_t;
        type custom_content_t;
        class file { read getattr open };
}

allow httpd_t custom_content_t:file { read getattr open };

2. Compile and install the module:

# Compile policy
$ checkmodule -M -m -o mypolicy.mod mypolicy.te

# Create policy package
$ semodule_package -o mypolicy.pp -m mypolicy.mod

# Install policy
$ sudo semodule -i mypolicy.pp

Advanced Troubleshooting

1. Analyze SELinux denials:

# Real-time denial monitoring
$ sudo ausearch -m AVC -ts recent

# Generate policy fixes
$ sudo audit2allow -w -a

# Detailed analysis
$ sealert -a /var/log/audit/audit.log

2. Policy analysis tools:

# Search policy rules
$ sesearch --allow | grep httpd_t

# List policy modules
$ semodule -l

# List domain (process) type transitions whose source is httpd_t
$ sesearch -T -s httpd_t -c process
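The troubleshooting steps above pipe raw audit records into audit2allow, which happily turns every denial into an allow rule. Before doing that, a practitioner usually wants a count of which source type, target type, class and permission are actually being denied, since a file denial against the wrong type is a labelling problem (restorecon / semanage fcontext), not a missing rule. The function below is an added example, not part of the original guide; it parses AVC records in the /var/log/audit/audit.log format with POSIX awk, and the sample records are constructed here so it runs without SELinux.

```shell
#!/bin/sh
# Constructed sample audit records (not captured from a real host).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev="sda1" ino=1112 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.789:458): arch=c000003e syscall=257 success=no exit=-13'

# summarize_avc: read audit records on stdin and print one line per distinct
# "<source type> <target type> <class> <permission>", prefixed by how many
# times that combination was denied, most frequent first. Non-AVC records
# (SYSCALL, PATH, ...) are ignored. The type is field 3 of a context.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      perms = $0; sub(/.*denied +[{] /, "", perms); sub(/ [}].*/, "", perms)
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      n = split(perms, p, " ")          # "{ read write }" yields two rows
      for (i = 1; i <= n; i++) count[s[3] " " t[3] " " cls " " p[i]]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# triage_hint: map an object class from the summary to the guide's own
# remedy to check first, before writing a custom allow rule.
triage_hint() {
  case "$1" in
    file|dir|lnk_file) echo "compare label with policy default: restorecon -nv <path>" ;;
    tcp_socket|udp_socket) echo "check port label and booleans: semanage port -l; getsebool -a" ;;
    *) echo "review with sesearch -A before generating a module with audit2allow" ;;
  esac
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Run it against a real log with `sudo ausearch -m AVC -ts recent | summarize_avc`; the class column of each row picks the triage_hint to apply.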


Conclusion

SELinux is a powerful security framework that requires careful configuration and understanding. Key takeaways:

  1. Start with permissive mode during initial setup
  2. Use built-in tools for troubleshooting
  3. Develop custom policies only when necessary
  4. Regular monitoring and maintenance are crucial
  5. Document all policy changes and customizations

Additional Resources

  • SELinux User’s and Administrator’s Guide
  • Red Hat SELinux Documentation
  • SELinux Project Wiki
  • Fedora SELinux Guide
