What is SELinux?

SELinux stands for Security-Enhanced Linux. Its set of security modules/policies are going to apply on machine to increase the overall security of the server.In this modules has been loaded into kernel
while accessing files/services which improves security. This was came with RHEL5 and its more secure comparing to PAM and initd.

Models in SELinux:

Enforcing:
In this model policy has been enforced. It will enforce the policy strictly.

Permissive:
In this model SELinux will give warning, if SELinux policy settings breached.

Disabled:
In this model SELinux totally is disabled.

Levels in SELinux:
SELinux uses two levels.
Targeted – Targeted processes/services are protected by SELinux
Mls – Multi level security protection

Command to check the SELinux status:

[root@server ~]#getenforce
permissive

Output will be “enabled” or “disbaled”

Command to check SELinux status in simplified way:

[root@server ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

 

Command to check SELinux status in detailed:

[root@server ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Policy booleans:
abrt_anon_write off
abrt_handle_event off
abrt_upload_watch_anon_write on
antivirus_can_scan_system off
antivirus_use_jit off
auditadm_exec_content on
authlogin_nsswitch_use_ldap off
authlogin_radius off
authlogin_yubikey off
awstats_purge_apache_log_files off
boinc_execmem on
cdrecord_read_content off
cluster_can_network_connect off
cluster_manage_all_files off
cluster_use_execmem off
cobbler_anon_write off

How to disbale SELinux?

Using two ways will disable SELinux.

1. To disbale permanently will edit the /etc/selinux/config file and change the status from
enforce to disbaled

 

2. To disbale temporarily execute the below command

 #echo 0 > /selinux/enforce

or

 #setenforce 0

How to enable SELinux?

Same like above will enable SELinux using two ways

1. To enable permanently will edit the /etc/selinux/config file and change the status from
disbaled to enforce

2. To enable temporarily execute the below command

 #echo 1 > /selinux/enforce

or

 #setenforce 1

 

Command to list all the modules:

[root@server ~]# semodule -l
abrt
accountsd
acct
afs
aiccu
aide
ajaxterm
alsa
amanda
amtu
anaconda
antivirus
apache
apcupsd
apm
application

Command to enable a module:

in below command use -v  key to show what this command was doing.

[root@server ~]# semodule -v -e application
Attempting to enable module 'application':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.

Command to disable a module:

[root@server ~]# semodule -v -d application
Attempting to disable module 'application':
Ok: return value of 0.
Committing changes:

 

Leave a Reply

Your email address will not be published. Required fields are marked *