linux_config_selinux

SELinux, or Security Enhanced Linux, is a pain in the “bottom”. It is designed as military grade security for the US army. That being said, if you have it enabled (the default) you cannot configure pretty much anything on the software you install without changing the SELinux context.

So let's see how to check its status and how to disable it:

SELinux has three modes:

  • Enforcing
  • Permissive
  • Disabled

The first two keep SELinux enabled, while the last one disables it completely.

You can check if SELinux is currently enabled by issuing the following command:

Check SELinux

[root@************ redis]# getenforce
Enforcing

That means it is enabled and running in its strictest mode. If you don't have a requirement to have SELinux, I suggest to ALWAYS change the policy to “Permissive”: SELinux will still monitor accesses and log a denial when you violate the policy, but it won't stop your work.

Let's see how we can disable it:

To change the mode to Permissive and back again, we can use the following commands:

Change modes

[root@tbp-mts-redis01 redis]# setenforce 0    # 0 = Permissive
[root@tbp-mts-redis01 redis]# getenforce
Permissive
[root@tbp-mts-redis01 redis]# setenforce 1    # 1 = Enforcing
[root@tbp-mts-redis01 redis]# getenforce
Enforcing
[root@tbp-mts-redis01 redis]#

We cannot disable SELinux completely while Linux is running; that requires a restart. Also bear in mind that any change made with setenforce does not survive a restart. To disable it completely and/or to make our change persistent, we have to modify the following file:

Persistent Change

[root@************** redis]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing  <- Change the value here. This setting persists across a restart.
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
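Because a setenforce change is lost at reboot while /etc/selinux/config is what comes back, the two can silently disagree. The following added example (not from the original page) compares the running mode with the configured one; the config path and the getenforce output are parameters so the functions also work on a host without SELinux.

```shell
# Added example: detect drift between the active SELinux mode (getenforce)
# and the mode written in /etc/selinux/config. Both inputs are passed in,
# so the check can be exercised on any machine.

# Print the SELINUX= value of a config file, lowercased, ignoring comments,
# surrounding whitespace and trailing annotations. "unknown" if absent.
selinux_config_mode() {
    local cfg="$1" mode
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    mode=$(printf '%s' "$mode" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${mode:-unknown}"
}

# $1 = getenforce output (Enforcing/Permissive/Disabled), $2 = config file.
# Prints "ok" when they agree, otherwise "drift: running=<x> configured=<y>"
# and returns 1 so the check can be used from cron or a CI job.
selinux_mode_drift() {
    local running configured
    running=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$(selinux_config_mode "$2")
    if [ "$running" = "$configured" ]; then
        printf 'ok\n'
        return 0
    fi
    printf 'drift: running=%s configured=%s\n' "$running" "$configured"
    return 1
}

# Stand-alone use on a real host (getenforce only exists where SELinux is built in).
if command -v getenforce >/dev/null 2>&1; then
    selinux_mode_drift "$(getenforce)" /etc/selinux/config || true
fi
```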

SELinux labels every file, directory and process with a context. But before we start checking the contexts of files and directories, we have to install the proper tools:

Install tools to manage SELinux

[root@tbp-mts-redis01 data]# yum install -y policycoreutils-python-utils
Last metadata expiration check: 0:27:48 ago on Tue 29 Sep 2020 11:30:40 CEST.
Dependencies resolved.
===========================================================================================================================================================================================
 Package                                                Architecture                     Version                                                    Repository                        Size
===========================================================================================================================================================================================
Installing:
 policycoreutils-python-utils                           noarch                           2.9-9.el8                                                  BaseOS                           251 k
Installing dependencies:
 checkpolicy                                            x86_64                           2.9-1.el8                                                  BaseOS                           348 k
 python3-audit                                          x86_64                           3.0-0.17.20191104git1c2f876.el8                            BaseOS                            86 k
 python3-libsemanage                                    x86_64                           2.9-2.el8                                                  BaseOS                           127 k
 python3-policycoreutils                                noarch                           2.9-9.el8                                                  BaseOS                           2.2 M
 python3-setools                                        x86_64                           4.2.2-2.el8                                                BaseOS                           601 k

Transaction Summary
===========================================================================================================================================================================================
Install  6 Packages

Total download size: 3.6 M
Installed size: 11 M
Downloading Packages:
(1/6): python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64.rpm                                                                                             64 kB/s |  86 kB     00:01
(2/6): policycoreutils-python-utils-2.9-9.el8.noarch.rpm                                                                                                   114 kB/s | 251 kB     00:02
(3/6): python3-libsemanage-2.9-2.el8.x86_64.rpm                                                                                                            139 kB/s | 127 kB     00:00
(4/6): checkpolicy-2.9-1.el8.x86_64.rpm                                                                                                                    146 kB/s | 348 kB     00:02
(5/6): python3-setools-4.2.2-2.el8.x86_64.rpm                                                                                                              176 kB/s | 601 kB     00:03
(6/6): python3-policycoreutils-2.9-9.el8.noarch.rpm                                                                                                        233 kB/s | 2.2 MB     00:09
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                      304 kB/s | 3.6 MB     00:12
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                   1/1
  Installing       : python3-setools-4.2.2-2.el8.x86_64                                                                                                                                1/6
  Installing       : python3-libsemanage-2.9-2.el8.x86_64                                                                                                                              2/6
  Installing       : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64                                                                                                              3/6
  Installing       : checkpolicy-2.9-1.el8.x86_64                                                                                                                                      4/6
  Installing       : python3-policycoreutils-2.9-9.el8.noarch                                                                                                                          5/6
  Installing       : policycoreutils-python-utils-2.9-9.el8.noarch                                                                                                                     6/6
  Running scriptlet: policycoreutils-python-utils-2.9-9.el8.noarch                                                                                                                     6/6
  Verifying        : checkpolicy-2.9-1.el8.x86_64                                                                                                                                      1/6
  Verifying        : policycoreutils-python-utils-2.9-9.el8.noarch                                                                                                                     2/6
  Verifying        : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64                                                                                                              3/6
  Verifying        : python3-libsemanage-2.9-2.el8.x86_64                                                                                                                              4/6
  Verifying        : python3-policycoreutils-2.9-9.el8.noarch                                                                                                                          5/6
  Verifying        : python3-setools-4.2.2-2.el8.x86_64                                                                                                                                6/6

Installed:
  checkpolicy-2.9-1.el8.x86_64               policycoreutils-python-utils-2.9-9.el8.noarch   python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64   python3-libsemanage-2.9-2.el8.x86_64
  python3-policycoreutils-2.9-9.el8.noarch   python3-setools-4.2.2-2.el8.x86_64

Complete!

That will give us the “semanage” command. Now there are two ways to manage the context of a file or directory:

  1. Use chcon - temporary (the label lasts only until the next relabel)
  2. Use semanage & restorecon - permanent (the rule is stored in the policy)

So let's try it. Firstly we check the context as follows:

Check Context

~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

In this example, the SELinux context for /web includes the SELinux unconfined_u user, the object_r role, the default_t type and the s0 level. The SELinux documentation describes each part of the context in detail.

To change it temporarily we can use the following command:

Change the context temporary

~]# chcon -R -t httpd_sys_content_t /web/
~]# ls -dZ /web/
drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/

Again, that is not a permanent change: the default context comes back on a relabel, either after a restart or by running restorecon:

Restore the context

~]$ restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0

To change the context permanently we have to record a rule with “semanage” and then apply it with restorecon, as follows:

Change the context

~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web
~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"    # (/.*)? also covers everything below /web
~]# restorecon -R -v /web
~]# ls -dZ /web
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /web
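A common leftover after labelling a web root is a file beneath it that still carries the old type, which httpd then cannot read even though the directory looks right. The following added example (not from the original page) builds the semanage pattern for a directory tree and scans `ls -lZ` style output for entries whose type does not match the expected one; the sample lines are constructed, not captured from a host.

```shell
# Added example: two helpers for the fcontext workflow above.
# fcontext_pattern turns a directory path into the regex semanage expects
# for the directory and everything below it. find_mislabeled reads
# `ls -lZ` / `ls -lRZ` lines on stdin and prints "<path> <type>" for every
# entry whose type differs from the expected one.

# $1 = directory path (trailing slash allowed; assumes a non-root path)
fcontext_pattern() {
    local p="${1%/}"
    printf '%s(/.*)?\n' "$p"
}

# $1 = expected type, e.g. httpd_sys_content_t
find_mislabeled() {
    awk -v want="$1" '
    {
        # the context is the field shaped user:role:type:level; the path is
        # everything after it (re-joined so names with spaces survive)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-zA-Z0-9_]+:[a-zA-Z0-9_]+:[a-zA-Z0-9_]+:/) {
                split($i, f, ":")
                path = $(i + 1)
                for (j = i + 2; j <= NF; j++) path = path " " $j
                if (f[3] != want) printf "%s %s\n", path, f[3]
                break
            }
        }
    }'
}

# Constructed sample of `ls -lZ` output (not captured from a real host).
SAMPLE='drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /web/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /web/ok.html'

fcontext_pattern /web/                         # prints: /web(/.*)?
printf '%s\n' "$SAMPLE" | find_mislabeled httpd_sys_content_t
# prints: /web/index.html default_t
```

On a real host run `ls -lRZ /web | find_mislabeled httpd_sys_content_t` after restorecon; any line printed is a file the rule did not cover.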
  • linux_config_selinux.txt
  • Last modified: 2021/05/18 15:07
  • by andonovj