What is SELinux on CentOS




















This guide provides a brief and basic introduction to commonly used commands and practices for SELinux system administration.

Note: This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. The Linode kernel does not support SELinux by default. If your system is running a Linode kernel, you will need to change to an upstream kernel in order to use SELinux.

In this section, you will install various SELinux packages that will help you when creating, managing, and analyzing SELinux policies. Optionally, install setroubleshoot-server and mctrans. The setroubleshoot-server allows, among many other things, for email notifications to be sent from the server to notify you of any policy violations. When SELinux is installed on your system, it can be either enabled or disabled.

Connect to your Linode via SSH replace In enforcing mode, SELinux enforces its policies on your system and denies access based on those policies. Use the following command to view SELinux policy modules currently loaded into memory: However, you can use audit logs and system messages to understand what would be restricted in enforcing mode. Use the sealert utility to generate a report from your audit log. The log will include information about what SELinux is preventing and how to allow the action, if desired.


To understand DAC, let us first consider how traditional Linux file security works.

Installing Apache and SFTP Services

First, log in to the server as the root user and run the following command to install Apache:

yum install httpd

And then start the daemon manually using the following command:

service httpd start

Next, we will install vsftp:

yum install vsftpd

Here is a list of Red Hat-based distributions:

1. Enforcing
2. Permissive
3. Disabled

In enforcing mode, SELinux will enforce its policy on the Linux system and deny all unauthorized access attempts by users and processes. In the disabled mode, the system will not be running with enhanced security. Only selected processes are protected.

Aug 20 localhost kernel: SELinux: Initializing.
Aug 20 localhost kernel: SELinux: Disabled at runtime.

Next, reboot the server again using the following command:

reboot

Once the server is back online, we can run the sestatus command to check the SELinux status. And the output will look like the following:

Aug 20 localhost kernel: SELinux: Initializing.
Aug 20 localhost systemd[1]: Successfully loaded SELinux policy in

In this tutorial, we will be running the commands as the root user unless otherwise stated.

In a traditional security model, we have three entities: User, Group, and Other (u,g,o) who can have a combination of Read, Write, and Execute (r,w,x) permissions on a file or directory. Now jo can change this access. Consider another case: when a Linux process runs, it may run as the root user or another account with superuser privileges.

That means if a black-hat hacker takes control of the application, they can use that application to get access to whatever resource the user account has access to. For processes running as the root user, basically this means everything in the Linux server. Think about a scenario where you want to restrict users from executing shell scripts from their home directories. This can happen when you have developers working on a production system. How do you do that?

SELinux is a way to fine-tune such access control requirements. With SELinux, you can define what a user or process can do. It confines every process to its own domain so the process can interact with only certain types of files and other processes from allowed domains.

This prevents a hacker from hijacking any process to gain system-wide access. To help us learn the concepts, we will build a test server running both a web and an SFTP server. We will start with a bare installation of CentOS 7 with minimal packages installed and install the Apache and vsftp daemons on that server.

However, we will not configure either of these applications. We will also create a few test user accounts in our cloud server. We will use these accounts in different places throughout the lesson. Finally, we will install needed SELinux-related packages. This is to ensure we can work with the latest SELinux commands.

Next, we will use the service vsftpd start command to start the vsftpd daemon. The output should show something like the following: A number of packages are used in SELinux. Some are installed by default. Here is a list for Red Hat-based distributions: Some of these are installed already. To check what SELinux packages are installed on your CentOS 7 system, you can run a few commands like the one below with different search terms after grep as the root user:

You can go ahead and install all the packages with the command below (yum will just update any you already have), or just the ones that you find missing from your system: We also have four regular user accounts ready for testing in addition to the root account.

At any one time, SELinux can be in any of three possible modes: In enforcing mode, SELinux will enforce its policy on the Linux system and make sure any unauthorized access attempts by users and processes are denied. The access denials are also written to relevant log files.

We will talk about SELinux policies and audit logs later. Permissive mode is like a semi-enabled state. However, any policy violation is still logged in the audit logs. We can run the following command to view its contents: There are two directives in this file. The default value is targeted. With a targeted policy, SELinux allows you to customize and fine-tune access control permissions.

Also, with MLS, you need to install an additional package. It gives you fine control over the activities of all programs and daemons, such as communicating with outside programs or whether a particular program may establish outside connections. The above command will report the current status of SELinux: whether SELinux is enforcing, permissive, or disabled. If it is already disabled.


