What is SELinux in Red Hat

SELinux stands for Security-Enhanced Linux. It is an additional layer of security in the Linux operating system that protects the data of system services, so never disable it or configure it in permissive mode. SELinux is a set of rules used to secure the operating system's processes, directories, files and ports. SELinux attaches a security label, called the SELinux context, to every process, file and port. A context consists of a user, a role, a type and a sensitivity level. Take the web server "apache" as an example. Type names end with _t: the type in the context of the Apache web server process is httpd_t, the Apache files and directories in /var/www/html carry the type httpd_sys_content_t, and the Apache port has the type httpd_port_t. For Apache, SELinux has a policy rule that allows access to files and directories with this context in /var/www/html. If the web server's files and directories (httpd_sys_content_t) are placed in another directory, SELinux has no policy rule for that location, so you must create an SELinux policy rule that allows Apache to access the files and directories there.

SELinux Modes:

Enforcing Mode: In this mode SELinux denies an application access (for example to the network) until a policy rule allows it. SELinux enforces the policy rules to protect data that might otherwise be compromised, and it also logs the activity.

Permissive Mode: In this mode SELinux allows an application to access the network even without a policy rule. SELinux only collects logs of the activity in which policy rules are violated, which is useful for troubleshooting. Switching from enforcing mode to permissive mode, or vice versa, does not require a reboot. Permissive mode is better than disabling SELinux completely, because in permissive mode the kernel still maintains the SELinux labels on the file system.
 
Disabled Mode: In this mode the functions of SELinux are completely turned off. A reboot is required when SELinux is switched from enforcing or permissive mode to disabled mode, or vice versa.

To check the current SELinux mode of the Linux operating system, type the command below.

getenforce

SELinux Booleans:

SELinux Booleans are policy rules that can be either enabled or disabled; changing a Boolean changes the behaviour of SELinux. To list the SELinux Booleans together with their values, type the command below.

getsebool -a

To temporarily change the SELinux mode from enforcing to permissive, type the command below. Because the change is temporary, if the machine is rebooted for any reason the mode reverts from permissive back to enforcing.

setenforce 0

To change the SELinux mode permanently, edit the SELinux configuration file "/etc/selinux/config". You can use the vi editor to edit the file.

vi /etc/selinux/config

To change an SELinux context, you can use the commands "chcon" and "restorecon". The command "chcon" changes the context of a file to the context given as an argument on the command line. The command "restorecon" also changes the context of files and directories, and it is preferable to "chcon" because it restores the context recorded in the policy rather than one typed by hand.

Create a directory "owais" with the mkdir command; type the command below.

mkdir /owais

Here we take the scenario of the Apache web server with SELinux. The default location of the Apache files and folders is "/var/www/html". To change that default location, edit the path in the file below; in this example the directory "/owais" becomes the new default path of the Apache web server.

vi /etc/httpd/conf/httpd.conf

Replace the default location of the Apache web server, "/var/www/html", with "/owais" in the two places where it appears in the file "/etc/httpd/conf/httpd.conf". To check that the directory "/owais" is set in the configuration file, type the command below.

grep owais /etc/httpd/conf/httpd.conf

Then define an SELinux file context rule that sets the context type to httpd_sys_content_t for /owais and all the files inside it.

semanage fcontext -a -t httpd_sys_content_t '/owais(/.*)?'

Then use restorecon to apply the new context; type the command below.

restorecon -Rv /owais

To turn the Apache Boolean httpd_enable_homedirs on permanently (the -P option keeps the change across reboots), type the command below.

setsebool -P httpd_enable_homedirs on 

To verify that the Apache Boolean is switched "on", type the commands below.

getsebool httpd_enable_homedirs
outcome
httpd_enable_homedirs --> on

semanage boolean -l | grep httpd_enable_homedirs
outcome
httpd_enable_homedirs     (on  ,  on) Allow httpd_enable_homedirs

Create an index.html file in the directory "/owais" and put some text in it; type the command below.

touch /owais/index.html 

Open a web browser and enter the URL below to verify that the Apache web server is working.

http://localhost/index.html

If you want to use the directory "/owais" for the Apache web server with the default settings and configuration, apply the steps below.

Create a file context rule that sets the default type to httpd_sys_content_t for the directory "/owais".

semanage fcontext -a -t httpd_sys_content_t '/owais'

Use the restorecon command to set the SELinux context of the files in the directory "/owais".

restorecon -R /owais

Create an index.html file in the directory "/owais" and put some text in it; type the command below.

touch /owais/index.html 

To verify the Apache web content, enter the URL below in a web browser.

http://localhost/owais/index.html
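The relabeling steps above (both the relocated document root and the default-settings variant) as one added shell example; it is not part of the original article. It assumes the semanage, restorecon and GNU find commands of a RHEL system and takes the directory (the article's /owais) as its argument; the find_mislabeled check only reads "context path" lines, so it can be tried on constructed input anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: apply the persistent
# file context rule for a relocated Apache document root, relabel it, and
# verify that every file under it actually carries httpd_sys_content_t.
# Assumes semanage, restorecon and GNU find (for -printf '%Z') from RHEL.

EXPECTED_TYPE="httpd_sys_content_t"

# Reads "context path" lines (the format of find -printf '%Z %p\n') on stdin,
# prints every path whose type field (third ':'-separated field) differs
# from EXPECTED_TYPE, and returns 1 if any such path was found.
find_mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
        {
            split($1, ctx, ":")                 # user:role:type:sensitivity
            path = $0; sub(/^[^ ]+ /, "", path) # keep paths containing spaces
            if (ctx[3] != want) { print path; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# The article's steps for a directory such as /owais: add the rule for the
# directory and everything below it, relabel, then check the result.
# (If the rule already exists, semanage reports it; use -m instead of -a.)
label_webroot() {
    dir="$1"
    semanage fcontext -a -t "$EXPECTED_TYPE" "${dir}(/.*)?" || return 1
    restorecon -Rv "$dir" || return 1
    find "$dir" -printf '%Z %p\n' | find_mislabeled
}

if [ "$#" -eq 1 ]; then
    label_webroot "$1" && echo "all files under $1 are labelled $EXPECTED_TYPE"
fi
```

Any path printed by find_mislabeled is one that restorecon did not relabel, usually because the fcontext rule does not cover it.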

Troubleshooting and Monitoring SELinux:

To monitor SELinux violations, install the package "setroubleshoot-server". With this package installed, a short message is sent to the log file "/var/log/messages" for each violation that is first recorded in "/var/log/audit/audit.log". This short message contains a UUID; for more information, run "sealert -l UUID" to generate a report of that specific incident.
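To see at a glance which denials the audit log holds before reaching for sealert, here is an added shell example that is not from the original article. It assumes only the format of AVC records in /var/log/audit/audit.log; the sample lines in SAMPLE_AUDIT are constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the AVC denials
# recorded in /var/log/audit/audit.log by process, source type, target type,
# object class and denied permissions. Only the audit record format is
# assumed; SAMPLE_AUDIT below is constructed, not real output.

# Reads audit records on stdin and prints one line per distinct
# "comm source_type target_type class permissions" with its count.
summarize_avc() {
    awk '
        function field(name,    s) {            # value of "name=..." in $0
            s = $0
            if (!sub(".*" name "=", "", s)) return ""
            sub(/ .*/, "", s); return s
        }
        function ctxtype(ctx,    p) { split(ctx, p, ":"); return p[3] }
        /^type=AVC / && /avc: +denied/ {
            perms = $0; sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
            comm = field("comm"); gsub(/"/, "", comm)
            key = comm " " ctxtype(field("scontext")) " " ctxtype(field("tcontext"))
            key = key " " field("tclass") " " perms
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample: httpd denied on a file still labelled default_t
# (the situation the restorecon step above fixes), plus one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/owais/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1202 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"'

# On a real system run: summarize_avc < /var/log/audit/audit.log
# and then "sealert -l UUID" for the full report of one incident.
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
}

sample_summary
```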

Thanks for reading this article.