SELinux stands for Security-Enhanced Linux. Its set of security modules/policies are going to apply on machine to increase the overall security of the server.In this modules has been loaded into kernel
while accessing files/services which improves security. This was came with RHEL5 and its more secure comparing to PAM and initd.
Models in SELinux:
Enforcing:
In this model policy has been enforced. It will enforce the policy strictly.
Permissive:
In this model SELinux will give warning, if SELinux policy settings breached.
Disabled:
In this model SELinux totally is disabled.
Levels in SELinux:
SELinux uses two levels.
Targeted – Targeted processes/services are protected by SELinux
Mls – Multi level security protection
Command to check the SELinux status:
[root@server ~]#getenforce permissive
Output will be “enabled” or “disbaled”
Command to check SELinux status in simplified way:
[root@server ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28
Command to check SELinux status in detailed:
[root@server ~]# sestatus -b SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Policy booleans: abrt_anon_write off abrt_handle_event off abrt_upload_watch_anon_write on antivirus_can_scan_system off antivirus_use_jit off auditadm_exec_content on authlogin_nsswitch_use_ldap off authlogin_radius off authlogin_yubikey off awstats_purge_apache_log_files off boinc_execmem on cdrecord_read_content off cluster_can_network_connect off cluster_manage_all_files off cluster_use_execmem off cobbler_anon_write off
How to disbale SELinux?
Using two ways will disable SELinux.
1. To disbale permanently will edit the /etc/selinux/config file and change the status from
enforce to disbaled
2. To disbale temporarily execute the below command
#echo 0 > /selinux/enforce
or
#setenforce 0
How to enable SELinux?
Same like above will enable SELinux using two ways
1. To enable permanently will edit the /etc/selinux/config file and change the status from
disbaled to enforce
2. To enable temporarily execute the below command
#echo 1 > /selinux/enforce
or
#setenforce 1
Command to list all the modules:
[root@server ~]# semodule -l abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm application
Command to enable a module:
in below command use -v key to show what this command was doing.
[root@server ~]# semodule -v -e application Attempting to enable module 'application': Ok: return value of 0. Committing changes: Ok: transaction number 0.
Command to disable a module:
[root@server ~]# semodule -v -d application Attempting to disable module 'application': Ok: return value of 0. Committing changes: