SELinux

 



Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system.


Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls. SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.


Should SELinux be enabled?
Developers often recommend disabling security features such as SELinux to get software to work. ... And yes, disabling security features, like turning off SELinux, will allow software to run. All the same, don't do it! For those who don't use Linux, SELinux is a security enhancement to it that supports mandatory access controls.


How do I know if SELinux is enabled?
Is SELinux enabled on my system? To find out if SELinux is enabled on your system, you can run sestatus. If the SELinux status says enforcing, you are being protected by SELinux. If it says permissive, SELinux is enabled but is not protecting you, and disabled means it is completely disabled.


Can we disable SELinux?
Disable SELinux

Security-Enhanced Linux, or SELinux, allows you to set access control through policies. ... If editing the config file, open the /etc/selinux/config file (on some systems, the /etc/sysconfig/selinux file). Change the line SELINUX=enforcing to SELINUX=permissive. Save and close the file.



What does SELinux protect against?
SELinux is an acronym for Security-enhanced Linux. It is a security feature of the Linux kernel. It is designed to protect the server against misconfigurations and/or compromised daemons.



SELINUX STATES AND MODES


SELinux can run in one of three modes: disabled, permissive, or enforcing.
Disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.
In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.
Enforcing mode is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.
Use the setenforce utility to change between enforcing and permissive mode. Changes made with setenforce do not persist across reboots. To change to enforcing mode, enter the setenforce 1 command as the Linux root user. To change to permissive mode, enter the setenforce 0 command. Use the getenforce utility to view the current SELinux mode:



  • SELinux configuration file 

/etc/selinux/config
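
Because setenforce changes only the running mode while /etc/selinux/config decides the mode at boot, the two can drift apart. The script below is an added example, not part of the original page, that compares them; the function names configured_mode, runtime_mode and audit_selinux are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare the persistent SELinux
# setting with the runtime mode and flag anything weaker than enforcing.

# Print the SELINUX= value from a config file, lowercased; last assignment wins.
# $1: config path (defaults to /etc/selinux/config). Comment lines and
# SELINUXTYPE= are ignored because the pattern requires "SELINUX=" at line start.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the runtime mode, lowercased, or "unknown" when getenforce is absent.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo unknown
    fi
}

# audit_selinux CONFIGURED RUNTIME
# Returns 0 only when the policy is enforced now and will be after a reboot,
# 1 when exactly one of the two is enforcing, 2 when neither is.
audit_selinux() {
    cfg=$1 run=$2
    if [ "$run" = enforcing ] && [ "$cfg" = enforcing ]; then
        echo "OK: enforcing now and at next boot"; return 0
    elif [ "$run" = enforcing ]; then
        echo "WARN: enforcing now, but config sets '$cfg' for next boot"; return 1
    elif [ "$cfg" = enforcing ]; then
        echo "WARN: config is enforcing, but runtime mode is '$run'"; return 1
    fi
    echo "FAIL: policy not enforced (config='$cfg', runtime='$run')"; return 2
}

# Audit this host when the config file is present.
if [ -r /etc/selinux/config ]; then
    audit_selinux "$(configured_mode)" "$(runtime_mode)" \
        || echo "audit exit status: $?"
fi

# Constructed case: "setenforce 0" was run on a host configured as enforcing.
audit_selinux enforcing permissive || echo "audit exit status: $?"
```

A WARN with the runtime in permissive mode reflects the point above that setenforce changes do not persist: the config file still decides the mode at the next boot.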


Editing the config file

[root@server1 ~]# vim /etc/selinux/config


Default:



Edit to disable


[root@server1 ~]# systemctl restart sshd

