Security-Enhanced Linux (SELinux) is a powerful security mechanism that provides mandatory access control (MAC) for Linux systems. This guide will help you configure SELinux on AlmaLinux to enhance your systemβs security posture.
Prerequisites
Before starting, ensure you:
- Are logged in as root or have sudo privileges
- Have a basic understanding of Linux permissions
- Have SELinux packages installed
Install SELinux if not already present:
sudo dnf install selinux-policy selinux-policy-targeted -y
Understanding SELinux Modes
SELinux operates in three modes:
1. Enforcing Mode
- Policies are enforced and violations are logged
- Recommended for production systems
- Provides maximum security
2. Permissive Mode
- Policies are not enforced but violations are logged
- Useful for troubleshooting
- Good for testing new policies
3. Disabled Mode
- SELinux is completely turned off
- Not recommended for security reasons
- Should only be used if absolutely necessary
Checking SELinux Status
Check the current SELinux status:
sestatus
This command displays:
- SELinux status (enabled/disabled)
- Current mode
- Policy version
- File contexts status
Changing SELinux Modes
Temporary Changes
Set to Enforcing mode:
sudo setenforce 1
Set to Permissive mode:
sudo setenforce 0
Permanent Changes
Edit the SELinux configuration file:
sudo nano /etc/selinux/config
Modify the SELINUX line:
# Options: enforcing, permissive, disabled
SELINUX=enforcing
Reboot for changes to take effect:
sudo reboot
Working with SELinux Contexts
View File Contexts
ls -Z /var/www/html/
Change File Context
sudo chcon -t httpd_sys_content_t /var/www/html/index.html
Restore Default Context
sudo restorecon -v /var/www/html/index.html
Make Context Changes Permanent
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
sudo restorecon -Rv /web
Managing SELinux Booleans
List All Booleans
getsebool -a
Check Specific Boolean
getsebool httpd_can_network_connect
Set Boolean Temporarily
sudo setsebool httpd_can_network_connect on
Set Boolean Permanently
sudo setsebool -P httpd_can_network_connect on
Common SELinux Troubleshooting
Using audit2why
Analyze SELinux denials:
sudo ausearch -m AVC -ts recent | audit2why
Using audit2allow
Generate policy modules from denials:
sudo ausearch -m AVC -ts recent | audit2allow -M mymodule
sudo semodule -i mymodule.pp
Check SELinux Logs
sudo tail -f /var/log/audit/audit.log | grep AVC
SELinux for Common Services
Apache/HTTPD
Allow Apache to connect to network:
sudo setsebool -P httpd_can_network_connect on
Allow Apache to send mail:
sudo setsebool -P httpd_can_sendmail on
MySQL/MariaDB
Set proper context for custom data directory:
sudo semanage fcontext -a -t mysqld_db_t "/data/mysql(/.*)?"
sudo restorecon -Rv /data/mysql
SSH
Allow SSH on non-standard port:
sudo semanage port -a -t ssh_port_t -p tcp 2222
Creating Custom SELinux Policies
Generate Policy from Log
grep httpd /var/log/audit/audit.log | audit2allow -M httpd_custom
sudo semodule -i httpd_custom.pp
View Installed Modules
sudo semodule -l
Remove a Module
sudo semodule -r httpd_custom
Best Practices
- Always run in Enforcing mode in production
- Use Permissive mode only for troubleshooting
- Never disable SELinux unless absolutely necessary
- Regular monitoring of audit logs
- Document all policy changes
- Test in staging before applying to production
Monitoring and Alerting
Set up Log Monitoring
sudo aureport -avc
Email Alerts for Denials
Create a script for automated alerts:
#!/bin/bash
ausearch -m AVC -ts recent | mail -s "SELinux Denials" [email protected]
Conclusion
SELinux is a powerful security feature that significantly enhances the security of your AlmaLinux system. While it may seem complex initially, proper configuration and understanding of SELinux contexts, booleans, and policies will help you maintain a secure environment without sacrificing functionality.
Remember to always test changes in a non-production environment first, and keep SELinux in Enforcing mode for maximum security benefits.