Security-Enhanced Linux (SELinux) is a powerful security mechanism that provides mandatory access control (MAC) for Linux systems. This guide will help you configure SELinux on AlmaLinux to enhance your systemβs security posture.
Prerequisites
Before starting, ensure you:
- Are logged in as root or have sudo privileges
- Have a basic understanding of Linux permissions
- Have SELinux packages installed
Install SELinux if not already present:
sudo dnf install selinux-policy selinux-policy-targeted -y
Understanding SELinux Modes
SELinux operates in three modes:
1. Enforcing Mode
- Policies are enforced and violations are logged
- Recommended for production systems
- Provides maximum security
2. Permissive Mode
- Policies are not enforced but violations are logged
- Useful for troubleshooting
- Good for testing new policies
3. Disabled Mode
- SELinux is completely turned off
- Not recommended for security reasons
- Should only be used if absolutely necessary
Checking SELinux Status
Check the current SELinux status:
sestatus
This command displays:
- SELinux status (enabled/disabled)
- Current mode
- Policy version
- File contexts status
Changing SELinux Modes
Temporary Changes
Set to Enforcing mode:
sudo setenforce 1Set to Permissive mode:
sudo setenforce 0
Permanent Changes
Edit the SELinux configuration file:
sudo nano /etc/selinux/configModify the SELINUX line:
# Options: enforcing, permissive, disabled
SELINUX=enforcingReboot for changes to take effect:
sudo rebootWorking with SELinux Contexts
View File Contexts
ls -Z /var/www/html/Change File Context
sudo chcon -t httpd_sys_content_t /var/www/html/index.htmlRestore Default Context
sudo restorecon -v /var/www/html/index.htmlMake Context Changes Permanent
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
sudo restorecon -Rv /webManaging SELinux Booleans
List All Booleans
getsebool -aCheck Specific Boolean
getsebool httpd_can_network_connectSet Boolean Temporarily
sudo setsebool httpd_can_network_connect onSet Boolean Permanently
sudo setsebool -P httpd_can_network_connect onCommon SELinux Troubleshooting
Using audit2why
Analyze SELinux denials:
sudo ausearch -m AVC -ts recent | audit2whyUsing audit2allow
Generate policy modules from denials:
sudo ausearch -m AVC -ts recent | audit2allow -M mymodule
sudo semodule -i mymodule.ppCheck SELinux Logs
sudo tail -f /var/log/audit/audit.log | grep AVCSELinux for Common Services
Apache/HTTPD
Allow Apache to connect to network:
sudo setsebool -P httpd_can_network_connect onAllow Apache to send mail:
sudo setsebool -P httpd_can_sendmail onMySQL/MariaDB
Set proper context for custom data directory:
sudo semanage fcontext -a -t mysqld_db_t "/data/mysql(/.*)?"
sudo restorecon -Rv /data/mysqlSSH
Allow SSH on non-standard port:
sudo semanage port -a -t ssh_port_t -p tcp 2222Creating Custom SELinux Policies
Generate Policy from Log
grep httpd /var/log/audit/audit.log | audit2allow -M httpd_custom
sudo semodule -i httpd_custom.ppView Installed Modules
sudo semodule -lRemove a Module
sudo semodule -r httpd_customBest Practices
- Always run in Enforcing mode in production
- Use Permissive mode only for troubleshooting
- Never disable SELinux unless absolutely necessary
- Regular monitoring of audit logs
- Document all policy changes
- Test in staging before applying to production
Monitoring and Alerting
Set up Log Monitoring
sudo aureport -avcEmail Alerts for Denials
Create a script for automated alerts:
#!/bin/bash
ausearch -m AVC -ts recent | mail -s "SELinux Denials" [email protected]Conclusion
SELinux is a powerful security feature that significantly enhances the security of your AlmaLinux system. While it may seem complex initially, proper configuration and understanding of SELinux contexts, booleans, and policies will help you maintain a secure environment without sacrificing functionality.
Remember to always test changes in a non-production environment first, and keep SELinux in Enforcing mode for maximum security benefits.
