Configuring SELinux for AlmaLinux Security

Published Dec 17, 2023

Secure AlmaLinux with ease! Learn how to set up SELinux for stronger protection. Simple steps, powerful defense. Your system, your safety. 🚀🔒

Security-Enhanced Linux (SELinux) is a powerful security mechanism that provides mandatory access control (MAC) for Linux systems. This guide will help you configure SELinux on AlmaLinux to enhance your system's security posture.

Prerequisites

Before starting, ensure you:

  • Are logged in as root or have sudo privileges
  • Have a basic understanding of Linux permissions
  • Have SELinux packages installed

Install SELinux if not already present:

sudo dnf install selinux-policy selinux-policy-targeted -y

Understanding SELinux Modes

SELinux operates in three modes:

1. Enforcing Mode

  • Policies are enforced and violations are logged
  • Recommended for production systems
  • Provides maximum security

2. Permissive Mode

  • Policies are not enforced but violations are logged
  • Useful for troubleshooting
  • Good for testing new policies

3. Disabled Mode

  • SELinux is completely turned off
  • Not recommended for security reasons
  • Should only be used if absolutely necessary

Checking SELinux Status

Check the current SELinux status:

sestatus

This command displays:

  • SELinux status (enabled/disabled)
  • Current mode
  • Policy version
  • File contexts status

Changing SELinux Modes

Temporary Changes

Set to Enforcing mode:

sudo setenforce 1

Set to Permissive mode:

sudo setenforce 0

Permanent Changes

Edit the SELinux configuration file:

sudo nano /etc/selinux/config

Modify the SELINUX line:

# Options: enforcing, permissive, disabled
SELINUX=enforcing

Reboot for changes to take effect:

sudo reboot

Working with SELinux Contexts

View File Contexts

ls -Z /var/www/html/

Change File Context

sudo chcon -t httpd_sys_content_t /var/www/html/index.html

Restore Default Context

sudo restorecon -v /var/www/html/index.html

Make Context Changes Permanent

sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
sudo restorecon -Rv /web

Managing SELinux Booleans

List All Booleans

getsebool -a

Check Specific Boolean

getsebool httpd_can_network_connect

Set Boolean Temporarily

sudo setsebool httpd_can_network_connect on

Set Boolean Permanently

sudo setsebool -P httpd_can_network_connect on

Common SELinux Troubleshooting

Using audit2why

Analyze SELinux denials:

sudo ausearch -m AVC -ts recent | audit2why

Using audit2allow

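Generate a policy module from denials. audit2allow turns every denial it is given into an allow rule, so read the generated mymodule.te before installing the module: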

sudo ausearch -m AVC -ts recent | audit2allow -M mymodule
sudo semodule -i mymodule.pp

Check SELinux Logs

sudo tail -f /var/log/audit/audit.log | grep AVC

SELinux for Common Services

Apache/HTTPD

Allow Apache to make outbound network connections:

sudo setsebool -P httpd_can_network_connect on

Allow Apache to send mail:

sudo setsebool -P httpd_can_sendmail on

MySQL/MariaDB

Set proper context for custom data directory:

sudo semanage fcontext -a -t mysqld_db_t "/data/mysql(/.*)?"
sudo restorecon -Rv /data/mysql

SSH

Allow SSH on non-standard port:

sudo semanage port -a -t ssh_port_t -p tcp 2222

Creating Custom SELinux Policies

Generate Policy from Log

sudo grep httpd /var/log/audit/audit.log | audit2allow -M httpd_custom
sudo semodule -i httpd_custom.pp

View Installed Modules

sudo semodule -l

Remove a Module

sudo semodule -r httpd_custom

Best Practices

  1. Always run in Enforcing mode in production
  2. Use Permissive mode only for troubleshooting
  3. Never disable SELinux unless absolutely necessary
  4. Monitor audit logs regularly
  5. Document all policy changes
  6. Test in staging before applying to production

Monitoring and Alerting

Set up Log Monitoring

sudo aureport --avc

Email Alerts for Denials

Create a script for automated alerts:

#!/bin/bash
# admin@example.com is a placeholder; set your own alert recipient
ausearch -m AVC -ts recent | mail -s "SELinux Denials" admin@example.com

Conclusion

SELinux is a powerful security feature that significantly enhances the security of your AlmaLinux system. While it may seem complex initially, proper configuration and understanding of SELinux contexts, booleans, and policies will help you maintain a secure environment without sacrificing functionality.

Remember to always test changes in a non-production environment first, and keep SELinux in Enforcing mode for maximum security benefits.