What is SELinux and How to Setup in Linux - Cloud Network

Cloud Network

Networking | Support | Tricks | Troubleshoot | Tips

  •

    • Buymecoffe

    Buy Me A Coffee

    Wednesday, September 3, 2014

    Home Redhat Linux What is SELinux and How to Setup in Linux

    What is SELinux and How to Setup in Linux

    SELinux, Iptables

    ###SELinux Intro###
     Features:
      1. Restricts access by subjects (users and/or processes) to objects (files)
      2. Provides Mandatory Access Controls (MACs)
      3. MACs extend Discretionary Access Controls (DACs(Standard Linux Permissions))
      4. Stores MAC permissions in extended attributes of file systems
      5. SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
      6. SELinux is integrated into the Linux kernel
      7. Implements sandboxes for subjects and objects
      8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
      9. SELinux is implemented/enabled by RH5, by default
     10. Operates in the following modes:
       a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
       b. Enforcing - strictly enforces 'targeted' policy rules
       c. Disabled - Only DACs are applied
      11. Operating modes can be applied upon startup or while the system is running

    SELinux Config files & Tools:
     1. sestatus - displays current SELinux status, including:
      a. policy name 'targeted'
      b. policy version '21'
      c. Operating mode: 'enforcing|permissive|disabled'

     2. /etc/sysconfig/selinux - primary startup|config file for SELinux
     3. /etc/selinux/targeted - top-level container for the 'targeted' policy
     4. setenforce = 0(permissive) 1(enforcing)
     5. '-Z' can be applied to the following tools to obtain SELinux context info:
      a. mv, cp, ls, ps, id
     6. chcon -R -t type file - applies SELinux label to file/directory

    Tasks:
     1. Disable SELinux upon boot-up on LINUXCBTSERV4
      a. nano /etc/grub.conf
       a1. Update 'kernel' line to reflect: selinux=0

    Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
     1. 'touch /.autorelabel && reboot' - init will relable the system according to the 'targeted' policy
     2. 'fixfiles' - use to relabel objects (files) while the system is running

    Note: List of daemons protected by the 'targeted' SELinux policy:
     1. apache(httpd)
     2. dchpd
     3. ntpd
     4. named
     5. syslogd
     6. squid
     7. snmpd
     8. portmap
     9. nscd
    10. winbind

    Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain

    Note: The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'

    Note: SELinux MACs compound Linux DACs


    Thanking You
    Hope U Like it.......


    Reset Root Password in linux

    Linux Mint 17

    pendrive bootable for ubuntu

    Nagios 4.0.7

    Oracle Linux 7
    Fedora 20
    Tags
    Author Image

    About Cloud Network
    Providing on the Web, online library and learning platform for IT Professional Developers with a unique blend of original content, peer-to-peer advice from the largest community of IT.

    By at
    Tags: