What is SELinux and How to Setup in Linux - Cloud Network

Wednesday, September 3, 2014


###SELinux Intro###
 Features:
  1. Restricts access by subjects (users and/or processes) to objects (files)
  2. Provides Mandatory Access Controls (MACs)
  3. MACs extend Discretionary Access Controls (DACs, the standard Linux permissions)
  4. Stores MAC permissions in extended attributes of file systems
  5. SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
  6. SELinux is integrated into the Linux kernel
  7. Implements sandboxes for subjects and objects
  8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
  9. SELinux is implemented/enabled by RH5, by default
 10. Operates in the following modes:
   a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
   b. Enforcing - strictly enforces 'targeted' policy rules
   c. Disabled - Only DACs are applied
 11. Operating modes can be applied upon startup or while the system is running
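Permissive mode is only useful if someone reads the denials it logs to /var/log/messages. The script below is an added example, not part of the original post: it summarizes AVC denial records by source domain, target type, object class and permission so that a system can be run permissive for a while and then reviewed before switching to enforcing. The log lines are constructed samples written to resemble the syslog form the kernel emits when auditd is not collecting the audit stream; the hostname, PIDs and timestamps are invented. On a live host, pass the real /var/log/messages path to summarize_avc.

```shell
#!/bin/sh
# Added example, not from the original post.  Summarize AVC denials that a
# permissive-mode system writes to /var/log/messages.

# Constructed sample log: two httpd denials on the same file type, one ntpd
# denial on a port, and one unrelated sshd line that must be ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep  3 10:15:22 linuxcbtserv4 kernel: audit(1409739322.101:41): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
Sep  3 10:15:23 linuxcbtserv4 sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Sep  3 10:15:30 linuxcbtserv4 kernel: audit(1409739330.555:42): avc:  denied  { read } for  pid=2346 comm="httpd" name="about.html" dev=sda2 ino=12346 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
Sep  3 10:16:02 linuxcbtserv4 kernel: audit(1409739362.007:43): avc:  denied  { name_bind } for  pid=2101 comm="ntpd" src=8123 scontext=root:system_r:ntpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
EOF

# Print one line per (source type, target type, class, permission) with a count.
# A multi-permission denial such as "{ read getattr }" keeps the whole set in
# the permission field.
summarize_avc() {
    awk '
    function ctx_type(ctx,   parts, n) {
        # a context is user:role:type[:level]; the type is the third field
        n = split(ctx, parts, ":")
        return (n >= 3) ? parts[3] : ctx
    }
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "scontext") src = ctx_type(kv[2])
            else if (kv[1] == "tcontext") tgt = ctx_type(kv[2])
            else if (kv[1] == "tclass") cls = kv[2]
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print k " " count[k] }
    ' "$1" | sort
}

# Total number of denial records in the file.
avc_total() {
    grep -c 'avc: *denied' "$1"
}

# Distinct confined domains that were denied something, one per line.
denied_domains() {
    summarize_avc "$1" | awk '{ print $1 }' | sort -u
}

# Usage against the constructed sample.
echo "denials: $(avc_total "$SAMPLE_LOG")"
summarize_avc "$SAMPLE_LOG"
```

Each output line names the subject domain, the object type, the object class and the permission that was refused, which is exactly the information needed to decide whether a file is mislabeled (fix with chcon or a relabel) or the policy genuinely needs adjusting.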

SELinux Config files & Tools:
 1. sestatus - displays current SELinux status, including:
  a. policy name 'targeted'
  b. policy version '21'
  c. Operating mode: 'enforcing|permissive|disabled'

 2. /etc/sysconfig/selinux - primary startup|config file for SELinux
 3. /etc/selinux/targeted - top-level container for the 'targeted' policy
 4. setenforce 0 (permissive) | 1 (enforcing) - switches the operating mode on the running system
 5. '-Z' can be applied to the following tools to obtain SELinux context info:
  a. mv, cp, ls, ps, id
 6. chcon -R -t type file - applies SELinux label to file/directory

Tasks:
 1. Disable SELinux upon boot-up on LINUXCBTSERV4
  a. nano /etc/grub.conf
   a1. Update the 'kernel' line to include: selinux=0
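Because the mode after a reboot depends on both /etc/sysconfig/selinux and the grub.conf 'kernel' line, it is easy to believe a host is enforcing when selinux=0 was left on the kernel line long ago. The script below is an added example, not part of the original post: it reads both files and reports the mode the system will actually boot into, with the kernel parameter taking precedence. The config and grub.conf contents are constructed copies that follow the stock file layouts; the kernel and initrd names are placeholders. On a live host call boot_mode /etc/sysconfig/selinux /etc/grub.conf.

```shell
#!/bin/sh
# Added example, not from the original post.  Predict the SELinux mode after the
# next boot from /etc/sysconfig/selinux and the grub.conf 'kernel' line.

# Mode requested by the SELINUX= line of a sysconfig-style file.
# Comment lines are ignored and the last uncommented assignment wins;
# SELINUXTYPE= does not match because the pattern requires "SELINUX=".
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeeds when any grub 'kernel' line carries selinux=0, which stops the
# kernel from loading a policy regardless of what the config file says.
kernel_disables_selinux() {
    grep -E '^[[:space:]]*kernel[[:space:]]' "$1" |
        grep -qE '(^|[[:space:]])selinux=0([[:space:]]|$)'
}

# Effective boot mode: $1 = sysconfig file, $2 = grub.conf.
boot_mode() {
    if kernel_disables_selinux "$2"; then
        echo disabled
        return 0
    fi
    case "$(config_mode "$1")" in
        enforcing)  echo enforcing ;;
        permissive) echo permissive ;;
        disabled)   echo disabled ;;
        *)          echo unknown ;;
    esac
}

# Constructed sample files (placeholders, not a real system's files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/selinux.enforcing" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use.
SELINUXTYPE=targeted
EOF
sed 's/^SELINUX=.*/SELINUX=permissive/' "$SAMPLE_DIR/selinux.enforcing" \
    > "$SAMPLE_DIR/selinux.permissive"

cat > "$SAMPLE_DIR/grub.default" <<'EOF'
default=0
timeout=5
title Example Linux (kernel-EXAMPLE)
        root (hd0,0)
        kernel /vmlinuz-EXAMPLE ro root=LABEL=/ rhgb quiet
        initrd /initrd-EXAMPLE.img
EOF
# Same grub.conf after the task above: selinux=0 appended to the kernel line.
sed 's/rhgb quiet/rhgb quiet selinux=0/' "$SAMPLE_DIR/grub.default" \
    > "$SAMPLE_DIR/grub.selinux0"

# Usage against the constructed samples.
echo "enforcing config, stock grub:   $(boot_mode "$SAMPLE_DIR/selinux.enforcing"  "$SAMPLE_DIR/grub.default")"
echo "permissive config, stock grub:  $(boot_mode "$SAMPLE_DIR/selinux.permissive" "$SAMPLE_DIR/grub.default")"
echo "enforcing config, selinux=0:    $(boot_mode "$SAMPLE_DIR/selinux.enforcing"  "$SAMPLE_DIR/grub.selinux0")"
```

The third case is the one worth auditing for: the config file says enforcing, sestatus would report disabled after the reboot, and nothing in /etc/sysconfig/selinux explains why.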

Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
 1. 'touch /.autorelabel && reboot' - init will relabel the system according to the 'targeted' policy
 2. 'fixfiles' - use to relabel objects (files) while the system is running

Note: List of daemons protected by the 'targeted' SELinux policy:
 1. apache(httpd)
  2. dhcpd
 3. ntpd
 4. named
 5. syslogd
 6. squid
 7. snmpd
 8. portmap
 9. nscd
10. winbind

Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain

Note: The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'

Note: SELinux MACs are applied on top of Linux DACs: DAC checks run first, a DAC denial stands on its own, and the SELinux policy is only consulted once DACs permit the access


Thanking You
Hope U Like it.......
