This article explains how to secure Linux servers with SELinux. SELinux, which stands for Security-Enhanced Linux, was developed by the NSA (National Security Agency) to perform government-related security tasks. It gives system administrators more control over access to files and processes. With SELinux, administrators can define a context, tag files with it, and allow access within that context. Access and permissions are typically inherited based on user groups. SELinux is included by default in most Linux distributions.
SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, a set of rules that tell SELinux what can and cannot be accessed, to enforce the access allowed by a policy. When an application or process, called a subject, makes a request to access an object, such as a file, SELinux checks an access vector cache (AVC) that caches subject and object permissions.
If SELinux is unable to make an access decision based on the cached permissions, it sends the request to the security server. The security server checks the security context of the application or process and the file. The security context is taken from the SELinux policy database. Permission is then granted or denied. Security-Enhanced Linux (SELinux) is a security architecture for Linux that gives administrators more control over who can access the system.
How to Secure Linux Servers With SELinux
SELinux Modes
In the config file, we can set one of the following modes:
- Enforcing – Enabled by default, filters based on defined policies.
- Permissive – Does not enforce the defined policies, but records all of the attempts in log files. This mode is useful for troubleshooting.
- Disabled – SELinux is completely disabled. This is not recommended as it might expose your system to threats. Also, reverting to enforcing could create certain discrepancies.
You can check your current SELinux mode with the below commands:
If you only need to change the mode for the current session, you can use the below commands:
- sudo setenforce 0 – sets permissive mode for current session
- sudo setenforce 1 – sets enforcing mode for current session
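Because setenforce only changes the mode for the current session, the running mode and the mode in the config file can differ. The script below is an added example, not part of the original article: it compares the two and reports any mismatch. The default path /etc/selinux/config, the function names and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode set for the next boot.

# Print the SELINUX= value from a config file, lowercased (empty if absent).
# Assumption: the file is /etc/selinux/config unless a path is given.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" 2>/dev/null | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the running mode lowercased, or "unknown" when getenforce is not installed.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo unknown
    fi
}

# assess_modes RUNTIME CONFIGURED: print a finding; return 0 only if enforcing in both.
assess_modes() {
    case "$1:$2" in
        enforcing:enforcing)
            echo "OK: enforcing now and at next boot"; return 0 ;;
        permissive:enforcing)
            echo "WARN: permissive now (for example after setenforce 0); denials are logged, not blocked"
            return 1 ;;
        enforcing:permissive|enforcing:disabled)
            echo "WARN: enforcing now, but the config file sets $2 for the next boot"
            return 1 ;;
        disabled:*)
            echo "FAIL: SELinux is disabled; config file says '${2:-unset}'"; return 2 ;;
        *)
            echo "WARN: runtime='${1:-unset}' configured='${2:-unset}'"; return 1 ;;
    esac
}

# Demo on a constructed config file so the script runs on any machine.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '#SELINUX=disabled' 'SELINUX=permissive' \
    'SELINUXTYPE=targeted' > "$sample"
assess_modes enforcing "$(configured_mode "$sample")" || true
rm -f "$sample"
# On a real host: assess_modes "$(runtime_mode)" "$(configured_mode)"
```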
SELinux Policies
In SELinux, policies define access to users. Users define access to roles, and roles define access to domains. Domains then provide access to specific files.
To change and modify access, 'booleans' are defined. We'll look into booleans in the next section.
How to manage SELinux policies with booleans
As you now know, SELinux policies are managed by booleans. Let's see a working example of how you'd view and set a boolean. In this example, we will set booleans specific to httpd.
Step 1: First, list all booleans specific to httpd – getsebool -a | grep httpd. Here -a lists all booleans.
Step 2: Next, let's select one boolean from that list, httpd_can_connect_ftp, and check its current value:
- getsebool httpd_can_connect_ftp
Step 3: Now, set the value to allow. The -P option makes the change persist across reboots.
- setsebool -P httpd_can_connect_ftp 1
Final Words
We hope you understand this article, How to Secure Linux Servers With SELinux. SELinux is not an operating system. It is a kernel security module that is present in the Linux kernel. It provides support for access control security policies and mandatory access control (MAC). If you are a system administrator and know the Unix system well, you should use SELinux. It increases the security of your server and minimizes the attack surface.