Setting up SELinux on CentOS 7 adds a second layer of protection on top of the standard Linux file permissions. SELinux (Security-Enhanced Linux) is a security mechanism built directly into the Linux kernel that provides mandatory access control: every process is confined to a policy-defined domain, so a compromised or misconfigured service can only reach the resources its domain is allowed to touch. Red Hat-based distributions such as CentOS, RHEL, and Fedora ship with SELinux installed and enabled by default, which is a large part of why they are considered hardened out of the box. Enabling it on CentOS 7 makes sure your server gets this protection and limits the damage a single exploited service can do.
Once configured, SELinux restricts how server processes and users interact with files, directories, sockets, and network ports, and it logs every denied access so that problems can be traced and fixed. Together these considerably reduce the risk posed by a compromised service.
This post walks through the steps to set up SELinux on CentOS 7 as part of our server management plan. You can also contact our 24/7 technical support team for further migration and configuration help.
Why it is essential to set up SELinux on CentOS 7
Before setting up SELinux on CentOS 7, let us have a quick look at why it is worth doing.
SELinux implements Mandatory Access Control (MAC). It works on top of the Discretionary Access Control (DAC) that every Linux distribution already provides: a request has to pass the normal permission check first, and only then is it checked against the SELinux policy.
The traditional security model knows three entities, user, group, and other (u, g, o), each combined with read, write, and execute (r, w, x) permissions on a file.
When a user creates a file in their home directory, that user owns it and decides what the group and everyone else may do with it. In the example below the owner has full access, the group may read and write, and others may only read.
Use the following command to check the contents of the home directory.
# ls -l /home/tom/
output
total 4
-rwxrw-r--. 1 tom tom 41 Aug 6 22:45 myscript.sh
Here the file owner (or root) can grant or deny access to other users or groups at will; nothing constrains what a process running as that owner may touch.
With SELinux, on the other hand, the policy defines what a user or process may do regardless of who owns the file.
Every process is bound to a domain, and the policy allows that domain to interact only with certain types of files, ports, and other objects; everything else is denied and logged, even for processes running as root.
We use a test server that runs both a web and an SFTP server.
Start from a minimal CentOS 7 installation and install the Apache and vsftpd daemons.
We will not configure either of these applications beyond installing them.
Create a test user account on the server first, and then install the SELinux-related packages described below.
Installing Apache and SFTP Services
First, log into the server as the root user and run the following command to install Apache:
# yum install httpd
Use the following command to start the daemon manually (on CentOS 7 the service command is redirected to systemctl start httpd):
# service httpd start
Next, install vsftpd:
# yum install vsftpd
Installing SELinux Packages
SELinux is split across several packages, some of which are installed by default. The list below applies to Red Hat-based distributions such as CentOS 7.
1. policycoreutils
2. policycoreutils-python
3. selinux-policy
4. selinux-policy-targeted
5. libselinux-utils
6. setroubleshoot-server
7. setools
8. setools-console
9. mcstrans
Run the following command to check which SELinux packages are installed on CentOS 7. Note that it only lists packages whose name contains "selinux"; policycoreutils, setroubleshoot-server, setools, setools-console and mcstrans do not match, so check for those by name, for example with rpm -q policycoreutils-python.
# rpm -qa | grep selinux
If any package is missing, install it with yum, substituting the package name:
# yum install package_name
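As an added example (not part of the original post), the following shell function compares the package list above against the package names actually installed. It expects the output of rpm -qa --qf '%{NAME}\n' on standard input, so that version and architecture suffixes do not get in the way of the comparison; the sample input at the bottom is constructed for illustration and deliberately leaves two packages out.

```shell
#!/bin/sh
# Packages from the list above that a CentOS 7 SELinux setup expects.
SELINUX_REQUIRED="policycoreutils policycoreutils-python selinux-policy \
selinux-policy-targeted libselinux-utils setroubleshoot-server setools \
setools-console mcstrans"

# selinux_missing_packages: read installed package NAMES (one per line, as
# printed by `rpm -qa --qf '%{NAME}\n'`) from stdin and print the names from
# SELINUX_REQUIRED that are not among them, one per line.
# Returns 0 when nothing is missing and 1 otherwise.
selinux_missing_packages() {
    installed=$(cat)
    missing=""
    for pkg in $SELINUX_REQUIRED; do
        # Whole-line, fixed-string match so that "selinux-policy" does not
        # satisfy "selinux-policy-targeted" (or the other way round).
        if ! printf '%s\n' "$installed" | grep -qxF "$pkg"; then
            missing="$missing $pkg"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' $missing
        return 1
    fi
    return 0
}

# Constructed sample: what `rpm -qa --qf '%{NAME}\n'` might print on a
# minimal install before setroubleshoot-server and mcstrans were added.
SAMPLE_INSTALLED='bash
policycoreutils
policycoreutils-python
selinux-policy
selinux-policy-targeted
libselinux-utils
setools
setools-console
yum'

# On a real CentOS 7 host, feed the live package database instead:
#   rpm -qa --qf '%{NAME}\n' | selinux_missing_packages | xargs -r yum install -y
echo "Packages missing from the constructed sample:"
printf '%s\n' "$SAMPLE_INSTALLED" | selinux_missing_packages \
    || echo "(install them with: yum install <name>)"
```

The non-zero return code makes the function usable as a gate in a provisioning script: if it fails, the server is not ready to have SELinux enabled.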
SELinux Modes
SELinux runs in one of three possible modes:
1. Enforcing
2. Permissive
3. Disabled
In enforcing mode, any access the loaded policy does not allow is denied, and each denial is written to the audit log (/var/log/audit/audit.log, with a human-readable summary from setroubleshoot in /var/log/messages).
Permissive mode is a semi-enabled state: nothing is denied, but every action that would have violated the policy is still logged, so you can see exactly what enforcing mode would block.
In disabled mode no policy is loaded at all, and files created in the meantime receive no security labels, which is why a relabel is needed when SELinux is switched back on. Always test in permissive mode before switching to enforcing.
Checking SELinux Modes and Status
To check the current SELinux mode, run the getenforce command:
# getenforce
or, for more detail, run the sestatus command:
# sestatus
SELinux Configuration File
The main configuration file for SELinux is /etc/selinux/config.
To view its contents, run:
# cat /etc/selinux/config
output
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Enabling and Disabling SELinux
Disabling SELinux is a single edit, but enabling it on a system where it has been disabled should be done in two steps: run in permissive mode first and review the logs, then switch to enforcing. This section assumes SELinux is currently disabled (SELINUX=disabled in the config file, as shown above).
First, edit the SELINUX directive in /etc/selinux/config and set it to permissive. On CentOS 7, /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so editing either path changes the same file:
# vi /etc/sysconfig/selinux
...
SELINUX=permissive
...
Files created while SELinux was disabled carry no security labels, so request a full filesystem relabel on the next boot by creating the empty marker file .autorelabel in the root directory (/.autorelabel), for example with the touch command. Then reboot the system; the relabel runs before login and can take several minutes on a large filesystem:
# reboot
After logging into the server again as root, search /var/log/messages for the string "SELinux is preventing".
Run the command:
# grep "SELinux is preventing" /var/log/messages
If nothing is found, great; move on to the next step. Any lines that do appear describe actions the policy would have blocked in enforcing mode, and they need to be resolved (by fixing file labels or the application's configuration) before you enforce.
You can also search more broadly for any line containing "SELinux" in /var/log/messages.
Run the command:
# grep "SELinux" /var/log/messages
Messages of the following kind can be safely ignored:
Mar 22 11:31:02 localhost kernel: SELinux: Initializing.
Mar 22 11:31:17 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:31:22 localhost journal: Unable to lookup SELinux process context: Invalid argument
Mar 22 11:33:20 localhost gnome-session: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
Mar 22 11:37:16 localhost kernel: SELinux: Initializing.
Mar 22 11:37:18 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:37:24 localhost journal: Unable to lookup SELinux process context: Invalid argument
Aug 20 11:37:45 localhost gnome-session: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
Mar 22 11:39:43 localhost kernel: SELinux: Initializing.
Mar 22 11:39:45 localhost kernel: SELinux: Disabled at runtime.
Mar 22 11:39:51 localhost journal: Unable to lookup SELinux process context: Invalid argument
These lines were logged while SELinux was still disabled, before the reboot into permissive mode; they do not indicate a problem with the policy.
In the second phase, change the SELINUX directive from permissive to enforcing in the same file:
# vi /etc/sysconfig/selinux
...
SELINUX=enforcing
...
Reboot the server:
# reboot
Once the server is back online, run the sestatus command to check the SELinux status. Note the output below: Current mode is still permissive and Mode from config file reads error (Success), which is what sestatus prints when it cannot find a valid SELINUX= line in the config file. If you see this, re-check /etc/selinux/config for a misspelled, duplicated, or missing SELINUX= directive and reboot again; the expected output after a clean reboot into enforcing mode is shown in the next section.
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: error (Success)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Check the /var/log/messages file again:
# grep "SELinux" /var/log/messages
The output should report the policy being loaded and contain no errors:
Mar 22 11:42:06 localhost kernel: SELinux: Initializing.
Mar 22 11:42:09 localhost systemd[1]: Successfully loaded SELinux policy in 183.302ms.
Mar 22 11:44:25 localhost kernel: SELinux: Initializing.
Mar 22 11:44:28 localhost systemd[1]: Successfully loaded SELinux policy in 169.039ms.
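The following is an added example (not from the original post) with three small shell helpers for the two-phase procedure above and the config file described in the previous section: reading the active SELINUX= value while ignoring the commented header lines (a plain grep for SELINUX= matches those too), changing it without creating a second directive or replacing the /etc/sysconfig/selinux symlink with a regular file, and counting "SELinux is preventing" lines in the log. The config file and log at the bottom are constructed copies so the walk-through runs without root and never touches the real /etc/selinux/config; the two denial lines in the sample log are made up for illustration.

```shell
#!/bin/sh
# Helpers for the two-phase switch described above, kept free of the
# reboot/root steps so they can be exercised on a copy of the config file.

# selinux_config_get FILE KEY: print the value of the active (uncommented)
# KEY= line. The header of /etc/selinux/config contains lines such as
# "# SELINUX= can take one of these three values:", so the match is
# anchored at line start to skip comments.
selinux_config_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# selinux_config_set FILE KEY VALUE: rewrite the active KEY= line in place,
# leaving comments untouched, or append one if none exists. Only the values
# the file documents are accepted, because an unrecognised SELINUX= value
# makes sestatus report "Mode from config file: error (...)". The file is
# rewritten with `cat >` rather than `mv`, so if FILE is the symlink
# /etc/sysconfig/selinux its target /etc/selinux/config is what changes.
selinux_config_set() {
    file=$1 key=$2 value=$3
    case "$key=$value" in
        SELINUX=enforcing|SELINUX=permissive|SELINUX=disabled) ;;
        SELINUXTYPE=targeted|SELINUXTYPE=minimum|SELINUXTYPE=mls) ;;
        *) echo "refusing to set $key=$value" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q "^[[:space:]]*$key=" "$file"; then
        sed "s/^[[:space:]]*$key=.*/$key=$value/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp" && printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# selinux_denials LOGFILE: print how many "SELinux is preventing" lines the
# log contains; anything above zero means enforcing mode would have blocked
# something that needs attention before the second reboot.
selinux_denials() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c "SELinux is preventing" "$1" || true
}

# Constructed copies of /etc/selinux/config and /var/log/messages; the
# config is the one shown earlier in this post, the denial lines are made up.
# DEMO_DIR is left in place so the result can be inspected.
DEMO_DIR=$(mktemp -d)
DEMO_CONFIG=$DEMO_DIR/config
DEMO_LOG=$DEMO_DIR/messages
cat > "$DEMO_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
cat > "$DEMO_LOG" <<'EOF'
Mar 22 11:42:06 localhost kernel: SELinux: Initializing.
Mar 22 11:42:09 localhost systemd[1]: Successfully loaded SELinux policy in 183.302ms.
Mar 22 11:45:10 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.
Mar 22 11:45:12 localhost setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the directory upload.
EOF

# Phase one on the copy: disabled -> permissive, then look at the denials.
echo "before: SELINUX=$(selinux_config_get "$DEMO_CONFIG" SELINUX)"
selinux_config_set "$DEMO_CONFIG" SELINUX permissive
echo "after:  SELINUX=$(selinux_config_get "$DEMO_CONFIG" SELINUX)"
echo "denials logged: $(selinux_denials "$DEMO_LOG")"
```

On a real host pass /etc/selinux/config and /var/log/messages; the functions do not reboot or relabel, so creating /.autorelabel and rebooting remain manual steps, and a non-zero denial count means fixing labels before moving on to enforcing.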
- Checking SELinux Modes and Status (Again)
To check the SELinux mode, run the getenforce command:
# getenforce
If the system is running in enforcing mode, the output is:
Enforcing
The output will be different if SELinux is disabled:
Disabled
For a fuller picture, run the sestatus command:
# sestatus
Output
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
When SELinux is disabled, the output will show:
SELinux status: disabled
Use the setenforce command to switch between enforcing and permissive mode temporarily; the change lasts only until the next reboot and does not touch the config file.
Note: setenforce does not work when SELinux is disabled; enabling or disabling SELinux requires editing the config file and rebooting.
To change the SELinux mode from enforcing to permissive on CentOS 7:
# setenforce permissive
Running sestatus will now show the difference between the current mode and the mode defined in the config file:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
To switch back to enforcing:
# setenforce enforcing
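Because a setenforce permissive that nobody switched back leaves the server unprotected until the next reboot, the mismatch shown in the sestatus output above is worth checking for automatically. As an added example (not from the original post), this shell function reads sestatus output on standard input and fails when the running mode differs from the configured one; the two sestatus transcripts embedded below are constructed from the output shown on this page.

```shell
#!/bin/sh
# selinux_mode_drift: read `sestatus` output on stdin, print both modes and
# return 1 when the running mode differs from the one in /etc/selinux/config
# (someone ran setenforce, or the config file could not be parsed, which
# sestatus shows as "error (...)"). Returns 0 when the two agree, and 1 with
# a "status=" line when SELinux is not enabled at all.
selinux_mode_drift() {
    awk -F': *' '
        /^SELinux status:/        { status = $2 }
        /^Current mode:/          { cur = $2 }
        /^Mode from config file:/ { cfg = $2 }
        END {
            if (status != "enabled") { print "status=" status; exit 1 }
            printf "current=%s config=%s\n", cur, cfg
            if (cur == cfg) exit 0
            exit 1
        }'
}

# Constructed sestatus output, as on the page after `setenforce permissive`:
# permissive at runtime while the config file still says enforcing.
SESTATUS_DRIFTED='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28'

# The same host after `setenforce enforcing`: both modes agree again.
SESTATUS_CLEAN=$(printf '%s\n' "$SESTATUS_DRIFTED" \
    | sed 's/^Current mode: *permissive/Current mode:                   enforcing/')

# Typical use on a live host, e.g. from cron, to catch a forgotten setenforce:
#   sestatus | selinux_mode_drift || logger -p auth.warning "SELinux mode drift"
printf '%s\n' "$SESTATUS_DRIFTED" | selinux_mode_drift || echo "drift detected"
printf '%s\n' "$SESTATUS_CLEAN" | selinux_mode_drift && echo "modes agree"
```

The check deliberately treats "error (...)" in the config-file field as drift too: a server whose config cannot be parsed will not come back up in the mode you expect.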
Conclusion
In short, follow the steps above to set up SELinux on CentOS 7. SELinux adds mandatory access control on top of the standard Linux permissions and considerably raises the security of the server; run it in permissive mode first, review the logs, and only then switch to enforcing.