linux, how to, android

SELinux can help you secure your server from malfunctioning processes or applications. Developed by the NSA (National Security Agency) to secure government devices from attackers, the security enhanced (SE) Linux architecture uses security protocols to restrict access to system resources. Find out how you can use it for your server.

Content

  • SELinux Architecture
  • How to Install or Enable SELinux
  • How to Configure SELinux
  • SELinux Policies
  • How to Handle SELinux Errors
  • How to Disable SELinux
  • Frequently Asked Questions

SELinux Architecture

SELinux is a kernel module that can be enabled or disabled by the system admin. As the access to files and network ports is limited following a security policy, a faulty program or a misconfigured daemon can’t make a huge impact on system security.

When an application or process requests file access in the SELinux system, it first checks the access vector cache (AVC). If permission is previously cached, then it returns with the file for the requested application. If the permission is not cached, then it sends the request to the security server. The security server checks all the security policies in its database. Depending on the security policy, permission is then granted or declined.

There is no concept of root or superuser in SELinux. The security of an unmodified Linux distribution without SE Linux depends on kernel correctness, all of the privileged applications, and their configurations. fault or bug in any of these components can create an attacking surface and compromise the system.

On the other hand, a modified Linux system with SELinux primarily depends on the correctness of the kernel and security policies.

How to Install or Enable SELinux

SELinux stands for Security Enhanced Linux. SELinux has been a part of the Linux kernel since 2003. Therefore, you don’t have to install it separately. In most desktop Linux distributions, however, it’s disabled by default.

linux, how to, android

SELinux has three main modes: Enforced, Permissive, and Disabled. Let’s discuss them briefly:

  1. Enforced: This activates and protects the Linux system using security policies.
  2. Permissive: It doesn’t enforce the security policies but logs everything. This mode is useful for troubleshooting purposes.
  3. Disabled: It deactivates SELinux. This option is not recommended, and if you re-enable the SELinux in your system, this leads to errors due to changes in labeling.

Note: Ubuntu is shipped with AppArmor, an alternative to SELinux. While SELinux is available on Ubuntu, it is not compatible with AppArmor and may break your system if enabled. If you really need to use SELinux in Ubuntu, make sure you disable AppArmor and do intensive testing (start with permissive mode first) before using it for production use.

  1. To activate SELinux in your system, you have to edit the “/etc/selinux/config” file. Open this file in your text editor.
sudo nano /etc/selinux/config
  1. Inside the config file, set SELINUX=permissive . Press Ctrl + O and hit Enter to save the file and press Ctrl + X to exit the editor. SELinux is now activated in your system.

Note: if you try to enforce SELinux directly before making it permissive, it may mislabel files and processes and prevent you from booting.

  1. To automatically relabel the filesystem, make a file called “.autorelabel” in your root filesystem. Now when you boot your system, SELinux will automatically relabel your filesystem. To reduce errors, keep the SELINUX=permissive option as it is in the config folder. After everything is relabeled, set SELinux to SELINUX=enforcing in “/etc/selinux/config” and reboot.

SELinux will be successfully enforced in your system.

How to Configure SELinux

SELinux is an architecture that allows system admins to control what can access the system resources. SELinux limits access to the system by using security policies. There are many ways to configure SELinux to protect your system, with the most popular being “targeted policy” and “multi-level security” (MLS).

A targeted policy is the default security policy. It covers a range of security policies, like file access, tasks, services, etc. Multi-level security (MLS) is generally used by government and large organizations, is very complicated to set up and requires a dedicated team to manage it.

You can check your current SELinux mode with the command getenforce and sestatus.

If you only need to change SELinux mode in the current session, you can run the following two commands.

  • sudo setenforce 0: Setting SELinux to the permissive mode for the current session.
  • sudo setenforce 1: Setting SELinux to enforcing mode for the current session.

SELinux Policies

SELinux works as a labeling system. It associates every file, port, and process with a label. Labels are a logical way of grouping things together. The kernel is responsible for managing the label during boot.

linux, how to, android

Image source: MIT

SELinux policies can be managed by booleans. For example, let’s set boolean to a daemon called httpd. httpd is an Apache HTTP server daemon that we use to run web servers in Linux.

To list all the modules specific to httpd, run the following command in your terminal:

getsebool -a | grep httpd

Here, the -a option lists all the booleans, and we use grep to filter out boolean related to only httpd. Read this article to know more about grep in Linux.

The output from the above command looks like the below image.

httpd_builtin scripting --> on  httpd_can_check_spam --> off  httpd can connect ftp --> off  httpd_can_connect_ldap --> off  httpd_can_connect_mythty --> off  httpd_can_connect_zabbix --> off  httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off  httpd_can_network_memcache --> off  httpd_can_network_relay --> off  httpd_can_sendmail --> off  httpd_dbus_avahi --> off  httpd dbus sssd--> off

From the list above, we take the httpd_can_connect_ftp boolean and change its value. First, read the value of httpd_can_connect_ftp, whether it is on or off:

getsebool httpd_can_connect_ftp

Let’s set the value of httpd_can_connect_ftp to allow.

setsebool -P httpd_can_connect_ftp 1

Here, 1 represents allow or on. The -P tag is used to make the change permanent. If you list the booleans related to httpd again, then we can see the change in the httpd_can_connect_ftp value to on.

httpd_builtin_scripting --> on  httpd_can_check_spam --> off  httpd can connect ftp --> on  httpd_can_connect_ldap --> off  httpd_can_connect_mythty --> off  httpd_can_connect_zabbix --> off  httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off  httpd_can_network_memcache --> off  httpd_can_network_relay --> off  httpd_can_sendmail --> off  httpd_dbus_avahi --> off  httpd dbus sssd--> off

How to Handle SELinux Errors

SELinux has 4 types of errors in general:

  1. The system has been broken: SELinux protects your system by restricting access, ut sometimes, this is not enough. If you get these errors, then your system may be compromised. Take necessary action as fast as possible.
  2. Bug in the policy: if there is a bug in the policy that needs to be fixed, this error appears.
  3. The labels are wrong: This error message appears during customization of labeling by the user or when auto labeling by SELinux goes south. There are many tools on the market to fix these label errors.
  4. A policy needs to be fixed: These errors originate when you make some changes to the system and don’t inform SELinux about it. You can fix this error using boolean or policy modules.

How to Disable SELinux

Disabling SELinux is never a good option for enterprise and government servers and public-facing devices that are very much prone to attack. But if you want to disable SELinux in your system, follow these instructions.

  1. Go to the SE Linux config file in “/etc/selinux” and change the SE Linux configuration mode from enforcing to permissive, then reboot your system.
  2. Change SELinux mode from permissive to disabled.

After the next reboot, SELinux in your system is disabled and becomes a normal Linux machine.

Frequently Asked Questions

Is SELinux present in Android?

Yes, SELinux is implemented in Android from version 4.3. It enhanced the Android security to protect Android users from cyber attacks.

Is SELinux a firewall?

SELinux is not a firewall. The firewall controls the traffic between the computer and the network. While SELinux controls and governs the filesystem and network access of different programs inside the system, we can think of SELinux as an internal firewall to protect the system from its programs.

Is SELinux an operating system?

SELinux is not an operating system. It is a kernel security module that exists in the Linux kernel. It provides support for access control security policies and mandatory access controls (MAC). To call it an operating system, it needs more than the kernel itself. In most of the Linux-based operating systems, you can use SELinux.

Should you use SELinux?

If you are a sysadmin and know the Unix system you should use SELinux, as it enhances the security of your server and minimizes the attacking surface. If you are not very familiar with Unix systems, you can also use Apparmour. This is relatively easier than SELinux. If you are a home user and use Linux only on your desktop computer, there is no need to use SELinux. It will just give you a headache to configure and reduce your productivity.

TECH NEWS RELATED

Full Modern Warfare 2 Multiplayer Reveal Coming Next Month

On Sept. 15, a “franchise showcase” livestream will be held called Call of Duty: Next. This promises to be a big event with plenty of new info shared regarding upcoming Call of Duty properties. You can expect the following from Call of Duty: Next, as given in a tweet: ...

View more: Full Modern Warfare 2 Multiplayer Reveal Coming Next Month

I switched to OperaGX and now I don’t want to go back to Chrome

The browser includes a fully customizable sidebar that houses messenger applications like Facebook Messenger, WhatsApp, Telegram, Instagram, Twitter and Discord, allowing you to stay connected directly from the browser while surfing or working

View more: I switched to OperaGX and now I don’t want to go back to Chrome

How to Undervolt Your CPU With Throttlestop in Windows

The more strenuous the tasks you carry out on your PC, the more your CPU (processor) will heat up and the more vital it is to reduce CPU temperature. This becomes particularly noticeable during gaming or heavyweight video-editing, but your CPU may be prone to overheating anyway if it’s ...

View more: How to Undervolt Your CPU With Throttlestop in Windows

Dragon Ball FighterZ Getting PS5, Xbox Series X|S Versions, & Rollback Netcode

During the celebrations for EVO 2022 Bandai Namco revealed news about its popular fighting game Dragon Ball FighterZ. The game is coming to PS5 and Xbox Series X|S, with a release date not yet announced. Upgrade will also be offered for free to those who have the PS4 and ...

View more: Dragon Ball FighterZ Getting PS5, Xbox Series X|S Versions, & Rollback Netcode

How to Access Your Linux (WSL) Files in Windows 10

Windows 10’s May 2019 Update introduced an easy, safe, and officially supported way to access and work with your Linux files from within File Explorer and other applications. Here’s how to get at your Windows Subsystem for Linux (WSL) files. Unlike previous methods, this is a safe way to ...

View more: How to Access Your Linux (WSL) Files in Windows 10

Samsung Galaxy Z Fold4 and Z Flip4 spotted in live images

Both Samsung Galaxy Z Flip4 and Z Fold4 are coming this week on August 10 at the Galaxy Unpacked 2022 launch event. Apparently, live images of both the foldable devices have appeared on the web showcasing a mesmerizing blue color shade that will debut with the two foldable devices ...

View more: Samsung Galaxy Z Fold4 and Z Flip4 spotted in live images

How to Manage Google Meet Invites From Google Calendar

Koshiro K/Shutterstock.com When you schedule a Google Meet through Google Calendar, you can manage your invitees right from the Meet interface. See who you invited, their RSVP status, notes, and if you made them optional. You can also open a Google Chat from Meet for those attendees who haven’t ...

View more: How to Manage Google Meet Invites From Google Calendar

Samsung’s Galaxy Z Fold 4 Won’t Have an S Pen Slot

Samsung via Equal Leaks Rumors suggested that the Galaxy Z Fold 4 could feature a dedicated S Pen slot, much like the Galaxy S22 Ultra or older Galaxy Note devices. But an accidental Amazon listing proves that the phone cannot hold an S Pen without an add-on case. The Amazon ...

View more: Samsung’s Galaxy Z Fold 4 Won’t Have an S Pen Slot

How to Enable Full Screen Caller ID in Truecaller

Disco Elysium keeps crashing or freezing on PC

How to Reset Illustrator Preferences on Windows PC

How to Turn Off Focused Inbox in Microsoft Outlook

How to Disable App Diagnostics in Windows 11

Melty Blood: Type Lumina Reveals Extensive Upcoming Updates at EVO 2022

Top 7 Ways to Fix Facebook Messenger Not Sending Videos

How to send a Calendar Event as an attachment in Outlook

Granblue Fantasy Relink Is “At the Peak of Development;” New Glimpse of Gameplay Revealed

How to Restart a Computer

Spotify Finally Fixes Its Stupid Play Button

How to sell ammo in Fallout 76

OTHER TECH NEWS

Top Car News Car News