Managing SELinux (Security-Enhanced Linux)

2 types of security:
DAC (discretionary access control) => rwx
MAC (mandatory access control) => SELinux

There are two policy types in SELinux
1> Targeted : we use this
2> MLS (multi-level security) : this is only used by NASA and other research agencies. Here we can create our own code to set SELinux booleans.

3 modes of SELinux:
1> enforcing : in this mode SELinux strictly checks all security rules and blocks tasks that violate them.
2> permissive : it checks but only gives a warning and allows the task to run.
3> disabled

Selinux policy => Kernel => 1. user/services permission 2.r/w/x 3.file/dir/daemon
===========================================

1> How to check Selinux status
#sestatus

=================================================================================
2> How to check security context
i> Process #ps -Z : adds a column of security data. Identical to -M (for SELinux)
ii> User #id -Z : prints only the security context of the current user
iii> File/folder #ls -Z : displays the security context

u : user
c : category
r : role
t : type
s : sensitivity.
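
The fields listed above, split out of a context string as printed by ls -Z, ps -Z or id -Z. This is an added example, not part of the original post; the function names ctx_field and type_matches and the sample contexts are constructed for illustration, and a level range where both ends carry categories is not split further.

```sh
#!/bin/sh
# ctx_field CONTEXT FIELD -> prints user|role|type|sensitivity|category
# Context layout: user:role:type[:sensitivity[:category]]
ctx_field() {
    case $1 in *:*:*) ;; *) return 1 ;; esac   # need at least u:r:t
    _rest=$1
    _user=${_rest%%:*}; _rest=${_rest#*:}
    _role=${_rest%%:*}; _rest=${_rest#*:}
    _type=${_rest%%:*}
    # Everything after the third ':' is the level. It can contain ':' itself
    # (s0-s0:c0.c1023), so it is not split like the first three fields.
    case $_rest in *:*) _level=${_rest#*:} ;; *) _level= ;; esac
    _sens=${_level%%:*}
    case $_level in *:*) _cat=${_level#*:} ;; *) _cat= ;; esac
    case $2 in
        user)        printf '%s\n' "$_user" ;;
        role)        printf '%s\n' "$_role" ;;
        type)        printf '%s\n' "$_type" ;;
        sensitivity) printf '%s\n' "$_sens" ;;
        category)    printf '%s\n' "$_cat" ;;
        *) return 2 ;;
    esac
}

# type_matches CONTEXT EXPECTED_TYPE -> exit status 0 if the type field matches.
# Useful for spotting a file whose type was changed with chcon.
type_matches() {
    [ "$(ctx_field "$1" type)" = "$2" ]
}

# Constructed sample contexts (not taken from a real system).
FILE_CTX='system_u:object_r:etc_t:s0'
USER_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

for ctx in "$FILE_CTX" "$USER_CTX"; do
    printf '%s\n  user=%s role=%s type=%s sensitivity=%s category=%s\n' "$ctx" \
        "$(ctx_field "$ctx" user)" "$(ctx_field "$ctx" role)" \
        "$(ctx_field "$ctx" type)" "$(ctx_field "$ctx" sensitivity)" \
        "$(ctx_field "$ctx" category)"
done
```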

=================================================================================
3> change security context type
#chcon -t etc_t text.txt

=================================================================================
4> Restore previous context type
#restorecon -Rv text.txt

=================================================================================
5> #fixfiles :: Fix file selinux security context

i> restore by service name
#fixfiles -R httpd restore

ii> restore for all services
#fixfiles -F restore
Or
create an ‘.autorelabel’ file at ‘/’ and reboot
#touch /.autorelabel

=================================================================================
6> Change Selinux mode
1> temporary /current mode
check current selinux mode
#getenforce

Change current selinux mode
#setenforce 1 => enforcing
#setenforce 0 => permissive

2> change selinux mode permanently / config file
#lokkit --selinux=enforcing
#lokkit --selinux=permissive
#lokkit --selinux=disabled

Or
#vim /etc/selinux/config
Or
#vim /etc/sysconfig/selinux
SELINUX=permissive

:wq
=================================================================================
7> show selinux booleans
#getsebool -a

=================================================================================
8> ON/OFF selinux booleans
Temporarily
#setsebool ftp_home_dir on/off
Or
#setsebool ftp_home_dir 1/0

Permanently
#setsebool -P ftp_home_dir on   (capital P)

=====================================================================================
Logs and service
Logs => /var/log/audit/audit.log

service => auditd
#service auditd status

=====================================================================================
