Security-Enhanced Linux (SELinux) is an implementation of a mandatory access
control (MAC) mechanism in the Linux kernel, checking for allowed operations after
standard discretionary access controls (DAC) are checked. It was created by the National Security Agency and can enforce rules on files and processes in a Linux system, and on their actions, based on defined policy.
Let us begin by looking at the SELinux config file. The ‘/etc/selinux/config’ file is the main SELinux configuration file. It controls the SELinux mode and the SELinux policy to use. Run the ‘cat’ command or use an editor to view the
‘/etc/selinux/config’ file on your Oracle Linux 6 system.
The SELINUX option in the config file sets the mode SELinux runs in. SELinux has three modes:
• Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
• Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
• Disabled: SELinux is disabled. Only DAC rules are used.
When using enforcing mode, SELinux policy is enforced, and SELinux denies access based on SELinux policy rules. Denial messages are logged. When using permissive mode, SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running SELinux in enforcing mode. When using disabled mode, SELinux is disabled (the SELinux module is not registered with the Linux kernel), and only DAC rules are used.
In the example below, you can see that SELINUX mode is set to enforcing. This means SELinux is enabled on this system and enforcing the security policy. The SELINUXTYPE option sets the SELinux policy to use. There are two policies that can be used – Targeted and MLS policy. Targeted policy is the default policy as is also seen in the sample config file below.
[root@examplehost /]# cd /etc/selinux
[root@examplehost selinux]# ls
config restorecond.conf restorecond_user.conf semanage.conf targeted
[root@examplehost selinux]# cat config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@examplehost selinux]#
You can check the status of SELinux on your Oracle Linux 6 system using the ‘sestatus’ command as shown below. In the following sample output, you can see that SELinux is enabled and set to enforcing mode. The policy is targeted policy.
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 26
Policy from config file: targeted
[root@examplehost selinux]#
Another way to check the status of SELinux is by using the ‘getenforce’ command. The ‘getenforce’ command returns Enforcing, Permissive, or Disabled. In the example shown below, the ‘getenforce’ command returns Enforcing, which means SELinux is enabled on this system and enforcing the security policy.
[root@examplehost selinux]# /usr/sbin/getenforce
Enforcing
[root@examplehost selinux]#
The ‘policycoreutils-gui’ RPM package provides the ‘system-config-selinux’ command, which is a graphical tool for managing SELinux. Install the SELinux GUI tool on your Oracle Linux 6 systems by installing the ‘policycoreutils-gui’ RPM package.
First check to see if the ‘policycoreutils-gui’ RPM package is already installed on the system. In the example below, the ‘rpm’ query command does not return this package name, which means that the package is not installed.
[root@examplehost /]# rpm -qa | grep policycoreutils-gui
[root@examplehost /]#
We will install the ‘policycoreutils-gui’ RPM package using the ‘yum’ command.
[root@examplehost /]# yum install policycoreutils-gui
Loaded plugins: refresh-packagekit, security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package policycoreutils-gui.x86_64 0:2.0.83-19.24.0.1.el6 will be installed
--> Processing Dependency: policycoreutils-python = 2.0.83-19.24.0.1.el6 for package: policycoreutils-gui-2.0.83-19.24.0.1.el6.x86_64
package: setools-console-3.3.7-4.el6.x86_64 ...
... ...
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================
Package Arch Version Repository Size
===============================================================================
Installing:
policycoreutils-gui x86_64 2.0.83-19.24.0.1.el6 ol6_latest 206 k
Installing for dependencies:
audit-libs-python x86_64 2.2-2.el6 ol6_latest 59 k
gnome-python2-gtkhtml2 x86_64 2.25.3-20.el6 ol6_latest 21 k
gtkhtml2 x86_64 2.11.1-7.el6 ol6_latest 153 k
libcgroup x86_64 0.37-4.el6 .... ....
Transaction Summary
===============================================================================
Install 10 Package(s)
Total download size: 1.9 M
Installed size: 6.5 M
Is this ok [y/N]: y
... ... ... ...
Dependency Installed:
audit-libs-python.x86_64 0:2.2-2.el6
gnome-python2-gtkhtml2.x86_64 0:2.25.3-20.el6
gtkhtml2.x86_64 0:2.11.1-7.el6
libcgroup.x86_64 0:0.37-4.el6
libsemanage-python.x86_64 0:2.0.43-4.1.el6
policycoreutils-python.x86_64 0:2.0.83-19.24.0.1.el6
setools-console.x86_64 0:3.3.7-4.el6
setools-libs.x86_64 0:3.3.7-4.el6
setools-libs-python.x86_64 0:3.3.7-4.el6
Complete!
[root@examplehost /]#
You can now verify that you have the ‘system-config-selinux’ command on your system as shown below.
[root@examplehost /]# which system-config-selinux
/usr/bin/system-config-selinux
[root@examplehost /]#
You can also find this SELinux GUI application under the System -> Administration -> SELinux Management menu option.
Run the ‘system-config-selinux’ command to launch the SELinux GUI application or launch it from the System -> Administration -> SELinux Management menu option.
Disabling SELinux:
SELinux is enabled by default on Oracle Linux 6 systems. Some applications require disabling SELinux before they can be installed. We will now learn how to disable SELinux on Oracle Linux 6 systems.
To disable SELinux, set ‘SELINUX=disabled’ in the ‘/etc/selinux/config’ file.
[root@examplehost /]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security
Reboot your system after changing the value to ‘disabled’. After reboot, confirm using the ‘getenforce’ command or the ‘sestatus’ command that it returns Disabled.
[root@examplehost /]# /usr/sbin/getenforce
Disabled
[root@examplehost /]# /usr/sbin/sestatus
SELinux status: disabled
[root@examplehost /]#
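As an added example (not part of the original article), the script below compares the SELINUX= value in a config file with the running mode as printed by ‘getenforce’, and reports a mismatch such as an edited config on a host that has not yet been rebooted. The function names and the sample config contents are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit the SELinux mode settings described in this article.
# Function names are hypothetical; they are not part of any SELinux tool.

# Print the value of KEY (SELINUX or SELINUXTYPE) from a config file.
# Comment lines are skipped; this example uses the first uncommented match.
selinux_cfg_value() {
    local key=$1 file=$2
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$file" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare the configured mode with the running mode (as printed by getenforce).
# Prints one verdict line; returns 0 only when both are enforcing.
selinux_audit() {
    local file=$1 runtime=$2 configured
    configured=$(selinux_cfg_value SELINUX "$file")
    case $configured in
        enforcing|permissive|disabled) ;;
        *) echo "ERROR: no valid SELINUX= line in $file"; return 2 ;;
    esac
    # getenforce prints Enforcing/Permissive/Disabled; normalise to lower case.
    runtime=$(printf '%s' "$runtime" | tr '[:upper:]' '[:lower:]')
    if [ "$configured" != "$runtime" ]; then
        echo "DRIFT: config=$configured running=$runtime"
        return 1
    fi
    if [ "$configured" != enforcing ]; then
        echo "WARN: SELinux is $configured, policy is not enforced"
        return 1
    fi
    echo "OK: enforcing, policy=$(selinux_cfg_value SELINUXTYPE "$file")"
}

# Constructed sample: config edited to "disabled" but the host not yet rebooted.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=disabled
SELINUXTYPE=targeted
EOF
selinux_audit "$sample" "Enforcing" || true   # live host: "$(getenforce)"
rm -f "$sample"
```

On a live system, call it as selinux_audit /etc/selinux/config "$(/usr/sbin/getenforce)" and treat any non-zero return as a finding to review.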