Introduction to SELinux: Status Check, Enabling, Basic Commands

1. What is SELinux and why do you need it?

SELinux (Security-Enhanced Linux) is a security module that strengthens the traditional access control model by adding mandatory access control (MAC). It allows an admin to set stricter restrictions for users and even processes to minimize the potential damage from possible attacks.

What makes it unique?

Imagine your system is a house. Traditional access rights (rwx for user, group, and others) are like the keys to locks on doors. But what if someone breaks the door? SELinux becomes the second line of defense, strengthening protection with behavioral rules: "Hey, even if you're inside, you're not allowed in the bathroom!"

Main goals of SELinux:

  1. Protection from unauthorized access for processes and files.
  2. Minimizing damage from attacks, even if a process is hacked.
  3. The "default deny" principle (everything is forbidden unless explicitly allowed).

SELinux operating modes

SELinux can operate in three modes:

  1. Enforcing — active, applies security policy, and blocks violating processes.
  2. Permissive — only logs violations but doesn't block any actions.
  3. Disabled — completely turned off.

Fun fact:

SELinux in enforcing mode is like a strict older sibling for your system. Permissive is the younger sibling who just complains but doesn’t do anything.


2. Checking SELinux Status

First, let's see if SELinux is active and what mode it's running in. There are a few handy commands for this.

The getenforce Command

This command will simply tell you which mode is currently being used: Enforcing, Permissive, or Disabled.

$ getenforce
Enforcing

If the output is Disabled, then SELinux is turned off — which means you'll need to do a little work to enable it, but more on that later.

The sestatus Command

A more detailed status report of SELinux can be obtained with this command. It'll show the current state, active mode, and the policy in use.

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing

Here you can see:

  • enabled/disabled — whether SELinux is enabled.
  • current mode — the active mode (enforcing, permissive).
  • loaded policy name — which policy is loaded. For example, "targeted" means SELinux applies control only to key processes.

3. Switching SELinux Modes

To change the current SELinux operating mode, use the setenforce command.

Switching to permissive mode

If you want to temporarily "loosen the leash" of SELinux, you can enable permissive mode.

$ sudo setenforce 0

Now SELinux will only log violations but won't block them. You can check the new setting using the getenforce command:

$ getenforce
Permissive

Switching back to enforcing mode

When you want to re-enable strict control, run:

$ sudo setenforce 1

And, of course, check the result:

$ getenforce
Enforcing

This change is applied on the fly, but only until the next system reboot.


4. Enabling SELinux

If SELinux was turned off, you'll need to make changes in the configuration file. SELinux is managed through the file /etc/selinux/config.

Checking the current configuration file

Let’s see what's configured there. Use any text editor, for instance nano:

$ sudo nano /etc/selinux/config

You’ll see something like this:

# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted

Switching SELinux to an active state

To turn on SELinux, change the line SELINUX=disabled to SELINUX=enforcing or SELINUX=permissive.

Here’s an example of the file after changes:

# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted

After editing, save the file and reboot the system:

$ sudo reboot

Once your system restarts, you can check the status using sestatus to make sure SELinux is active.
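
Because setenforce only lasts until reboot and /etc/selinux/config only takes effect after one, the two can disagree. The following check compares them; it is an added example, not part of the original lesson, and the function names configured_mode and mode_drift are hypothetical.

```shell
#!/bin/sh
# Added example: compare the persistent mode in /etc/selinux/config
# with the runtime mode reported by getenforce.
# configured_mode and mode_drift are hypothetical helper names.

# Print the SELINUX= value from a config file, lower-cased.
# Comment lines are skipped; if the key appears more than once,
# this sketch reports the last one (an assumption).
configured_mode() {
  awk -F= '
    /^[ \t]*#/ { next }
    { key = $1; gsub(/[ \t]/, "", key) }
    key == "SELINUX" { val = $2; gsub(/[ \t]/, "", val); mode = tolower(val) }
    END { print (mode == "" ? "unset" : mode) }
  ' "$1"
}

# $1 = configured mode, $2 = runtime mode as printed by getenforce.
mode_drift() {
  cfg=$1
  run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$cfg" = "$run" ]; then
    echo "ok: $run now and after reboot"
  elif [ "$run" = "disabled" ]; then
    echo "pending: config says $cfg, takes effect after reboot"
  elif [ "$cfg" = "disabled" ]; then
    echo "warn: $run now, but disabled after reboot"
  else
    echo "drift: $run now (setenforce), $cfg after reboot"
  fi
}

# On a host with SELinux tools installed, report the live state.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
  mode_drift "$(configured_mode /etc/selinux/config)" "$(getenforce)"
fi
```

A "drift" result on a production host usually means someone ran setenforce 0 while troubleshooting and did not switch back.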


5. Understanding SELinux Contexts

What are contexts?

Contexts are labels that SELinux uses for access control. Every file, process, and user has its own context.

You can view file contexts using the command ls -Z. Here’s an example:

$ ls -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

What does this mean?

  1. unconfined_u — SELinux user.
  2. object_r — role (object_r is the role given to objects such as files).
  3. httpd_sys_content_t — type (in this case, related to the web server).
  4. s0 — security level.

Changing the context

If SELinux is blocking your application, you might need to change the file context. Use the chcon command:

$ sudo chcon -t httpd_sys_content_t /var/www/html/index.html

This command temporarily changes the file’s context type. However, the change might disappear after a reboot if the file system is relabeled, so for permanent settings, it’s better to modify SELinux policy (more on this later).


6. Example of Working with SELinux

Let’s look at an example. You’re a server admin who wants to deploy a web server, but SELinux is blocking access to files in the /var/www/html directory.

Steps:

  1. Check the status of SELinux:

    $ sestatus
    

    Make sure SELinux is enabled and running in enforcing mode.

  2. Check file contexts:

    $ ls -Z /var/www/html
    
  3. If the context is incorrect, change it:

    $ sudo chcon -t httpd_sys_content_t /var/www/html/*
    
  4. Verify the web server is working properly.


7. Common Mistakes and Issues

  1. SELinux is disabled, and you don't even notice it. Always check the status with sestatus. Many admins forget to enable SELinux after installing the system.

  2. "Why isn't my service working?" SELinux is blocking access. Use audit.log to analyze:

    $ sudo grep denied /var/log/audit/audit.log
    
  3. Context changes aren't being saved. Don't use chcon; instead, use commands that make permanent changes, such as semanage.
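
Raw grep output from audit.log is hard to read once a service generates many denials. The sketch below groups AVC records by process, source type, target type, class and permissions, and marks whether each was blocked or only logged (permissive=1). It is an added example, not part of the original lesson: the log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit.log-style input.
# sample_audit_log and summarize_avc are hypothetical names.

# Constructed sample records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:401): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:401): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000005.230:409): avc:  denied  { read } for  pid=2214 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.004:415): avc:  denied  { getattr open } for  pid=2214 comm="httpd" path="/var/www/html/app.log" dev="dm-0" ino=1377 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
EOF
}

# Output, most frequent first:
#   count comm source_type -> target_type tclass {perms} blocked|logged-only
# Limitation: a comm value containing spaces is not handled.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      comm = stype = ttype = tclass = perms = ""; mode = "blocked"
      # The permission list sits between "{ " and " }".
      s = index($0, "{ "); e = index($0, " }")
      if (s && e > s) perms = substr($0, s + 2, e - s - 2)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        # A context is user:role:type:level, so the type is field 3.
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
        if ($i == "permissive=1") mode = "logged-only"
      }
      n[comm " " stype " -> " ttype " " tclass " {" perms "} " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Demo on the constructed records; on a real host, feed it
# /var/log/audit/audit.log instead (reading it requires root).
sample_audit_log | summarize_avc
```

In the sample, httpd_t reading a file labeled user_home_t points at a wrongly labeled file under the web root, which is the situation the chcon step in section 6 addresses.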

Learning SELinux is kinda like training for a marathon: it might feel tough at first, but over time, you'll understand how this tool can seriously boost your system's security. Use this knowledge to become that admin who's unshakable, even when faced with the most advanced hacker.
