How To Secure Your Linux Servers With SELinux

Protect your Linux server now!

SELinux can help you secure your server from malfunctioning processes or applications. Developed by the NSA (National Security Agency) to secure government devices from attackers, the security enhanced (SE) Linux architecture uses security protocols to restrict access to system resources. Find out how you can use it for your server.

Also read: What Is the Rc Shell and How to Install It in Linux

SELinux is a kernel module that can be enabled or disabled by the system admin. As the access to files and network ports is limited following a security policy, a faulty program or a misconfigured daemon can’t make a huge impact on system security.

When an application or process requests file access in the SELinux system, it first checks the access vector cache (AVC). If permission is previously cached, then it returns with the file for the requested application. If the permission is not cached, then it sends the request to the security server. The security server checks all the security policies in its database. Depending on the security policy, permission is then granted or declined.

There is no concept of root or superuser in SELinux. The security of an unmodified Linux distribution without SE Linux depends on kernel correctness, all of the privileged applications, and their configurations. fault or bug in any of these components can create an attacking surface and compromise the system.

On the other hand, a modified Linux system with SELinux primarily depends on the correctness of the kernel and security policies.

Also read: How to Use Rm Command in Linux

SELinux stands for Security Enhanced Linux. SELinux has been a part of the Linux kernel since 2003. Therefore, you don’t have to install it separately. In most desktop Linux distributions, however, it’s disabled by default.

SELinux has three main modes: Enforced, Permissive, and Disabled. Let’s discuss them briefly:

Note: Ubuntu is shipped with AppArmor, an alternative to SELinux. While SELinux is available on Ubuntu, it is not compatible with AppArmor and may break your system if enabled. If you really need to use SELinux in Ubuntu, make sure you disable AppArmor and do intensive testing (start with permissive mode first) before using it for production use.

Note: if you try to enforce SELinux directly before making it permissive, it may mislabel files and processes and prevent you from booting.

SELinux will be successfully enforced in your system.

Also read: How to Customize Your Linux Terminal Prompt Using Starship

SELinux is an architecture that allows system admins to control what can access the system resources. SELinux limits access to the system by using security policies. There are many ways to configure SELinux to protect your system, with the most popular being “targeted policy” and “multi-level security” (MLS).

A targeted policy is the default security policy. It covers a range of security policies, like file access, tasks, services, etc. Multi-level security (MLS) is generally used by government and large organizations, is very complicated to set up and requires a dedicated team to manage it.

You can check your current SELinux mode with the command getenforce and sestatus.

If you only need to change SELinux mode in the current session, you can run the following two commands.

SELinux works as a labeling system. It associates every file, port, and process with a label. Labels are a logical way of grouping things together. The kernel is responsible for managing the label during boot.

SELinux policies can be managed by booleans. For example, let’s set boolean to a daemon called httpd. httpd is an Apache HTTP server daemon that we use to run web servers in Linux.

To list all the modules specific to httpd, run the following command in your terminal:

Here, the -a option lists all the booleans, and we use grep to filter out boolean related to only httpd. Read this article to know more about grep in Linux.

The output from the above command looks like the below image.

From the list above, we take the httpd_can_connect_ftp boolean and change its value. First, read the value of httpd_can_connect_ftp, whether it is on or off:

Let’s set the value of httpd_can_connect_ftp to allow.

Here, 1 represents allow or on. The -P tag is used to make the change permanent. If you list the booleans related to httpd again, then we can see the change in the httpd_can_connect_ftp value to on.

Also read: How to Set Up WordPress Using Docker in Ubuntu

SELinux has 4 types of errors in general:

Disabling SELinux is never a good option for enterprise and government servers and public-facing devices that are very much prone to attack. But if you want to disable SELinux in your system, follow these instructions.

After the next reboot, SELinux in your system is disabled and becomes a normal Linux machine.

Also read: How to Set Up a Firewall in Linux

Yes, SELinux is implemented in Android from version 4.3. It enhanced the Android security to protect Android users from cyber attacks.

SELinux is not a firewall. The firewall controls the traffic between the computer and the network. While SELinux controls and governs the filesystem and network access of different programs inside the system, we can think of SELinux as an internal firewall to protect the system from its programs.

SELinux is not an operating system. It is a kernel security module that exists in the Linux kernel. It provides support for access control security policies and mandatory access controls (MAC). To call it an operating system, it needs more than the kernel itself. In most of the Linux-based operating systems, you can use SELinux.

If you are a sysadmin and know the Unix system you should use SELinux, as it enhances the security of your server and minimizes the attacking surface. If you are not very familiar with Unix systems, you can also use Apparmour. This is relatively easier than SELinux. If you are a home user and use Linux only on your desktop computer, there is no need to use SELinux. It will just give you a headache to configure and reduce your productivity.

Our latest tutorials delivered straight to your inbox

How to Copy and Paste Text, Files and Folders in Linux Terminal

How to Install Safari on Linux

How to Set Up Bluetooth in Linux

How to Fix Ubuntu Can't Open the Terminal Issue

How to Change the Keyboard Layout in Linux

The Best Linux Desktops for a Touchscreen Monitor

8 of the Best Linux Distros for Windows Users

12 of the Best Linux Distros in 2022

How to Add Your Own Custom Color in LibreOffice

The Beginner's Guide to Using Cron in Linux

Affiliate Disclosure: Make Tech Easier may earn commission on products purchased through our links, which supports the work we do for our readers.

Superior Quality, Competitive Price And Timely Service

Good After-Sales Service

Fast Delivery,Within 7 Days

How to Secure Your Linux Servers With SELinux - Make Tech Easier

Featured Products

News & Blog

SARS-CoV-2 environmental contamination from hospitalised patients with COVID-19 receiving aerosol-generating procedures | Thorax

Johnson & Johnson Consumer Inc. Issues Voluntary Recall of Specific NEUTROGENA® and AVEENO® Aerosol Sunscreen Products Due to the Presence of Benzene

Great Lakes Label Expands Product Offerings - Label and Narrow Web

Labeler Market Size worth USD 7.75 Billion by 2028 – Rise in the adoption of automatic labeling machines - Digital Journal

Email

DTM Print Adds New Label Material To OKI Pro10 Bundle - Label and Narrow Web

Email

Epson introduces liner-free thermal label printer | Kiosk Marketplace

Chicken blood in the chest freezer: Lancaster County restaurant inspections, March 11, 2022 | Restaurant Inspections | lancasteronline.com

Around the Web: Wreck Retrieval. Cover Clairvoyance. Container Questions. Salmon Suits. Battling Baker. Menschy Mirror. Head Heist. - WhatTheyThink