
Introduction

SELinux is a security mechanism built into the Linux kernel. Linux distributions such as CentOS, RHEL, and Fedora are equipped with SELinux by default.

SELinux improves server security by defining and restricting how the server processes requests and how users interact with sockets, network ports, and essential directories.

For example, if an unauthorized user gains access, that access is restricted to a specified section of the server, limiting the damage caused by the data breach. SELinux can also obstruct the installation of software packages or terminate processes during regular use.

Prerequisites

  • A user account with sudo privileges
  • Access to a terminal/console
  • An RHEL-based system, such as CentOS 7
  • A text editor, such as nano

SELinux Modes

SELinux has 3 modes.

  • Enforcing mode: This is the default mode. It blocks and logs actions that are against defined policy.
  • Permissive mode: Allows actions to take place and logs the events in detail. This mode is useful when testing SELinux features. Changing modes between enforcing and permissive does not require a system reboot.
  • Disabled mode: Allows for all actions and does not log any activity. Changing to this mode requires a system reboot for it to apply.

Check Status of SELinux

To check the current settings, type the following command in your terminal:

sestatus

The output confirms that SELinux is disabled.


How to Enable SELinux

To enable SELinux, follow these steps:

1. We need to change the status of the service in the /etc/selinux/config file. Use a text editor such as nano.

For example, using nano, open the file with the command:

sudo nano /etc/selinux/config

2. You are now able to change the mode of SELinux to either enforcing or permissive.

Edit the marked line to the mode you need.


3. Next press CTRL + X to save changes and exit the edit mode. Hit ‘y’ and press Enter to confirm.

4. To reboot, enter:

sudo reboot

5. Check the status of SELinux by entering sestatus in the command line once again.

The result now confirms that the service is enabled and in enforcing mode.


Change SELinux Mode

Instead of disabling SELinux completely, a good option is to set it to permissive mode. As actions take place, they will leave a trail in the log file.

Note: By default, SELinux log messages are located in the /var/log/audit/audit.log file.

To change the mode from enforcing to permissive, type:

sudo setenforce 0

To turn the enforcing mode back on, enter:

sudo setenforce 1

These changes only apply to the current session. They revert to the default after a reboot. To make the changes permanent, edit the configuration file using a text editor, as described above.
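
Because setenforce changes last only for the session, the mode in /etc/selinux/config and the running mode can disagree. The script below is an added example, not part of the original article: the function names are hypothetical, getenforce is the standard command that prints the runtime mode, and reading only the first uncommented SELINUX= line is a simplifying assumption.

```shell
#!/bin/sh
# Added example: detect drift between the persistent and the runtime SELinux mode.

# Print the mode from the first uncommented SELINUX= line of a config file.
# Assumption: only that first line is considered (a simplification).
configured_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | head -n 1 |
        tr '[:upper:]' '[:lower:]'
}

# Print the runtime mode in lowercase.
# Assumption: a host without getenforce is reported as "disabled".
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo disabled
    fi
}

# Classify a (configured, runtime) pair of modes.
compare_modes() {
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo invalid-config; return 0 ;;
    esac
    if [ "$1" = "$2" ]; then
        echo consistent            # file and running system agree
    elif [ "$1" = disabled ] || [ "$2" = disabled ]; then
        echo reboot-required       # enabling or disabling needs a reboot
    else
        echo session-only          # setenforce was used; lost at next reboot
    fi
}

# Constructed sample of /etc/selinux/config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
# The file says enforcing, while "setenforce 0" left the session permissive.
compare_modes "$(configured_mode "$sample")" permissive
rm -f "$sample"
# On a real host:
#   compare_modes "$(configured_mode /etc/selinux/config)" "$(runtime_mode)"
```

A result of session-only on a server that should be enforcing means the permissive state was set with setenforce and should be reviewed against /var/log/audit/audit.log before the next reboot restores the configured mode.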

Conclusion

Now you know how to enable SELinux on CentOS 7. Start protecting your servers today.


Post Author: hwq
