How to Check SELinux Status in CentOS 7

admin, 9 April 2024

Understanding SELinux and Its Importance in CentOS 7

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. It provides a means of enforcing security policies that a system administrator could not otherwise implement effectively. When working with CentOS 7, it’s crucial to know how to check the status of SELinux, as it plays a significant role in securing your system against unauthorized access.

Checking SELinux Status Using Command-Line Tools

There are several command-line tools available in CentOS 7 that you can use to check the status of SELinux on your system. These tools provide detailed information about the current mode of SELinux, its configuration, and policy settings.

Using the sestatus Command

The primary tool for checking SELinux status is the sestatus command. It provides a quick overview of the SELinux status and the current mode it is operating in.

sestatus

This command will output something similar to:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Each line of the output provides specific details about the SELinux configuration:

  • SELinux status: Indicates if SELinux is enabled or disabled.
  • SELinuxfs mount: Shows where the SELinux filesystem is mounted.
  • SELinux root directory: Displays the directory where SELinux configurations are stored.
  • Loaded policy name: The name of the loaded SELinux policy.
  • Current mode: The current mode of SELinux (enforcing, permissive, or disabled).
  • Mode from config file: The mode SELinux is configured to use at boot time.
  • Policy MLS status: Indicates if Multi-Level Security (MLS) is enabled.
  • Policy deny_unknown status: Shows whether SELinux denies unknown classes/permissions.
  • Max kernel policy version: The maximum policy version supported by the kernel.

Inspecting the /etc/selinux/config File

Another way to check the SELinux status is by inspecting the /etc/selinux/config file. This file contains the persistent configuration of SELinux that will be applied on system boot.

cat /etc/selinux/config

You’ll see contents like:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Here, the SELINUX= line indicates the default SELinux mode for the next boot, while the SELINUXTYPE= line shows the type of policy that will be used.

Using getenforce Command

For a more straightforward method, the getenforce command can be used. It simply returns the current mode SELinux is running in.

getenforce

The output will be either Enforcing, Permissive, or Disabled.

Interpreting SELinux Modes and States

Understanding the different modes and states of SELinux is essential for proper system administration. Here’s what each mode means:

  • Enforcing: SELinux policy is active, and any actions that violate the policy are blocked and logged.
  • Permissive: SELinux policy is not enforced but violations are still logged. This mode is useful for troubleshooting and policy development.
  • Disabled: SELinux is turned off; no policy is loaded, and no logging occurs.

Changing SELinux Modes Temporarily and Permanently

Sometimes, you may need to change the SELinux mode for troubleshooting or configuring certain services. You can do this temporarily or permanently.

Temporarily Changing SELinux Mode

To temporarily change the SELinux mode, use the setenforce command followed by either ‘0’ for permissive or ‘1’ for enforcing.

setenforce 0   # Sets SELinux to permissive mode
setenforce 1   # Sets SELinux to enforcing mode

Note that these changes last only until the next reboot, when the mode set in /etc/selinux/config is applied again. setenforce must be run as root.

Permanently Changing SELinux Mode

To permanently change the SELinux mode, edit the /etc/selinux/config file and modify the SELINUX= line to either ‘enforcing’, ‘permissive’, or ‘disabled’.

sudo nano /etc/selinux/config

# Change the following line accordingly
SELINUX=enforcing

After saving the changes and rebooting, the new SELinux mode will be applied.
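Because setenforce changes only the running mode and /etc/selinux/config only the mode for the next boot, the two can disagree. The following shell check is an added example, not part of the original article; its function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the running SELinux mode and the boot-time setting.
# Sample inputs are constructed; on a real host call:
#   selinux_posture "$(sestatus)" "$(cat /etc/selinux/config)"

SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

SAMPLE_CONFIG='# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

# Print the value of one sestatus field, e.g. "Current mode".
sestatus_field() {   # $1 = field name, stdin = sestatus output
    awk -F': *' -v key="$1" '$1 == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }'
}

# Print the last uncommented value of a key in /etc/selinux/config, lowercased.
config_value() {     # $1 = SELINUX or SELINUXTYPE, stdin = config file
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { val = $2; gsub(/[ \t]/, "", val) }
        END { print tolower(val) }'
}

# Compare runtime state with the persistent configuration and print a verdict.
selinux_posture() {  # $1 = sestatus output, $2 = config file contents
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    boot=$(printf '%s\n' "$2" | config_value SELINUX)
    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux is disabled at runtime"
    elif [ "$current" = "enforcing" ] && [ "$boot" = "enforcing" ]; then
        echo "OK: enforcing now and at next boot"
    elif [ "$current" = "enforcing" ]; then
        echo "WARN: enforcing now, but next boot is '$boot'"
    elif [ "$boot" = "enforcing" ]; then
        echo "WARN: running '$current' while config says enforcing (temporary setenforce?)"
    else
        echo "FAIL: '$current' now and '$boot' at next boot"
    fi
}

selinux_posture "$SAMPLE_SESTATUS" "$SAMPLE_CONFIG"
```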

Auditing and Troubleshooting SELinux Policies

When SELinux blocks an action, it logs the event. These logs are crucial for auditing and troubleshooting.

Working with Audit Logs

Audit logs are typically found in /var/log/audit/audit.log. To view SELinux-related entries, you can use the ausearch or grep commands.

ausearch -m avc -ts recent          # Lists recent SELinux policy violations
grep AVC /var/log/audit/audit.log   # Filters for AVC messages in audit log

AVC stands for Access Vector Cache, and these messages indicate that SELinux has denied access based on the current policy.
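To show what an AVC denial contains, the following added example (not from the original article) groups denials by process, source type, target type, object class and permission. The function name and the log lines are constructed, and the permissive= field is treated as optional since not every kernel logs it.

```shell
#!/bin/sh
# Added example: summarise AVC denials from audit log lines.
# The log lines below are constructed samples; on a real host (as root) run:
#   grep AVC /var/log/audit/audit.log | summarize_avc

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1712650001.101:310): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=5301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1712650001.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1712650007.554:318): avc:  denied  { read } for  pid=2101 comm="httpd" name="about.html" dev="dm-0" ino=5302 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712650042.009:331): avc:  denied  { name_connect } for  pid=2250 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Output format: "<count> <comm> <source type> -> <target type>:<class> { <perms> } <mode>"
# mode is "blocked" (permissive=0), "logged-only" (permissive=1) or "unknown" (field absent).
summarize_avc() {   # stdin = audit log lines
    awk '
    /^type=AVC / && /denied/ {
        comm = stype = ttype = tclass = ""; mode = "unknown"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i == "permissive=0") mode = "blocked"
            if ($i == "permissive=1") mode = "logged-only"
        }
        # The denied permissions sit between the braces: { read write }
        perms = $0
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        n[comm " " stype " -> " ttype ":" tclass " { " perms " } " mode]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```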

Understanding and Addressing Common Policy Violations

Common policy violations often involve mislabeled files or services attempting unauthorized actions. Tools like restorecon can relabel files, and the audit2allow utility can help generate custom policy modules to address violations.

restorecon -v /path/to/mislabeled/file   # Relabels a file to its default context
audit2allow -a -M mymodule               # Builds a custom module (mymodule.te, mymodule.pp) from all logged denials

Always review custom modules carefully before implementing them to avoid inadvertently weakening your system’s security.

Frequently Asked Questions

How do I know if SELinux is causing an issue with a service?

If a service isn’t functioning correctly and you suspect SELinux, set SELinux to permissive mode temporarily using setenforce 0. If the service starts working, then SELinux might be blocking it. Check the audit logs for AVC denials related to the service, and switch back to enforcing mode with setenforce 1 once you have finished testing.

Can I disable SELinux without rebooting?

No, disabling SELinux completely requires a system reboot. However, you can switch to permissive mode on the fly, which effectively stops SELinux from enforcing policies without needing to reboot.

Is it safe to run my CentOS 7 server with SELinux disabled?

Disabling SELinux removes an important layer of security from your server. It is generally recommended to keep SELinux in enforcing mode and configure policies to accommodate your services securely.

What is the difference between targeted and MLS policy types?

Targeted policies apply SELinux rules to targeted services, leaving others unconfined. MLS, or Multi-Level Security, applies strict SELinux rules across all processes, providing a higher level of security suitable for very sensitive environments.

How can I learn more about SELinux policies?

The selinux-policy-doc package provides extensive documentation on SELinux policies. Install it using yum install selinux-policy-doc and explore the documentation under /usr/share/doc/selinux-policy-*/html.
