Centos 7 - How to selinux

From Linux - Help
Selinux


A quick guide on how to use SELinux with CentOS 7.

Confirm the current status of SELinux as follows. The default mode is "Enforcing":

          # display the current mode
          getenforce

All modes:

          # enforcing   ⇒ SELinux is enabled and the policy is enforced (default)
          # permissive  ⇒ the policy is not enforced; denials are only recorded in the audit log according to the policy
          # disabled    ⇒ SELinux is disabled
          
          # the mode can also be displayed with this command (the "Current mode" line)
          sestatus

The current mode can be switched between permissive and enforcing with the setenforce command, but after a reboot the mode returns to the configured default.

          # switch to "Permissive" with "setenforce 0"
          setenforce 0
          getenforce
          # switch to "Enforcing" with "setenforce 1"
          setenforce 1
          getenforce

To change the operating mode permanently, edit the value in the configuration file.

      nano /etc/selinux/config
      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      #     enforcing - SELinux security policy is enforced.
      #     permissive - SELinux prints warnings instead of enforcing.
      #     disabled - No SELinux policy is loaded.
      # change the value to the mode you want
      SELINUX=enforcing
      # SELINUXTYPE= can take one of these three values:
      #     targeted - Targeted processes are protected,
      #     minimum - Modification of targeted policy. Only selected processes are protected.
      #     mls - Multi Level Security protection.
      SELINUXTYPE=targeted
      # reboot to apply the change
      reboot

If you change the operating mode from "Disabled" to "Enforcing" or "Permissive", the filesystem has to be relabeled with SELinux contexts: files and directories created while SELinux was disabled carry no context, so they need to be labeled as well.

       # request relabeling as follows; it is carried out on the next reboot
       touch /.autorelabel
       reboot
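As an added example (not part of the original page), the following POSIX shell script ties the runtime mode from getenforce to the boot-time value in /etc/selinux/config. It is useful for spotting drift, such as a "setenforce 0" left behind after troubleshooting, or a "disabled" system whose config already says "enforcing" and therefore still needs the reboot with /.autorelabel described above. The function and variable names are my own; the config path is only a default and a constructed config file is used in the checks.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode that will
# apply after the next reboot. Nothing here changes the system.

# Print the SELINUX= value from a config file ($1, default
# /etc/selinux/config) in lowercase, or "unknown" if unreadable/missing.
# The first uncommented SELINUX= assignment is used.
configured_mode() {
    cfg="${1:-/etc/selinux/config}"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 0
    fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -n "$mode" ]; then
        echo "$mode" | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# Classify runtime mode ($1, as printed by getenforce) against the
# configured mode ($2). Prints one of: consistent, drift, unknown.
mode_status() {
    runtime=$(echo "$1" | tr 'A-Z' 'a-z')
    configured=$(echo "$2" | tr 'A-Z' 'a-z')
    case "$runtime:$configured" in
        unknown:*|*:unknown) echo unknown ;;
        enforcing:enforcing|permissive:permissive|disabled:disabled) echo consistent ;;
        *) echo drift ;;
    esac
}

# Report on the live system; tolerates hosts without getenforce.
selinux_report() {
    if command -v getenforce >/dev/null 2>&1; then
        runtime=$(getenforce)
    else
        runtime=unknown
    fi
    configured=$(configured_mode "$1")
    status=$(mode_status "$runtime" "$configured")
    echo "runtime=$runtime configured=$configured status=$status"
    # a disabled host whose config says enforcing/permissive needs
    # "touch /.autorelabel && reboot", not setenforce
    if [ "$runtime" = Disabled ] && [ "$configured" != disabled ] && [ "$configured" != unknown ]; then
        echo "note: reboot with /.autorelabel required to apply $configured"
    fi
}

selinux_report
```

Run it as root on the CentOS host (it reads only /etc/selinux/config and calls getenforce); a "drift" result with runtime=Permissive and configured=enforcing is the typical forgotten "setenforce 0".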

Add / remove a port with semanage (see man semanage-port)

       # semanage is provided by policycoreutils-python; install it first
       yum provides /usr/sbin/semanage
       yum -y install policycoreutils-python
       # list the ports labeled for a type (example with ssh)
       semanage port -l | grep ssh
       # allow the service to listen on an additional port (e.g. 2289)
       semanage port -a -t ssh_port_t -p tcp 2289
       # remove that port from the type again (e.g. 2289)
       semanage port -d -t ssh_port_t -p tcp 2289

Online resources

Centos 7