SELinux Basics
SELinux
○ Security-Enhanced Linux
○ Mandatory Access Control (MAC): Restricts
access based on predefined policies
○ Purpose: Strengthens system security by
controlling access
Source: What is SELinux and how its SELinux used in Docker? - DevOpsSchool.com
SELinux Modes
● SELinux Operating Modes
○ Enforcing: Enforces policies strictly
○ Permissive: Logs but doesn’t enforce
○ Disabled: No SELinux enforcement
● Note: The /etc/selinux/config file stores configuration settings for
SELinux.
Basic SELinux Commands
● To Check Status: sestatus, getenforce
● Change from enforcing to permissive / disabled
Command: setenforce 0
● Change from permissive / disabled to enforcing
Command: setenforce 1
● To permanently modify the SELinux configuration, make the change in the
/etc/selinux/config file:
○ From enforcing to disabled
■ SELINUX=disabled
○ From disabled to enforcing
■ SELINUX=enforcing
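An added example, not part of the original slides: a shell check that compares the running mode (what getenforce prints) with the persistent SELINUX= setting in the config file, so a host left in permissive mode after setenforce 0 stands out. The function names and the sample config contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the slides); function names are hypothetical.

# Constructed sample in the layout of /etc/selinux/config (not from a real host).
sample_config() {
    cat <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Print the persistent mode from a config file, lower-cased.
# Only a line that starts with SELINUX= counts, so the "# SELINUX= ..."
# comment and the SELINUXTYPE= line are skipped. The first match is used
# (a choice made for this example).
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Compare the running mode (the word getenforce prints) with the config file.
# Returns 0 when they agree, 1 on drift, 2 when no SELINUX= line is found.
selinux_mode_drift() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_mode "$2")
    if [ -z "$configured" ]; then
        echo "unknown: no SELINUX= line in $2"
        return 2
    fi
    if [ "$runtime" = "$configured" ]; then
        echo "ok: runtime and config are both $configured"
        return 0
    fi
    echo "drift: runtime=$runtime config=$configured"
    return 1
}

# On a host with SELinux tools, check the live system; otherwise use the sample.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    selinux_mode_drift "$(getenforce)" /etc/selinux/config || true
else
    demo=$(mktemp)
    sample_config > "$demo"
    selinux_mode_drift "Permissive" "$demo" || true
    rm -f "$demo"
fi
```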
SELinux Context
● Set of labels that define how files, processes, or users are treated by
SELinux policies
● Components:
○ User: user identity (e.g., system_u, user_u)
○ Role: Defines what actions a user or process can perform (e.g.,
object_r)
○ Type: Specifies the type or domain (e.g., httpd_t, tmp_t)
○ Level: Sensitivity levels (mainly for MLS systems)
Managing SELinux Contexts
● List all the labels for each file in a directory
Command: ls -lZ /etc/ssh
● List the labels of a directory
Command: ls -dZ /etc/ssh
● To change the type in the label of a file or directory
Command: chcon -t httpd_sys_content_t /etc/ssh
● To restore it back to its original type
Command: restorecon -v /etc/ssh && ls -dZ /etc/ssh

SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
