SELinux stands for “Security-Enhanced Linux”. Standard Linux security is based on Discretionary Access Control (DAC). With DAC, access to files and devices is based solely on user identity and ownership. Each file can have read, write, and execute permissions for the owner of the file, for the group, and for other users.
SELinux was created by the US National Security Agency to provide a finer-grained level of control over files, processes, users, and applications in the system. It is an enhancement to the Linux kernel, and it implements a different type of security called Mandatory Access Control (MAC). MAC policy is centrally managed rather than being managed by the user.
SELinux runs in one of three modes:
- Enforcing: Access is denied to users and programs unless permitted by SELinux security policy rules.
- Permissive: The security policy rules are not enforced, but SELinux sends denial messages to a log file.
- Disabled: SELinux does not enforce a security policy because no policy is loaded in the kernel. Only DAC rules are used for access control.
Display the SELinux mode
You can use the sestatus command to display the SELinux mode as well as some additional information about SELinux.
```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
```
You can use the getenforce command to display the SELinux mode. This command displays the current mode: “Enforcing”, “Permissive”, or “Disabled”. For example:
```
# getenforce
Enforcing
```
Changing SELinux mode
Most of the time you would see people changing the “enforcing” mode to “permissive” in order to resolve a problem related to file/process permissions. This is not the best practice to apply, but it is one of the most widely used and quickest ways to get past the problem in Linux. You can use the setenforce command to change the mode to either “Enforcing” (1) or “Permissive” (0). For example:
```
# setenforce 0
# getenforce
Permissive
```
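A mode changed with setenforce lasts only until the next reboot; the boot-time mode comes from the config file, which is why sestatus prints both “Current mode” and “Mode from config file”. The script below is an added example, not part of the original article: it compares the two values from sestatus-style output and reports drift (for instance a host someone switched to permissive and forgot about). The sestatus text is a constructed sample so the check runs on a machine without SELinux; the function names field_value and selinux_mode_check are this example's own, and on a real host you would pass "$(sestatus)" instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original article): compare the running SELinux
# mode with the mode configured for boot, using sestatus-style output.
# The sample below is constructed so the check runs on a host without SELinux;
# on a real host pass "$(sestatus)" instead.

SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28'

# field_value LABEL TEXT: print the value that follows "LABEL:" in TEXT.
field_value() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# selinux_mode_check TEXT: report whether the running mode matches the
# configured one. Exit status: 0 = match, 1 = drift, 2 = no mode reported
# (SELinux disabled, or the text is not in sestatus format).
selinux_mode_check() {
    current=$(field_value "Current mode" "$1")
    configured=$(field_value "Mode from config file" "$1")
    if [ -z "$current" ] || [ -z "$configured" ]; then
        printf 'unknown: no mode reported (SELinux disabled or unrecognized output)\n'
        return 2
    fi
    if [ "$current" = "$configured" ]; then
        printf 'ok: running %s, config %s\n' "$current" "$configured"
        return 0
    fi
    printf 'drift: running %s but config file says %s\n' "$current" "$configured"
    return 1
}

# Demo run on the constructed sample: prints the drift line. The non-zero
# exit status is what a monitoring job would act on; it is ignored here.
selinux_mode_check "$SAMPLE_SESTATUS" || :
```

Run it from cron or a configuration-management check and alert on exit status 1; exit status 2 covers the “Disabled” case, where sestatus prints no mode lines at all.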
Booleans
SELinux also provides “Booleans”, which allow parts of an SELinux policy to be changed at run time, without reloading or recompiling the policy. You can display a list of Booleans, their state information, and a description of each Boolean by running the following command:
```
# semanage boolean -l
SELinux boolean                State  Default Description
privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
....
```
You can change the state of a specific Boolean to either on or off by using the setsebool command. For example, to turn the ftpd_use_nfs Boolean on:
```
# setsebool ftpd_use_nfs on
```
Use the getsebool command to display the state of a specific Boolean. Example:
```
# getsebool ftpd_use_nfs
ftpd_use_nfs --> on
```
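Because semanage lists both the current state and the policy default, the same output can be used to audit which Booleans have been toggled away from their defaults on a host. The script below is an added example, not code from the original article: it parses semanage boolean -l style output, reports every Boolean whose current state differs from its default, and looks up a single Boolean the way getsebool does. The listing is a constructed sample in which mpd_enable_homedirs has been switched on; the function names boolean_state and boolean_drift are this example's own, and on a real host you would pass "$(semanage boolean -l)" instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit SELinux Booleans from
# "semanage boolean -l" output, reporting any whose current state differs from
# the policy default. The sample below is constructed (one Boolean is toggled);
# on a real host pass "$(semanage boolean -l)" instead.

SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (on   ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login'

# boolean_state NAME TEXT: print "on" or "off" for NAME, like getsebool does.
# Exit status 1 when NAME does not appear in TEXT.
boolean_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        NR > 1 && $1 == n { s = $2; gsub(/[(),]/, "", s); print s; found = 1 }
        END { exit !found }'
}

# boolean_drift TEXT: print "name current default" for every Boolean whose
# current state differs from its default; prints nothing when all match.
# The state columns arrive as tokens like "(on" "," "off)", so the parens
# and comma are stripped before comparing.
boolean_drift() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # header line
        NF >= 4 && $2 ~ /^\(/ {
            cur = $2; def = $4
            gsub(/[(),]/, "", cur); gsub(/[(),]/, "", def)
            if (cur != def) print $1, cur, def
        }'
}

# Demo run on the constructed sample: lists mpd_enable_homedirs on off.
boolean_drift "$SAMPLE_BOOLEANS"
```

A Boolean changed with plain setsebool reverts to its default at the next boot; setsebool -P writes the change into the policy store so it persists. Running this drift report periodically shows which toggles were made at run time and need to be either made persistent or reverted.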