Security-Enhanced Linux (SELinux) is the default context-based permissions scheme provided with CentOS and Red Hat Enterprise Linux, and is optionally available on other distributions. It was developed by the U.S. National Security Agency (NSA). It provides additional file system and network security so that unauthorized processes cannot access or tamper with data, bypass security mechanisms, violate security policies, or execute untrustworthy programs.
SELinux has three modes:
- Enforcing: In this mode, SELinux enforces its policies on the system and denies all access by unauthorized users or processes. These denials are also logged, which we will look into later in this chapter.
- Permissive: A semi-enabled state in which SELinux does not deny any access, because policy violations are logged rather than blocked. This is the best mode for testing SELinux policies.
- Disabled: SELinux is completely turned off; no logs are created and no access is denied.
There are SELinux rules that define the default security contexts for a majority of the system files. The restorecon command is used to reset the default security context on a file or directory.
For example:

```
# restorecon /var/www/html/index.html
```

A commonly used option to the restorecon command is the -R option, which performs the changes recursively on a directory structure.
If you encounter the following error while running the restorecon command:

```
restorecon: command not found
```

you may try installing the package below using the command for your distribution:

| OS Distribution | Command |
|---|---|
| Debian | apt-get install policycoreutils |
| Ubuntu | apt-get install policycoreutils |
| Kali Linux | apt-get install policycoreutils |
| CentOS | yum install policycoreutils |
| Fedora | dnf install policycoreutils |
| Raspbian | apt-get install policycoreutils |
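
The steps above combined into one routine, as an added example that is not part of the original page: it checks that restorecon is installed, skips the work when SELinux is disabled, previews a recursive relabel with `-n`, and only then applies it. The function name `relabel_tree` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). relabel_tree and its return
# codes are hypothetical names chosen for this illustration.
#   0 = labels match policy or were reset   1 = restorecon failed
#   2 = restorecon is not installed         3 = SELinux is disabled
relabel_tree() {
    target=$1

    # "restorecon: command not found" means policycoreutils is not installed.
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not found; install policycoreutils" >&2
        return 2
    fi

    # getenforce prints Enforcing, Permissive or Disabled.
    mode=$(getenforce 2>/dev/null) || mode=unknown
    if [ "$mode" = "Disabled" ]; then
        echo "SELinux is disabled; nothing to relabel" >&2
        return 3
    fi
    echo "SELinux mode: $mode"

    # Dry run: -n changes nothing, -v lists each file whose context differs
    # from the policy default, -R descends into the directory tree.
    pending=$(restorecon -R -n -v "$target") || return 1
    if [ -z "$pending" ]; then
        echo "All contexts under $target already match the policy defaults"
        return 0
    fi
    printf '%s\n' "$pending"

    # Apply the same change for real.
    restorecon -R -v "$target" || return 1
}

# Run as: sh relabel.sh /var/www/html
if [ "$#" -gt 0 ]; then
    relabel_tree "$1"
fi
```

Reviewing the dry-run listing before the second call is the point of the two-step design: a recursive relabel also resets any contexts that were changed on purpose.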