selinux - ghdrako/doc_snipets GitHub Wiki

selinux

SELinux’s enforcing mode acts as a strict gatekeeper, allowing only actions that match the defined security policy. In enforcing mode, SELinux applies access controls and security contexts without exception, confining potentially malicious actions and reducing the likelihood of unauthorized intrusion. Even if an attacker gains access, their ability to move around and exploit vulnerabilities is severely curtailed, which improves the overall resilience of the system.

Enable enforcing mode

sudo setenforce 1

In this mode, SELinux will strictly enforce the defined security policies, denying actions that violate those policies.

Verify that SELinux is in enforcing mode:

getenforce

Permissive mode

In contrast, SELinux’s permissive mode acts as an observer. In permissive mode, SELinux does not block actions that breach the security policy, but it logs each of these incidents. This makes it an essential tool for administrators who want to fine-tune their security policies without abruptly disrupting operations: by analyzing the logs generated in permissive mode, they can identify the denials that would occur if the system were running in enforcing mode. This feedback loop lets administrators iteratively refine the policy until it strikes the right balance between strict security and operational functionality. To enable SELinux’s permissive mode:

sudo setenforce 0

Enabling or disabling SELinux Boolean values

At the heart of SELinux’s configuration are Boolean values: binary settings that enable or disable specific security features of the policy. These Booleans act as switches that let administrators adjust the behavior of the system with precision.

getsebool -a

This command is used to display the current values of all SELinux Boolean settings. SELinux Boolean values are binary settings that determine whether a specific security feature or permission is enabled (on) or disabled (off).

  • abrt_anon_write --> off: This indicates that the SELinux Boolean value for allowing the Automatic Bug Reporting Tool (ABRT) to write to anonymous memory is currently disabled.
  • abrt_handle_event --> off: The Boolean value that controls whether ABRT can handle events is disabled. ABRT handles system events such as crashes or abnormal terminations.
  • abrt_upload_watch_anon_write --> on: This means that the Boolean value that allows ABRT to watch for uploads with anonymous write access is enabled.
  • antivirus_can_scan_system --> off: This states that the Boolean value that permits antivirus software to scan the entire system is currently disabled.
  • antivirus_use_jit --> off: The Boolean value controlling whether antivirus software can use Just-In-Time (JIT) scanning is disabled.
  • auditadm_exec_content --> on: This indicates that the Boolean value allowing the auditadm user to execute content is enabled.
  • authlogin_nsswitch_use_ldap --> off: The Boolean value that determines whether the authlogin program should use the Network Security Services (NSS) LDAP module is disabled.
  • authlogin_radius --> off: The Boolean value that controls whether the authlogin program can use the RADIUS protocol for authentication is disabled.
  • authlogin_yubikey --> off: This means that the Boolean value permitting the authlogin program to use YubiKey for authentication is disabled.
  • awstats_purge_apache_log_files --> off: The Boolean value that decides whether awstats should be allowed to purge Apache log files is disabled.

Searching for a Boolean and getting its information

semanage boolean -l
getsebool abrt_anon_write # To check the status of a specific SELinux Boolean
semanage boolean -l | grep xguest_connect_network

Enabling a SELinux Boolean value

setsebool -P xguest_use_bluetooth 1  # sets the xguest_use_bluetooth Boolean to on and makes the change permanent across system reboots.

Disabling a SELinux Boolean value

setsebool -P mount_anyfile 0
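The getsebool / setsebool -P workflow above is usually repeated across many hosts, so an added example (not from this wiki) that compares `getsebool -a` output against a desired baseline and prints the `setsebool -P` commands needed to fix any drift. The Boolean names are real ones from this page; the sample output and the baseline states are constructed for the example, not a hardening recommendation, and the script falls back to the sample when `getsebool` is not installed.

```shell
#!/bin/sh
# Added example: audit SELinux Boolean drift against a desired baseline.

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_GETSEBOOL='abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
xguest_use_bluetooth --> on
mount_anyfile --> on'

# Constructed baseline: one "<boolean> <wanted state>" per line.
BASELINE='abrt_anon_write off
antivirus_can_scan_system on
xguest_use_bluetooth off
mount_anyfile off
httpd_can_network_connect off'

# current_booleans: live `getsebool -a` if available, otherwise the sample.
current_booleans() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a
    else
        printf '%s\n' "$SAMPLE_GETSEBOOL"
    fi
}

# boolean_drift CURRENT BASELINE
# For each baseline entry, print a `setsebool -P` line when the current
# state differs, or a comment when the Boolean is not in the loaded policy.
boolean_drift() {
    printf '%s\n' "$2" | while read -r name want; do
        [ -z "$name" ] && continue
        # getsebool prints "name --> state"; pick the state for this name.
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            printf '# %s: not in loaded policy, check: semanage boolean -l | grep %s\n' "$name" "$name"
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

# drift_count CURRENT BASELINE: number of Booleans that need a setsebool change.
drift_count() {
    boolean_drift "$1" "$2" | grep -c '^setsebool'
}

boolean_drift "$(current_booleans)" "$BASELINE"
```

Review the printed commands before running them, and remember that `setsebool -P` persists across reboots while `setenforce` only changes the mode until the next boot.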