Author: Madhan Gopalakrishnan | Published on : 13-02-2025

SELinux (Security-Enhanced Linux) is a security architecture that enforces mandatory access controls (MAC) on Linux systems. It adds an extra layer of security by defining and enforcing policies that restrict the actions of users and applications. The semanage command is a crucial tool in managing SELinux policies, making it easier to configure and maintain security contexts. This guide provides an in-depth and beginner-friendly explanation of SELinux and the semanage tool. 🚀

🛡️ Understanding SELinux

SELinux Modes:

🔍 Checking and Setting SELinux Mode

• To check the current SELinux mode: sestatus
• To temporarily set SELinux to permissive mode: sudo setenforce 0
• To permanently change SELinux mode, edit /etc/selinux/config: sudo nano /etc/selinux/config Change the line: SELINUX=enforcing # Change to permissive or disabled if needed Save and reboot for changes to take effect.

🛠 Managing SELinux Policies with Semanage

semanage is used to modify SELinux policies, manage file contexts, port labeling, booleans, and user mappings.

🔍 Common semanage Commands

🔍 Changing File Security Contexts

1. List file contexts: semanage fcontext -l
2. Add a new file context: semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
3. Apply changes using restorecon: restorecon -Rv /myweb

🔍 Managing Network Ports with SELinux

1. List current SELinux port mappings: semanage port -l
2. Allow a service to use a custom port (e.g., Apache on port 8080): semanage port -a -t http_port_t -p tcp 8080
3. Modify an existing port label: semanage port -m -t http_port_t -p tcp 9090

🔍 Enabling and Disabling SELinux Booleans

1. List all SELinux booleans: getsebool -a
2. Enable or disable a boolean (e.g., allow Apache to connect to a database): setsebool -P httpd_can_network_connect_db on

🔍 Assigning SELinux Roles to Users

1. List current user mappings: semanage login -l
2. Map a Linux user to an SELinux role: semanage login -a -s user_u myuser

🔍 Auditing SELinux Logs with Ausearch

The ausearch tool is used to analyze SELinux logs and troubleshoot security issues effectively.

🔍 Using ausearch for SELinux Events

1. Search for SELinux AVC (Access Vector Cache) denials: ausearch -m avc
2. Filter logs based on a specific process (e.g., Apache): ausearch -c httpd
3. Search logs for a specific time range: ausearch -m avc -ts yesterday
4. View logs for a particular user: ausearch -m USER_LOGIN -ua 1000

Using ausearch effectively helps administrators identify policy violations and security issues that need to be addressed to ensure a hardened Linux environment.

🔥 Best Practices for SELinux Security Hardening

1. Always keep SELinux in enforcing mode unless troubleshooting.
2. Regularly audit SELinux logs for security violations: ausearch -m avc
3. Use restorecon to fix mislabelled files instead of disabling SELinux.
4. Enable relevant SELinux booleans based on system requirements.
5. Keep SELinux policies updated to prevent vulnerabilities.
6. Use semanage to properly configure ports, file contexts, and user mappings.
7. Implement log monitoring and alerting systems for SELinux-related issues.

🚀 Conclusion

SELinux provides an advanced security mechanism for Linux systems by enforcing strict access controls. The semanage command simplifies policy management, making it easier to configure security settings. The ausearch tool is invaluable for analyzing logs and detecting policy violations. By understanding and properly configuring SELinux, administrators can significantly enhance system security and reduce risks from unauthorized access.

By implementing these practices, you can achieve a robust and secure Linux system. 🔒🐧 Happy Securing! 🚀