Make your System Secure
Posted By : Ankit Gupta | 30-Jun-2015
SELINUX , means Security Enhanced Linux which is one of the best way to provide security to your system. We must allow the desired ports to be open through firewall.
Basically , It Means the group of secure policies which tells which process is trying to access which files , directories. It is Because every file , folder , directories in Linux has different security tags called as Selinux Context.
A Context is defined as a security barrier which states if process can access any files , directories etc.
Command to install SE-LINUX in LINUX :-
# sudo apt-get install selinux (Ubuntu Users)
# yum install selinux (Centos/Redhat users)
For Example :- Services like APACHE , FTP etc. all have different type of Context. Most of the context ends on “_t” type.
Like , the context of web server apache is httpd_t , Ones we install APACHE in our machine , we get the document root /var/www/html of which the type of context is httpd_sys_content_t. Files , Directories which exists in /var/tmp or /tmp have tmp_t type of context.
The context type of Ports of web server is http_port_t.
Now , if Apache will try to access any files , folders that exists in any tmp folder or /var/www/html having context type different from apache , but there will be no access permitted as their context types are different.
So we can manually change the context from the following command and then make any file or folder accessible to apache.
# semanage fcontext -a -t “context_type” “path of file or folder”
SELINUX MODES :-
There are three modes in SELINUX are as :-
Enforcing Mode :- In this mode, SELinux have access to the web server resulting to read files with tmp_t context type . In enforcing mode , SELinux Secures and preserves logs .
Permissive Mode :- Permissive mode is used to investigate and resolve the issues. This mode can be activated if you are facing any issue in SELinux. You don’t need to reboot your system while changing the mode from permissive to enforcing or vice-versa.
Disabled :- It completely disable the SELINUX , but the change will only take effect after rebooting your machine.
How to change the mode to enable or disable ?
# There are two ways to change the mode
You can edit the file /etc/sysconfig/selinux .
Here , by default SELINUX mode is permissive , To Enable it you can simple edit and change it as below :-
SELINUX = enforcing
You need to restart your machine , ones you make changes in the above file
2. Another way to change its mode is to use the two command as below :-
It will give you output as Enforcing or permissive (which shows that you current status of selinux is in enforcing or permissive mode).
To change its mode choose setenforce.
# setenforce 0 (which means you are changing its mode to permissive).
# setenforce 1 (which means you are changing its mode to enforcing).
Then , Again you can check its current status by getenforce.
In this way you can make your system secure.