Mandatory access control (MAC) only lets processes work with the files an administrator has already approved. That makes it a higher level of access control than standard discretionary access control (DAC), and it protects against system security breaches. Red Hat and the National Security Agency collaborated to create SELinux, which was made public for the first time as a result. As new versions of Linux are introduced, SELinux is periodically updated and expanded.

To spread out the degrees of protection and avoid a complete security breach, SELinux separates policy from decision-making within the kernel. If SELinux cannot decide whether to grant access based on cached permissions, it sends the request to the security server. The security server then checks the security context of the application or process and of the file; that security context is supplied from the SELinux policy database. We have mentioned below the steps to secure Linux servers with SELinux.

Steps to Secure Linux Servers with SELinux

SE Linux Modes

In the config file, we can change the modes and choose any of the below:

Step 1: Enforcing – Enabled by default, filters based on defined policies.

Step 2: Permissive – Does not apply the defined policies, but records all attempts in log files. This mode is useful for troubleshooting.

Step 3: Disabled – SE Linux is completely disabled. This is not recommended as it can expose your system to threats. Also, reverting to enforcing can create some discrepancies.

Step 4: You can check your current SE Linux mode with the commands below:

Step 5: If you only need to change the current session mode, you can use the commands below:

SE Linux Policies

Step 1: On SE Linux, policies define user access. Users define access to roles and roles define access to domains. Domains provide access to specific files.

Step 2: To change and modify accesses, 'Booleans' are defined. Let's investigate Booleans in the next section.

Manage SE Linux Policies with Booleans

As you already know, SE Linux policies are managed by Booleans. Let's look at a practical example of how you would view and define a boolean. In this example, we will define specific booleans for httpd.

Step 1: First, list all httpd-specific booleans – getsebool -a | grep httpd

Step 2: Here, -a lists all booleans.

Step 3: Next, let's select and change the boolean highlighted in yellow in the above output:

Step 4: Now set the value to allow.
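The mode and boolean checks described in the two sections above can be combined into one audit, shown here as an added example that is not part of the original article. The function names and the sample config and boolean listing are constructed for illustration; on a live host the inputs would come from /etc/selinux/config and from getsebool -a.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit SELinux mode and httpd booleans.
# Live-host equivalents: getenforce, sestatus, getsebool -a, setsebool -P NAME on|off

# Read an /etc/selinux/config style file on stdin and print the persistent
# mode. Comment lines and SELINUXTYPE= do not match the pattern.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Return 0 for enforcing, 1 for permissive (log only), 2 for disabled/unknown.
mode_risk() {
    case "$1" in
        enforcing)  return 0 ;;
        permissive) return 1 ;;
        *)          return 2 ;;
    esac
}

# Read "name --> on|off" lines (getsebool -a format) on stdin and print the
# httpd booleans that are on, i.e. the extra access granted to the web server.
httpd_booleans_on() {
    awk '$1 ~ /^httpd_/ && $2 == "-->" && $3 == "on" { print $1 }'
}

# Constructed sample inputs so the script runs on a host without SELinux.
SAMPLE_CONFIG='# constructed sample of /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted'
SAMPLE_BOOLEANS='httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
ftpd_full_access --> on'

audit() {
    mode=$(printf '%s\n' "$SAMPLE_CONFIG" | configured_mode)
    echo "configured mode: $mode"
    mode_risk "$mode" || echo "WARNING: policy will not be enforced after reboot"
    echo "httpd booleans switched on:"
    printf '%s\n' "$SAMPLE_BOOLEANS" | httpd_booleans_on | sed 's/^/  /'
}
audit
```

On a real server, replace the sample inputs with `configured_mode < /etc/selinux/config` and `getsebool -a | httpd_booleans_on`, and review each boolean that is on against what the web server actually needs.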

Final Words

We hope you enjoy our article on how to Secure Linux servers with SELinux. The National Security Agency (NSA) created SE Linux to help with government security-related tasks. Security Enhanced Linux is known as SE Linux. System administrators now have more freedom to decide who can access which files and processes. SE Linux administrators can specify a context, mark files and allow them within that context. Based on user groups, access and permissions are generally inherited.
