SELinux management, Linux security, security policies and security protection are important topics for any system administrator. In a real environment, SELinux and the system-level firewall are disabled. Some networking companies, such as Cisco and AT&T, set up physical firewalls to ensure security protection.

SELinux is an acronym for Security-Enhanced Linux. It is a security feature of the Linux kernel. There are three types of SELinux policies:

  1. Targeted policy: the targeted services or files are protected.
  2. Minimum policy: only chosen services or files are protected.
  3. MLS: multilevel security protection.

Labels are set in the context. You can check the context of a file with the ls -Z command.

How to interpret labels:

[root@autofs_client ~]# ls -Z initial-setup-ks.cfg

-rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg

"system_u" is the user.

"object_r" is the role.

"admin_home_t" is the type context.

"s0" is the security context.

Every process also has a context type:

To see sockets: ss -Z

To see users: id -Z

To see ports: netstat -Z

The sestatus command will show you general information about SELinux.

To check the SELinux mode, type getenforce.

There are three modes: enforcing means enabled, permissive means enabled but violations are tolerated (logged rather than blocked), and disabled is exactly what it says.

The main SELinux configuration file is /etc/sysconfig/selinux.

If you want to relabel a file, either after copying it or after changing its context type, use the restorecon /file/path command, or restorecon -vR /directory/path, where -R is recursive (takes effect on sub-files and sub-directories) and -v is verbose.
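As an added example (not part of the original post), here is a small POSIX shell helper that parses the user:role:type:level label shown above and extracts the context column from an ls -Z line, so you can check a file's type before deciding whether restorecon is needed. The sample lines are constructed; note that an MLS/MCS level such as s0-s0:c0.c1023 contains colons itself, so the label cannot simply be split on every ':'.

```shell
#!/bin/sh
# Added example for this tutorial (not from the original post): parse the
# user:role:type:level label shown by `ls -Z`, `id -Z`, `ss -Z` and friends.
# The level may itself contain ':' in MLS/MCS form (e.g. "s0-s0:c0.c1023"),
# so we peel off exactly three ':'-separated fields and keep the rest as level.

# selinux_field LABEL FIELD -> prints the user|role|type|level part of LABEL
selinux_field() {
    label=$1
    field=$2
    # A well-formed label has at least four ':'-separated parts.
    case $label in
        *:*:*:*) ;;
        *) printf 'not a context label: %s\n' "$label" >&2; return 1 ;;
    esac
    user=${label%%:*}; rest=${label#*:}
    role=${rest%%:*};  rest=${rest#*:}
    type=${rest%%:*};  level=${rest#*:}   # remainder, colons included
    case $field in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *) printf 'unknown field: %s\n' "$field" >&2; return 1 ;;
    esac
}

# ls_z_context LINE -> the context column of one `ls -Z` long-listing line
# (the 4th whitespace-separated field, as in the post's sample output).
ls_z_context() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# type_differs LABEL EXPECTED_TYPE -> exit status 0 when the type context is
# not the expected one, i.e. when a restorecon/chcon would be needed.
type_differs() {
    actual=$(selinux_field "$1" type) || return 2
    [ "$actual" != "$2" ]
}

# Constructed sample line in the same format the post shows for `ls -Z`.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg'
# Constructed MCS-style process label whose level contains a category range.
SAMPLE_PROC_LABEL='system_u:system_r:unconfined_t:s0-s0:c0.c1023'

ctx=$(ls_z_context "$SAMPLE_LS_Z")
printf 'type of %s is %s\n' "$ctx" "$(selinux_field "$ctx" type)"
printf 'level of %s is %s\n' "$SAMPLE_PROC_LABEL" "$(selinux_field "$SAMPLE_PROC_LABEL" level)"
```

On a real host you would feed it live output, for example ls_z_context "$(ls -Z /path/to/file)", and only run restorecon when type_differs reports a mismatch.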

To relabel the whole system, for example after recovering the root password, create the flag file with the touch /.autorelabel command; the relabel then runs on the next boot.

The semanage command is the SELinux policy management tool. You can check port policies with semanage port -l, or file context types with semanage fcontext -l.

The getsebool command is useful for checking booleans.

For example, ftpd_anon_write is off by default, which denies anonymous users write access to the FTP server. If you want anonymous users to have write access, turn it on with:

setsebool -P ftpd_anon_write on

where -P makes the change permanent (it survives a reboot).

I encourage you to test these commands. I will share with you some other useful commands and log files in the tutorials part; I won't list them here to avoid unnecessary repetition. It's time to use what we learnt. Read more in the tutorials.