What is Security-Enhanced Linux (SELinux)?

This article explains what SELinux is and describes the SELinux modes.

Introduction to SELinux

Security-Enhanced Linux (SELinux) is a security enhancement to Linux that gives users and administrators more control over access control. SELinux provides a Mandatory Access Control (MAC) security mechanism built into the Linux kernel. It is a collaborative project between the United States National Security Agency (NSA) and the SELinux community. SELinux enhances traditional discretionary access control (DAC) methods and helps prevent security breaches. SELinux enforces the least-privilege model more strongly. Because SELinux is built into the kernel, individual applications do not need to be specially written or revised to work under SELinux.

SELinux Modes

The configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode. The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select one of these options.

The disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux protection.

The permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by policy are permitted but audited.

The enforcing option enables the SELinux code and causes it to enforce access denials as well as auditing them.

Permissive mode may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an operation from proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access.

To check the status of SELinux, use the getenforce command. To change the SELinux mode temporarily to permissive, use the setenforce 0 command. The setenforce command changes the mode only temporarily; for a permanent change, modify the SELinux configuration file located at /etc/selinux/config. The default mode will always be enforcing. Change SELINUX=enforcing to permissive or disabled as per your requirement.
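
Because setenforce changes only the running mode while /etc/selinux/config sets the mode used at boot, the two can disagree. The script below is an added example, not part of the original article, that reports such drift; the function names, result labels and sample config are constructed for illustration, and reporting the first SELINUX= line when the key is repeated is an assumption.

```shell
#!/bin/sh
# Added example: report drift between the running SELinux mode and the boot-time mode.

# Print the SELINUX= value from a config file, lowercased. Comment lines and
# the separate SELINUXTYPE= line do not match. Assumption of this example:
# if the key appears more than once, the first occurrence is reported.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Order the modes by how much protection they give; fail on anything else.
mode_rank() {
    case "$1" in
        disabled) echo 0 ;; permissive) echo 1 ;; enforcing) echo 2 ;;
        *) return 1 ;;
    esac
}

# mode_drift RUNTIME CONFIGURED  (RUNTIME is getenforce output, e.g. "Enforcing")
mode_drift() {
    r=$(mode_rank "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')") || { echo unknown; return 2; }
    c=$(mode_rank "$2") || { echo unknown; return 2; }
    if [ "$r" -eq "$c" ]; then echo consistent
    elif [ "$r" -lt "$c" ]; then echo runtime-weaker   # relaxed until next boot
    else echo config-weaker                            # protection drops at next boot
    fi
}

# Constructed sample config, used for the offline demonstration below.
sample_config() {
    cat <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Offline demonstration: simulate "setenforce 0" on a host configured as enforcing.
demo=$(mktemp) && sample_config > "$demo"
echo "sample: runtime=Permissive configured=$(configured_mode "$demo") => $(mode_drift Permissive "$(configured_mode "$demo")")"
rm -f "$demo"

# On a real host, compare the live values when the tools are present.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    live=$(configured_mode /etc/selinux/config)
    echo "host: runtime=$(getenforce) configured=$live => $(mode_drift "$(getenforce)" "$live")"
fi
```

A runtime-weaker result is what a temporary setenforce 0 looks like on a host configured as enforcing; a config-weaker result means the host will come up less protected after the next reboot.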
