# 7.1 SEManage

### SELinux basics

First we are going to learn what SELinux is and how we can configure it. SELinux means Security-Enhanced Linux, or SELinux for short. What it does is improve the security of the Linux system as a kernel security module.

So how will we configure it? We will do this with the ```setenforce``` and ```getenforce``` commands during the current runtime. This means that if we reboot the server, the settings will return to the permanent configuration. The permanent configuration is located in ```/etc/selinux/config```.

Let's see how this all works. Let's start with the ```getenforce``` command. This will show us that the current status is Enforcing.

```bash
[root@rhcsa ~]# getenforce
Enforcing
```

But what does the status Enforcing actually mean? Let's have a look at the config file for SELinux; this explains it more simply.

```bash
[root@rhcsa ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

So now you know what the status Enforcing means: SELinux will enforce any policy that is set. But what if we wanted to change this status temporarily to test whether SELinux is blocking the functionality that we want? Let's test this with the ```setenforce``` command.

```bash
[root@rhcsa ~]# setenforce 0
[root@rhcsa ~]# getenforce
Permissive
[root@rhcsa ~]# echo "test functionality here"
test functionality here
[root@rhcsa ~]# setenforce 1
[root@rhcsa ~]# getenforce
Enforcing
```

As you can see above, with the ```setenforce 0``` command we change the SELinux status to Permissive, and with the ```setenforce 1``` command we change it back to the Enforcing status.

### SEManage

Let's have a look at the ```semanage``` command and the functionalities that SELinux could be blocking. To use the ```semanage``` command, we need the ```policycoreutils-python``` package to be installed. We can do this with the following command: ```dnf install -y policycoreutils-python-utils.noarch```. More information on yum in later chapters.

So now let's have a look at the ```semanage``` command and add the ```port -l``` options to it. This will give us a list of all the SELinux ports that are configured to be allowed.

```bash
[root@rhcsa ~]# semanage port -l
```

This is quite a big list, but we can use ```grep``` on this. Let's ```grep``` for the ssh port.

```bash
[root@rhcsa ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22
```

This shows us that SELinux will allow the ssh service to use port 22. But what if we wanted to change this port so that we can ssh on port 2022? Let's have a look at how we can do this.

First, we configure port 2022 to be used with ssh:

```bash
[root@rhcsa ~]# echo "Port 2022" >> /etc/ssh/sshd_config
```

Then we have to restart the ssh service, but this gives us an error.

```bash
[root@rhcsa ~]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
```

Now we want to test whether SELinux blocks this configuration.

```bash
[root@rhcsa ~]# setenforce 0
[root@rhcsa ~]# systemctl restart sshd
```

It seems it was SELinux. Now, let's adjust the ssh port policy that SELinux has with the ```semanage``` command. We are going to use the ```-a```, ```-t``` and ```-p``` options. More information on these can be found with ```semanage port -h```.

```bash
[root@rhcsa ~]# semanage port -a -t ssh_port_t -p tcp 2022
```

And let's check the result with ```semanage port -l | grep ssh```. As we can see, port 2022 is added to the security port policy of SELinux.

```bash
[root@rhcsa ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      2022, 22
```

And now, to test whether we can start the ssh service with SELinux enabled:

```bash
[root@rhcsa ~]# setenforce 1
[root@rhcsa ~]# systemctl restart sshd
```

Woohoo, we have done it. And now, to revert the port back to 22 so that we can keep training, use the "one-liner" below.

```bash
sed -i 's/^Port 2022/Port 22/g' /etc/ssh/sshd_config; systemctl restart sshd
```
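Before toggling `setenforce 0` to see whether SELinux is the culprit, you can check the port labelling itself. The following is an added example (not part of this tutorial) that parses `semanage port -l` output, tells you which port type already covers a port, and builds the `semanage port` command you would need; the sample output is constructed and abbreviated, and the `-m` case reflects that `semanage port -a` refuses a port that another type already defines exactly.

```python
"""Work out from `semanage port -l` output whether a port is labelled for a type."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed, abbreviated sample of `semanage port -l` output (not a real capture).
SAMPLE_OUTPUT = """\
SELinux Port Type               Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

Range = Tuple[int, int]
# type name, protocol, then the comma separated ports / ranges
LINE_RE = re.compile(r"^(\S+_port_t)\s+(tcp|udp|dccp|sctp)\s+(.+)$")


def parse_port_list(output: str) -> Dict[Tuple[str, str], List[Range]]:
    """Map (type, proto) -> list of (low, high) ranges; a single port becomes (p, p)."""
    table: Dict[Tuple[str, str], List[Range]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header or blank line
            continue
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            table.setdefault((ptype, proto), []).append((int(low), int(high or low)))
    return table


def types_covering(table, port: int, proto: str) -> Set[str]:
    """Every type whose ranges include the port (range types like unreserved_port_t count)."""
    return {t for (t, p), ranges in table.items()
            if p == proto and any(lo <= port <= hi for lo, hi in ranges)}


def types_defining(table, port: int, proto: str) -> Set[str]:
    """Types that list the port as an exact entry; `semanage port -a` refuses to add those again."""
    return {t for (t, p), ranges in table.items() if p == proto and (port, port) in ranges}


def plan_label(output: str, ptype: str, proto: str, port: int) -> Optional[str]:
    """Return the semanage command needed to label the port for ptype, or None if already done."""
    defined = types_defining(parse_port_list(output), port, proto)
    if ptype in defined:
        return None
    flag = "-m" if defined else "-a"  # modify an existing exact definition, otherwise add
    return f"semanage port {flag} -t {ptype} -p {proto} {port}"
```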