7.1 SEManage

SELinux basics

First we are going to learn what SELinux is and how we can configure it.

SELinux stands for Security-Enhanced Linux. It is a mandatory access control (MAC) system built into the Linux kernel through the Linux Security Modules framework: on top of the normal file permissions, every process and resource (file, port, socket) carries a security label, and a loaded policy decides which labelled processes may access which labelled resources.

So how do we configure it? At runtime we use the setenforce and getenforce commands. Changes made this way last only until the next boot: after a reboot the system returns to the permanent configuration, which is located in /etc/selinux/config.

Let’s see how this all works:

Let’s start with the getenforce command. It shows that the current status is Enforcing.

[root@rhcsa ~]# getenforce
Enforcing

But what does the status Enforcing actually mean? The SELinux config file itself explains the three modes:

[root@rhcsa ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

So now you know what the status Enforcing means: the loaded policy is enforced, and any access it does not allow is denied and logged. In Permissive mode nothing is blocked, but denials are still logged, which is exactly what makes it useful for troubleshooting. So what if we wanted to change the status temporarily to test whether SELinux is blocking the functionality we want?

Let’s test this with the setenforce command.

[root@rhcsa ~]# setenforce 0
[root@rhcsa ~]# getenforce
Permissive
[root@rhcsa ~]# echo "test functionality here"
test functionality here
[root@rhcsa ~]# setenforce 1
[root@rhcsa ~]# getenforce
Enforcing

As you can see above, setenforce 0 switches SELinux to Permissive and setenforce 1 switches it back to Enforcing. Keep in mind that while the system is permissive the policy protects nothing, so switch back as soon as the test is done. The permanent setting in /etc/selinux/config is not affected by setenforce.

SEManage

Let’s have a look at the semanage command and at the kind of functionality SELinux could be blocking.

To use the semanage command, the policycoreutils-python-utils package must be installed (on RHEL 7 the package is called policycoreutils-python). We can do this with the following command: dnf install -y policycoreutils-python-utils. More information on dnf (yum) in later chapters.

So now let’s run the semanage command with the port -l options. This lists the SELinux port types and the ports (or port ranges) labelled with each type. A service domain is only allowed to bind to ports carrying the label its policy expects; for example the sshd domain (sshd_t) may bind to ports labelled ssh_port_t.

[root@rhcsa ~]# semanage port -l

This is quite a big list, but we can grep it. Let’s grep for the ssh port:

[root@rhcsa ~]# semanage port -l | grep ssh
ssh_port_t                     tcp       22

This shows that tcp port 22 is labelled ssh_port_t, the port type the sshd domain is allowed to bind to. But what if we wanted sshd to listen on port 2022 instead? Let’s have a look at how we can do this.

First, we configure sshd to use port 2022 (keep your current SSH session open while testing; and if a firewall is active, port 2022 has to be opened there as well):

[root@rhcsa ~]# echo "Port 2022" >> /etc/ssh/sshd_config

Then we have to restart the ssh service, but this gives us an error:

[root@rhcsa ~]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

Now we want to test whether SELinux is blocking this configuration. The quick check is to switch to permissive mode and restart the service; the denial itself is also visible with journalctl -xe (sshd cannot bind the port) and in the audit log with ausearch -m AVC -ts recent.

[root@rhcsa ~]# setenforce 0
[root@rhcsa ~]# systemctl restart sshd

It was SELinux. Now let’s adjust the ssh port policy with the semanage command, using the -a (add), -t (type) and -p (protocol) options. More information on these can be found with semanage port -h. Note that -a only works for a port that is not yet defined for another type; if it is, semanage reports that the port is already defined and you have to use -m (modify) instead.

[root@rhcsa ~]# semanage port -a -t ssh_port_t -p tcp 2022

Let’s check the result with semanage port -l | grep ssh. As we can see, port 2022 has been added to the ssh_port_t type. This is a local policy customization, so unlike setenforce it survives a reboot.

[root@rhcsa ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      2022, 22

And now, to test whether the ssh service starts with SELinux back in enforcing mode (the sshd we restarted in permissive mode was still running on port 2022, so a clean restart under enforcing is the real test):

[root@rhcsa ~]# setenforce 1
[root@rhcsa ~]# systemctl restart sshd

Woohoo, we have done it. Now, to revert the port back to 22 so that we can keep training, use the one-liner below. It only reverts sshd_config; the SELinux mapping for port 2022 stays in place, which does no harm for sshd on port 22.

sed -i 's/^Port 2022/Port 22/g' /etc/ssh/sshd_config; systemctl restart sshd
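The procedure above runs semanage port -a without first checking whether the port is already labelled. Before touching the port map on a real host, a practitioner wants to know which type currently covers the port and whether an exact entry already exists (in which case -a is refused as "already defined" and -m is needed). The bash script below is added here as an example and is not part of the original page: it parses the listing format of semanage port -l and prints the semanage command to run. It embeds a constructed, simplified excerpt of the listing so it runs offline; set PORT_LIST to the real output of semanage port -l to use it on a host. The function names port_types, semanage_port_action and semanage_port_cmd are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: choose the right `semanage port`
# command for a port by parsing the listing format of `semanage port -l`.
# PORT_LIST defaults to a constructed, simplified excerpt so the script runs
# offline; on a real host use:  PORT_LIST=$(semanage port -l) ./portcheck.sh

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
reserved_port_t                tcp      1-511
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535'

# port_types PROTO PORT
# Prints "type entry" for every listing entry (single port or lo-hi range)
# that covers PORT on PROTO, in listing order.
port_types() {
    local proto=$1 port=$2
    printf '%s\n' "${PORT_LIST:-$SAMPLE_PORT_LIST}" | awk -v proto="$proto" -v port="$port" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                tok = $i
                sub(/,$/, "", tok)              # entries are comma separated
                n = split(tok, r, "-")          # "22" or "10001-10010"
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) print $1, tok
            }
        }'
}

# semanage_port_action TYPE PROTO PORT -> add | modify | already
# `semanage port -a` is refused with "already defined" when an exact entry for
# the port exists; a range such as 1024-65535 covering the port does not count.
semanage_port_action() {
    local want=$1 proto=$2 port=$3
    port_types "$proto" "$port" | awk -v want="$want" -v port="$port" '
        $2 == port { verdict = ($1 == want) ? "already" : "modify"; exit }
        END { print (verdict == "" ? "add" : verdict) }'
}

# semanage_port_cmd TYPE PROTO PORT -> the command to run (or a comment)
semanage_port_cmd() {
    local want=$1 proto=$2 port=$3
    case $(semanage_port_action "$want" "$proto" "$port") in
        add)     echo "semanage port -a -t $want -p $proto $port" ;;
        modify)  echo "semanage port -m -t $want -p $proto $port" ;;
        already) echo "# $proto/$port is already labelled $want, nothing to do" ;;
    esac
}

# Demo for the page's scenario: move sshd to tcp/2022, and a port that
# already has an exact entry under another type.
semanage_port_cmd ssh_port_t tcp 2022     # semanage port -a -t ssh_port_t -p tcp 2022
semanage_port_cmd ssh_port_t tcp 8080     # -m: 8080 is an exact http_cache_port_t entry
```

The range check is what tells 2022 apart from 8080: 2022 only falls inside the broad unreserved range, which semanage does not treat as a conflict, while 8080 is an explicit http_cache_port_t entry and needs -m. When you are done training, the local mapping added by the page can be dropped again with semanage port -d -t ssh_port_t -p tcp 2022.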