Hello, friends. There are many questions about SELinux in Rocky Linux 9, but today we will talk a little about this tool and clarify some basic points to move forward with it.
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that gives administrators more control over who can access the system. Thus, SELinux helps Linux become a more secure system without losing configurability.
In short, SELinux defines access controls for applications, processes, and files within a system. This means that it uses security policies, which consist of a set of rules, to tell SELinux which elements can be accessed.
So, it is the task of a sysadmin to know his system and the applications and services it serves, to define the rules on which these accesses are provided. Probably, at the beginning, it is something annoying or uncomfortable, but later it becomes usual and necessary.
Install SELinux on Rocky Linux 9
RHEL-based distributions include SELinux by default in their installations, so you don’t have to install anything. However, SELinux may turn out to be disabled on your system.
To find out if this is the case, open a terminal and run
sestatus
You will get an output screen similar to this one
There you can quickly check if SELinux is enabled.
SELinux has 3 working modes that you can play with according to the circumstances.
- Enforcing: Denies access according to the policy rules. This is the mode you should be in.
- Permissive: Allows access that the policy would deny, but logs an alert for each one.
- Disabled: Disables SELinux completely.
In addition to this, SELinux incorporates two policies on how to apply the rules:
- Targeted: is the default policy and affects services that SELinux handles, such as protocols and base applications.
- MLS/MCS: enables multi-level or multi-category security.
If you want to change the mode temporarily, you can run setenforce with root permissions.
To enter permissive mode:
setenforce 0
Or for enforcing mode:
setenforce 1
But if you would like to disable it or make the changes permanent, then you can edit the file /etc/selinux/config.
vi /etc/selinux/config
Then search for the SELINUX line and give it the value you want. The comments in that same file list the options you can set. To disable it:
SELINUX=disabled
Save the changes and restart the system.
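As an added example (not part of the original article), the script below compares the mode the system is currently running in with the persistent value in /etc/selinux/config, which catches a temporary setenforce 0 that was never reverted or a SELINUX line that is not in the exact KEY=value form. The function names are hypothetical, and getenforce (part of the standard SELinux userland tools) is assumed to be installed.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the persistent one.
# Function names are hypothetical; getenforce is assumed to be installed.
CONFIG=/etc/selinux/config

# Print the persistent mode from a config file, lowercased for comparison,
# or "invalid" when the SELINUX key is missing or not written as SELINUX=value.
configured_mode() {
    val=$(sed -n 's/^SELINUX=\([A-Za-z]*\)[[:space:]]*$/\1/p' "$1" 2>/dev/null \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        enforcing|permissive|disabled) echo "$val" ;;
        *) echo "invalid" ;;
    esac
}

# Print the runtime mode, lowercased, or "unknown" if getenforce is absent.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo "unknown"
    fi
}

# Classify a (runtime, configured) pair. Returns 0 only when both are enforcing.
check_selinux() {
    run=$1; conf=$2
    if [ "$conf" = "invalid" ]; then
        echo "BAD_CONFIG"; return 2   # config line missing or malformed
    elif [ "$run" = "unknown" ]; then
        echo "UNKNOWN"; return 3      # runtime mode could not be read
    elif [ "$run" != "$conf" ]; then
        echo "DRIFT"; return 1        # setenforce was used, or a reboot is pending
    elif [ "$run" = "enforcing" ]; then
        echo "OK"; return 0
    else
        echo "WEAK"; return 1         # consistent, but not enforcing
    fi
}

# Run the check only on hosts that actually have the config file.
if [ -r "$CONFIG" ]; then
    check_selinux "$(runtime_mode)" "$(configured_mode "$CONFIG")" \
        || echo "SELinux mode needs review on this host" >&2
fi
```

A DRIFT result after someone ran setenforce 0 for troubleshooting is the common case this is meant to surface.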
You now have a general idea of how SELinux works; what remains is to learn the rules.
Conclusion
SELinux is important on many RHEL-based systems, so it is good to have a general idea of how it works and how it behaves.