SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) mechanism that enforces strict security policies on Linux systems. This guide covers the installation and configuration of SELinux on an Ubuntu VPS, along with a step-by-step example of how to implement security policies to protect applications from potential threats.
Edited: 13-10-2024
SELinux is a security feature originally developed by the United States National Security Agency (NSA) that enforces strict access policies. It can protect your system from being compromised by limiting what processes and applications can access, even if they are running with root privileges.
Enhanced Security: SELinux prevents unauthorized processes from accessing critical files and directories.
Fine-Grained Control: It offers detailed control over which actions processes can perform, improving security.
Policy Enforcement: Unlike traditional permissions, SELinux policies are mandatory, ensuring consistent and strong security enforcement.
Unlike some Linux distributions where SELinux is enabled by default (e.g., Fedora or CentOS), Ubuntu uses AppArmor by default. However, you can install and enable SELinux on Ubuntu manually. Here’s how you can do that.
To install SELinux on your Ubuntu VPS, first ensure that your system is up to date:
    sudo apt update
    sudo apt upgrade
Then, install the necessary SELinux packages:
    sudo apt install selinux selinux-utils selinux-basics policycoreutils
This will install SELinux utilities and basic components required to manage and configure SELinux policies.
After installation, initialize SELinux using the following command:
    sudo selinux-activate
This command prepares your system for SELinux use by setting up necessary configurations.
SELinux can operate in several modes:
Enforcing: SELinux policy is enforced, and access violations are denied.
Permissive: SELinux is in warning mode; violations are logged but not enforced.
Disabled: SELinux is turned off completely.
To configure SELinux in enforcing or permissive mode, edit the SELinux configuration file:
    sudo nano /etc/selinux/config
You should see a line similar to:
    SELINUX=permissive
Change it to enforcing or leave it as permissive for testing purposes. In enforcing mode, SELinux policies are applied, while permissive mode will only log policy violations.
After making changes, save and exit the file. Then, reboot your VPS to apply the SELinux configuration:
    sudo reboot
Once your VPS has rebooted, you can check the status of SELinux with the following command:
    sestatus
If SELinux is properly configured, you will see its status as enabled and its current mode (enforcing or permissive).
SELinux enforces security policies that define what resources processes can access. These policies can be customized to fit your security needs. By default, SELinux ships with predefined policies, but you can create custom policies as well.
You can view the SELinux security contexts (labels) currently assigned to processes and files using the ps and ls commands with their -Z option:
To view SELinux security contexts for running processes:
    ps -eZ
To view SELinux security contexts for files and directories:
    ls -Z
The security context consists of user, role, type, and level. Each component defines permissions and controls how processes and files interact.
Before configuring a policy, it's often useful to switch SELinux to permissive mode to test whether applications will function without being blocked by SELinux policies:
    sudo setenforce 0
This puts SELinux in permissive mode temporarily, and violations will be logged instead of enforced.
For this example, let's assume we want to secure the Apache web server with SELinux policies. First, install Apache if it's not already installed:
    sudo apt install apache2
Start the Apache service:
    sudo systemctl start apache2
Now, let’s check the security context of the Apache executable:
    ls -Z /usr/sbin/apache2
SELinux assigns a type to each resource, and processes are restricted to accessing only resources of specific types. If Apache isn’t working as expected, you can troubleshoot with SELinux logs.
When SELinux denies an action, it logs the event. You can view SELinux-related logs to identify policy violations:
    sudo grep AVC /var/log/audit/audit.log
Each denial event will have details about the process that was denied access and why.
For example, if Apache tries to access a directory it’s not allowed to, you might see an AVC (Access Vector Cache) denial in the logs.
If Apache is being blocked from accessing specific files or directories, you can create a custom policy module to allow it. Here’s how you can generate a policy module to allow access.
1- Generate a Policy Module:
Use the audit2allow tool to generate a custom SELinux policy based on the denials in the logs:
    sudo grep apache2 /var/log/audit/audit.log | audit2allow -M myapache
2- Install the Custom Module:
Once the policy module is created, install it with:
    sudo semodule -i myapache.pp
This policy will now allow Apache to perform the actions that were previously blocked by SELinux.
Once you’ve verified that everything works as expected, you can switch back to enforcing mode:
    sudo setenforce 1
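Before installing a module built by audit2allow, it is worth checking which denials it was built from, because the grep apache2 filter passes every denial that mentions the process. The script below is an added example, not part of the original guide: it groups AVC records by process, source type, target type, class and permissions. The function names and the log lines in sample_log are constructed for illustration, and it assumes auditd is writing /var/log/audit/audit.log in the standard record format.

```bash
#!/usr/bin/env bash
# Added example: list the denials that audit2allow would turn into allow rules.
# Reads audit.log text (stdin or file arguments) and prints, per distinct denial:
#   count comm source_type -> target_type : class { perms } [blocked|logged-only]

summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      # The permission list sits between the braces, e.g. "{ read open }".
      perms = $0
      sub(/^[^{]*[{] */, "", perms)
      sub(/ *[}].*$/, "", perms)
      comm = src = tgt = cls = "?"; mode = "blocked"
      # A context is user:role:type:level, so the type is its third field.
      # permissive=1 means the access was logged but not actually denied.
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        gsub(/"/, "", val)
        if (key == "comm") comm = val
        else if (key == "tclass") cls = val
        else if (key == "scontext") { split(val, c, ":"); src = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        else if (key == "permissive" && val == "1") mode = "logged-only"
      }
      seen[comm " " src " -> " tgt " : " cls " { " perms " } [" mode "]"]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Constructed sample records in audit.log format (not taken from a real host).
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1728800000.101:201): avc:  denied  { read } for  pid=1432 comm="apache2" path="/var/www/myapp/index.html" dev="vda1" ino=2611 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1728800003.412:207): avc:  denied  { read } for  pid=1432 comm="apache2" path="/var/www/myapp/style.css" dev="vda1" ino=2612 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1728800009.870:215): avc:  denied  { read open } for  pid=1432 comm="apache2" path="/etc/shadow" dev="vda1" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1728800009.870:215): arch=c000003e syscall=257 success=yes comm="apache2" exe="/usr/sbin/apache2"
EOF
}

sample_log | summarize_avc
```

In the sample, the third record would become a rule letting httpd_t read shadow_t files if it were piped into audit2allow unreviewed. A mislabeled web directory such as the var_t case is better fixed by relabeling than by a new allow rule.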
Let’s look at a real-world example of using SELinux to secure a web application running on Apache.
    sudo apt install apache2
    sudo systemctl start apache2
Create a new directory for your web application:
    sudo mkdir /var/www/myapp
If Apache is unable to serve files from this directory due to SELinux policy violations, you can view the log and create an appropriate policy.
Use chcon to change the SELinux security context of the directory to a type that Apache is allowed to read:
    sudo chcon -R -t httpd_sys_content_t /var/www/myapp
Now, try accessing the web application via the browser. If SELinux is configured correctly, Apache should serve the files without any permission issues.
SELinux is a powerful tool that adds an additional layer of security to your Ubuntu VPS. Although it’s not enabled by default in Ubuntu, you can install and configure SELinux to enhance the security of your applications by enforcing strict access policies. With the steps outlined in this guide, you can install SELinux, create custom security policies, and protect your system from unauthorized access, even in the case of vulnerabilities in applications.