Configure SELinux – Part 1

SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. Under SELinux, every process and every object on the system (files, directories, sockets, pipes) is assigned a security context: a label carrying the SELinux user, role and type of the subject or object (and, under an MLS policy, its sensitivity level). In enforcing mode the kernel allows a process to access an object only if that access is explicitly allowed by the policy in effect; in permissive mode the same denials are only logged, which is useful for troubleshooting but provides no protection.

Three such policies have been packaged for Debian:

  • default (package selinux-policy-default; the usual choice, and the one the steps below assume)
  • strict (older; Debian no longer ships it as a separate package)
  • mls (package selinux-policy-mls; multi-level security for systems that need sensitivity labels)

Ensure SELinux is enabled in the bootloader configuration

Overview

Configure SELinux to be enabled at boot time and verify that the GRUB kernel command line does not disable it (selinux=0) or select a different security module (a security= parameter other than selinux).

Why:

SELinux must be enabled on the kernel command line in your GRUB configuration to ensure that the controls it provides are not overridden. If the kernel is booted with selinux=0, or with another LSM selected via security=, SELinux is never initialised and no policy is loaded, regardless of what /etc/selinux/config says. Debian kernels select AppArmor by default, so security=selinux is required to make SELinux the active module.

Audit:

Run the following command and verify that every linux line (one per menu entry, including recovery-mode entries) includes the parameters selinux=1 and security=selinux, and that none of them also carries selinux=0 (when a parameter is repeated, the last occurrence wins):

# grep "^\s*linux" /boot/grub/grub.cfg

Fix:

Run the following command (from the selinux-basics package) to configure GRUB and PAM and to create /.autorelabel, so that the whole filesystem is relabelled on the next boot:

# selinux-activate 

selinux-activate adds the parameters to GRUB_CMDLINE_LINUX itself; if they are missing, edit /etc/default/grub and add the following parameters to GRUB_CMDLINE_LINUX:

selinux=1 
security=selinux

example (enforcing=1 forces enforcing mode from boot regardless of /etc/selinux/config, and audit=1 starts kernel auditing early enough to capture AVC denials from the first services that start):

GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1"

Run the following command to regenerate /boot/grub/grub.cfg from /etc/default/grub, then reboot (the first boot after selinux-activate relabels the filesystem, which can take several minutes):

# update-grub 
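The audit and the fix above can be scripted so that they are repeatable across a fleet. The following is an added example, not code from the original post and not Debian's own selinux-activate script: check_grub_cfg implements the audit over the linux lines of a grub.cfg, and ensure_default_grub idempotently adds selinux=1 and security=selinux to the GRUB_CMDLINE_LINUX line of a /etc/default/grub-style file. Both function names are my own, both take the file path as a parameter so they can be tried on copies first, and the script assumes GNU grep and sed and a double-quoted GRUB_CMDLINE_LINUX value as in Debian's stock /etc/default/grub. It goes slightly beyond the text in that the audit also rejects a line that carries selinux=0 or enforcing=0 anywhere, and the fix strips an explicit selinux=0 before adding selinux=1.

```shell
#!/bin/sh
# Added example (not from the original post or from selinux-basics).
# Assumes GNU grep/sed. File paths are parameters so the functions can be
# exercised on constructed copies before /boot/grub/grub.cfg or
# /etc/default/grub are touched.

# check_grub_cfg FILE
# Returns 0 only if FILE has at least one "linux" stanza line and every such
# line carries selinux=1 and security=selinux as whole words and carries no
# selinux=0 or enforcing=0 (a later selinux=0 on the same line would win).
check_grub_cfg() {
    cfg="$1"
    linux_re='^[[:space:]]*linux[[:space:]]'
    [ -r "$cfg" ] || { echo "$cfg: not readable" >&2; return 1; }
    total=$(grep -cE "$linux_re" "$cfg" || true)
    [ "$total" -gt 0 ] || { echo "$cfg: no linux lines found" >&2; return 1; }
    ok=$(grep -E "$linux_re" "$cfg" \
        | grep -E '(^|[[:space:]])selinux=1([[:space:]]|$)' \
        | grep -E '(^|[[:space:]])security=selinux([[:space:]]|$)' \
        | grep -cvE '(^|[[:space:]])(selinux=0|enforcing=0)([[:space:]]|$)' || true)
    if [ "$ok" -ne "$total" ]; then
        echo "$cfg: $((total - ok)) of $total linux lines do not enable SELinux" >&2
        return 1
    fi
    return 0
}

# ensure_default_grub FILE
# Adds selinux=1 and security=selinux to GRUB_CMDLINE_LINUX in FILE (a copy of
# /etc/default/grub) when missing; running it twice leaves the file unchanged.
ensure_default_grub() {
    f="$1"
    line_re='^GRUB_CMDLINE_LINUX='
    if ! grep -qE "$line_re" "$f"; then
        printf 'GRUB_CMDLINE_LINUX="selinux=1 security=selinux"\n' >> "$f"
        return 0
    fi
    # Drop an explicit selinux=0, which would override selinux=1 if it came later.
    sed -i -E 's/^(GRUB_CMDLINE_LINUX="([^"]*[[:space:]])?)selinux=0([[:space:]]|")/\1\3/' "$f"
    for p in selinux=1 security=selinux; do
        if ! grep -E "$line_re" "$f" | grep -qE "(\"|[[:space:]])$p(\"|[[:space:]]|\$)"; then
            # Append the parameter just before the closing quote of the value.
            sed -i -E "s/^(GRUB_CMDLINE_LINUX=\"[^\"]*)\"/\1 $p\"/" "$f"
        fi
    done
    # Normalise whitespace inside the value (handles an originally empty value).
    sed -i -E '/^GRUB_CMDLINE_LINUX=/{s/[[:space:]]+/ /g;s/=" /="/;s/ "$/"/}' "$f"
}

# Usage: sh selinux-grub-check.sh [/boot/grub/grub.cfg]
# With a file argument, audit it and exit non-zero if any linux line fails.
if [ $# -gt 0 ]; then
    check_grub_cfg "$1"
    exit $?
fi
```

After ensure_default_grub has been applied to the real /etc/default/grub, update-grub still has to be run and check_grub_cfg pointed at the regenerated /boot/grub/grub.cfg; editing /etc/default/grub alone changes nothing until the next regeneration.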
