Day 5 of 100 Days of DevOps
SELinux Installation and Configuration
The requirement is as follows:
Following a security audit, the xFusionCorp Industries security team has opted to enhance application and server security with SELinux. To initiate testing, the following requirements have been established for App Server 2 in the Stratos DataCenter:
- Install the required SELinux packages.
- Permanently disable SELinux for the time being; it will be re-enabled after necessary configuration changes. No need to reboot the server, as a scheduled maintenance reboot is already planned for tonight.
- Disregard the current status of SELinux via the command line; the final status after the reboot should be disabled.
So I first check the OS via os-release, as there are different distros out there. It's always good to check the OS.
Check the OS
cat /etc/os-release
NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://issues.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
Install the Packages
Then install the SELinux packages using yum, as I know yum is for RHEL package management.
As always, we don't know the exact package name, so we can use a built-in tool called . As always, you will need administrator (root) access for package installation.
Switch to root using sudo -i
Then search for the package: yum search --all selinux
Install the packages:
yum install -y selinux-policy selinux-policy-targeted
Configuration
To configure it, as always we can check inside /etc, since /etc stores system-wide configs and SELinux is a system-wide enforcing policy. I believe it should be there.
Open the file with the vi editor: vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# See also:
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-selinux-modes-at-boot-time_changing-selinux-states-and-modes
#
# NOTE: Up to RHEL 8 release included, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
# grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
# grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Then change SELINUX=enforcing to SELINUX=disabled and save the file.
Then we can check it with sestatus to verify SELinux.
PS: usually the change only shows up in sestatus after a restart, and sometimes it takes time to start while the policy is being applied throughout your system according to the config.
For our problem, they mentioned that we should disregard the current SELinux status, so we can leave it without a restart.
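The same edit can be done without vi and checked against the file itself instead of the runtime status. This is an added example, not part of the original write-up: the function names are hypothetical and it runs against a constructed copy of the config, not /etc/selinux/config.

```shell
# Added example: set and verify the persistent SELinux mode non-interactively.
# Function names are hypothetical; the sample config below is constructed.

# Print the value of the active (uncommented) SELINUX= line in file $1.
get_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Set SELINUX=$2 in file $1, keeping the original as $1.bak.
set_configured_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    # Refuse to edit a file with no active SELINUX= line rather than guess.
    if ! grep -q '^[[:space:]]*SELINUX=' "$1"; then
        echo "no active SELINUX= line in $1" >&2
        return 1
    fi
    cp -p "$1" "$1.bak" || return 1
    # The pattern requires "=" right after SELINUX, so SELINUXTYPE= and
    # commented lines are left untouched.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1.bak" > "$1"
}

# Constructed sample with the same layout as /etc/selinux/config.
make_sample_config() {
    cat > "$1" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

demo() {
    demo_cfg=$(mktemp)
    make_sample_config "$demo_cfg"
    echo "before: $(get_configured_mode "$demo_cfg")"
    set_configured_mode "$demo_cfg" disabled
    echo "after:  $(get_configured_mode "$demo_cfg")"
    rm -f "$demo_cfg" "$demo_cfg.bak"
}

demo
```

On the server itself, the functions would be pointed at /etc/selinux/config as root. The NOTE in that file says that after RHEL 8, SELINUX=disabled leaves SELinux running with no policy loaded unless selinux=0 is also passed on the kernel command line.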
That's all for today. Thx, bye!