Introduction
SELinux is a security mechanism built into the Linux kernel. Linux distributions such as CentOS, RHEL, and Fedora are equipped with SELinux by default.
SELinux improves server security by restricting and defining how a server processes requests and users interact with sockets, network ports, and essential directories.
For example, if an unauthorized user gains access, server access is restricted to a specified section, limiting the damage caused by the data breach. SELinux can also obstruct the installation of software packages or terminate processes during regular use.
Read this short tutorial to learn how to enable SELinux on CentOS 7.
Prerequisites
- A user account with sudo privileges
- Access to a terminal/console
- An RHEL-based system, such as CentOS 7
- A text editor, such as nano
SELinux Modes
SELinux has 3 modes.
- Enforcing mode: This is the default mode. It blocks and logs actions that are against defined policy.
- Permissive mode: Allows actions to take place and logs the events in detail. This mode is useful when testing SELinux features. Changing modes between enforcing and permissive does not require a system reboot.
- Disabled mode: Allows for all actions and does not log any activity. Changing to this mode requires a system reboot for it to apply. Learn more on disabling SELinux.
Check Status of SELinux
To check the current settings type the following command in your terminal:
sestatus
The output confirms that SELinux is disabled.
How to Enable SELinux
To enable SELinux follow these steps:
1. We need to change the status of the service in the /etc/selinux/config file. Use a text editor such as Nano.
For example using nano, access the file with the command:
sudo nano /etc/selinux/config
2. You are now able to change the mode of SELinux to either enforcing or permissive.
Edit the marked line to the mode you need.
3. Next press CTRL + X to save changes and exit the edit mode. Hit ‘y’ and press Enter to confirm.
4. To reboot enter:
sudo reboot
5. To check the status of SELinux by entering sestatus in the command line once again.
The result now confirms that the service is enabled and in enforcing mode.
Change SELinux Mode
Instead of disabling SELinux completely, a good option is to set it to permissive mode. As actions take place,they will leave a trail in the log file.
Note: By default, SELinux log messages are located in the /var/log/audit/audit.log file.
To change the mode from enforcing to permissive type:
sudo setenforce 0
To turn the enforcing mode back on, enter:
sudo setenforce 1
These changes only apply to the current session. They turn back to default after a reboot. To make the changes permanent, edit the configuration file using a text editor, as discribed above.
Conclusion
Now you know how to enable SELinux on CentOS 7. Start protecting your servers today.