Keeping SELinux active 2 – Keeping the Data Safe – Securing a System

How to do it…

The state of SELinux can be changed on the fly using the command setenforce with the parameters 1 or 0. Using 1 puts SELinux into enforcing mode, while 0 puts it into permissive mode.

Additionally, you can edit the configuration file, /etc/selinux/config, and set the SELINUX field to any one of the three states (enforcing, permissive, or disabled). This is also the only way to disable SELinux.

While disabling SELinux is tempting for many admins, the policy can usually be adjusted to allow the required behavior instead.

SELinux also logs its denials (AVC records) to the /var/log/audit/audit.log file by default.
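As an added example that is not part of the original recipe, the following shell script reads the persistent mode from a file in the /etc/selinux/config format and summarises the AVC denials found in an audit.log-style file. The function names, temporary file paths and sample records are constructed for the demonstration, so it runs without touching the live system.

```shell
# Added example, not from the original recipe. Both helpers take a file path so
# they can be run against the constructed sample files created below rather than
# against /etc/selinux/config and /var/log/audit/audit.log on a real host.

# Print the uncommented SELINUX= value (enforcing, permissive or disabled).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print "<count> <source type> <target type> <class> <permissions>" for each
# distinct denial, most frequent first. Only type=AVC "denied" records count.
summarize_avc() {
    awk '
    /type=AVC/ && /avc:  denied/ {
        split("", val)
        perms = $0
        sub(/.*denied  [{] /, "", perms); sub(/ [}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext" || kv[1] == "tcontext") {
                split(kv[2], ctx, ":"); val[kv[1]] = ctx[3]   # keep only the type field
            } else if (kv[1] == "tclass") {
                val["tclass"] = kv[2]
            }
        }
        count[val["scontext"] " " val["tcontext"] " " val["tclass"] " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONFIG=$(mktemp); SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_AUDIT"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.101:301): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.txt" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.202:302): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.txt" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.303:303): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF

echo "configured mode: $(selinux_config_mode "$SAMPLE_CONFIG")"
summarize_avc "$SAMPLE_AUDIT"
```

Run against the real files as root, the same two functions show whether the configured mode matches what you expect and which domain/type pairs are being denied, which is the information you need before deciding between a Boolean, a file context fix, or a custom module.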

How it works…

SELinux has several layers of security managing files, ports, and kernel modules. They are all managed by the semanage command.

semanage

semanage is a command-line tool used to manage SELinux policies on Linux systems. It is used to create, modify, or delete SELinux policy settings, as well as to manage file contexts and network ports. Here are some common uses of the semanage command:

  • semanage can be used to add, enable, disable, or remove policy modules. For example, you can install a compiled policy module with the following command:


semanage module -a kernelmodule.pp

This will add the policy module kernelmodule.pp to the SELinux policy.

  • semanage can be used to manage file contexts, including adding or modifying contexts for specific files or directories. For example, you can add a new file context with the following command:


semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'

This will add a new file context rule that allows the HTTPd process to access files and directories under /var/www/html. The rule only takes effect on existing files once they are relabeled, for example with restorecon -Rv /var/www/html.

  • semanage can be used to manage network ports, including assigning a port type to additional port numbers. For example, you can allow the web server to use a non-standard port with the following command:


semanage port -a -t http_port_t -p tcp 8080

This will label TCP port 8080 with the http_port_t type so that the HTTPd process is allowed to bind to it.

  • setsebool: SELinux has Boolean variables that can be either enabled or disabled to control specific security policies. To change the value of these variables, you can use the setsebool command to enable or disable certain SELinux policies; the -P option makes the change persistent across reboots. A useful example is when you set httpd_can_network_connect to true for a web server:


setsebool -P httpd_can_network_connect on

  • getsebool: To view the status of SELinux Booleans, you can use the getsebool command. This command displays the Boolean variables that enable or disable certain policies. To view all values, use the -a option. Alternatively, you can pass a specific Boolean to check, as shown in this example:


getsebool httpd_can_network_connect
httpd_can_network_connect --> off
