Keeping SELinux active
SELinux, or Security-Enhanced Linux, is a security module that provides mandatory access control (MAC) policies in the Linux kernel. It is needed because it offers a higher level of security for Linux systems by enforcing strict rules on what processes and users can do on the system. By default, Linux uses discretionary access control (DAC), which means that any user or process can access any file or resource, as long as they have the appropriate permissions. This can lead to security vulnerabilities, as any compromised process or user can potentially access and modify sensitive data or system files.
SELinux adds an extra layer of security by enforcing mandatory access control policies that restrict access to files and resources based on the security context of the process or user. This means that even if a process or user has the appropriate permissions, they will only be able to access resources that are explicitly allowed by the SELinux policy.
This recipe will cover how to create a custom SELinux policy instead of disabling it and how to allow services to do things such as bind to low ports (<1024).
Getting ready
As with the other test, we will need an Oracle Linux system to play with. Nothing else is required. SELinux is enabled by default on most installations. To see the status of SELinux, you can use the getenforce command, which returns the current active state. There are three states:
- enforcing – SELinux is active and blocking activity that is not allowed
- permissive – SELinux is enabled, but will not block any activity
- disabled – SELinux is disabled
Additional commands are available if you install the setools-console package using dnf:
dnf install -y setools-console
You can also use the command sestatus to get more information about SELinux:
[root@ol8 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
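The sestatus fields shown above can also be checked from a script, so that a host left in permissive mode, or set to come up non-enforcing at the next boot, is flagged. The following is an added example, not code from the original recipe; the function names, the verdict strings, and the sample text are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag hosts whose SELinux mode has drifted from enforcing.

# Constructed sample: the sestatus output shown above, trimmed, with the
# running mode changed to permissive while the config file still says enforcing.
SAMPLE_DRIFT='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Print the value of one "Key: value" line read from stdin.
sestatus_field() {
    awk -F':' -v key="$1" \
        '$1 == key { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Classify sestatus output passed as $1. Returns 0 only when SELinux is
# enforcing now and configured to be enforcing at the next boot.
audit_selinux() {
    local out="$1" status current config
    status=$(printf '%s\n' "$out" | sestatus_field 'SELinux status')
    current=$(printf '%s\n' "$out" | sestatus_field 'Current mode')
    config=$(printf '%s\n' "$out" | sestatus_field 'Mode from config file')

    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux status is '${status:-unknown}'"
        return 2
    fi
    if [ "$current" != "enforcing" ]; then
        echo "FAIL: running mode is $current (config file: $config)"
        return 1
    fi
    if [ "$config" != "enforcing" ]; then
        echo "WARN: enforcing now, but config file sets $config for next boot"
        return 1
    fi
    echo "OK: enforcing now and at next boot"
}

# Audit the live host when sestatus exists, otherwise the constructed sample.
if command -v sestatus >/dev/null 2>&1; then
    audit_selinux "$(sestatus)" || true
else
    audit_selinux "$SAMPLE_DRIFT" || true
fi
```

The non-zero return codes make the function usable as a gate in a cron job or configuration-management check.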
You can also use the SELinux type to manage resources. SELinux types are labels used to classify various resources in a Linux system, such as processes, files, directories, and network ports. SELinux types are an important part of SELinux security policies, as they determine which processes and users can access specific resources on the system.
There are several kinds of SELinux types, including the following:
- User types: User types are used to define the security context of a user. They are also used to confine the actions of a user to a specific set of resources on the system.
- Role types: Role types are used to define the security context of a role. They are also used to confine the actions of a user to a specific set of resources on the system.
- Domain types: Domain types are used to define the security context of a process. Each process on the system is assigned a unique domain type, which determines which resources the process can access.
- Type enforcement types: Type enforcement types are used to define the security context of a file or directory and confine the actions of a process to a specific set of resources on the system.
- Network port types: Network port types are used to define the security context of a network port. Network port types are used to restrict network access to specific ports or services on the system.
In addition to these types, there are also several special types used by SELinux, such as the unconfined_t type, which is used for processes that are not confined by SELinux, and the system_u and root_t types, which are used for system resources and processes.