SELinux
DAC vs. MAC: The Logic
To understand SELinux, you must understand the two types of control:
- DAC (Discretionary Access Control): This is the `rwx` system you already know. The “owner” has the discretion to set permissions.
- MAC (Mandatory Access Control): This is SELinux. It is a centralized system policy. Even if a file is `777`, SELinux can block a process (like a web server) from touching it if the policy says “Web servers don’t touch home folders.”
SELinux Modes
At any time, your system is in one of these three states:
| Mode | Behavior | Purpose |
|---|---|---|
| Enforcing | Actively denies access based on policy. Logs every denial. | Standard “Production” security. |
| Permissive | Allows access but logs the policy violation. | Troubleshooting and testing. |
| Disabled | Completely turned off. No logs, no security. | Not recommended unless necessary for specialized apps. |
Check Mode Commands:
- `getenforce`: Returns a one-word status (e.g., `Enforcing`).
- `sestatus`: Returns a detailed report of the current SELinux configuration.
Configuration and Persistence
SELinux settings are managed in two ways: temporarily (until reboot) or permanently.
- Permanent Config: Edit `/etc/selinux/config`.
  - Look for `SELINUX=enforcing`.
  - Note: Changing from `Disabled` to `Enforcing` usually requires a reboot because the system needs to relabel every file on the disk.
- Temporary Change: Use `setenforce 0` (Permissive) or `setenforce 1` (Enforcing). This takes effect immediately but resets on reboot.
Booleans: The “On/Off” Switches
Sometimes you don’t want to rewrite a whole policy; you just want to allow a specific action (e.g., “Allow FTP to read home directories”). SELinux uses Booleans for this.
- View all Booleans: `semanage boolean -l`
- Check a specific state: `getsebool ftpd_anon_write`
- Change a state: `setsebool ftpd_anon_write on`
- Make the change permanent: Add the `-P` flag: `setsebool -P ftpd_anon_write on`
Policy Modules
SELinux is modular. If you install Apache, an “apache” policy module is loaded to manage it.
- List modules: `semodule -l` (Shows the names and versions of active security modules).
Daily Life Application
- The “I have 777 but it still fails” Problem: If your permissions are correct (`rwx`) and the file path is correct, but your app still gets “Permission Denied,” SELinux is likely the cause.
- The Troubleshooting Trick: Before disabling SELinux entirely, switch to Permissive mode (`setenforce 0`).
  - If the app starts working, you know it’s an SELinux policy issue.
  - Check the logs (`/var/log/audit/audit.log`) to see exactly which rule is blocking you.
- The Fix: Instead of keeping it off, use a Boolean or fix the file’s SELinux Context (which we will cover next) to keep your system secure.
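The “check the logs” step above usually means reading raw AVC records, which are hard to skim. The following script is an added example (not part of the original notes) that summarizes each `avc: denied` record in `/var/log/audit/audit.log` into one line: which process in which source domain was denied which permission on which target type. It assumes the standard auditd AVC record layout and runs on constructed sample records embedded in the script.

```sh
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit.log so you can see
# which domain was blocked from which label before reaching for setenforce 0.
# Usage: summarize_avc < /var/log/audit/audit.log
#    or: ausearch -m avc -ts recent | summarize_avc

summarize_avc() {
    # Each AVC record is a line of key=value fields. Pull out the permission
    # inside "{ ... }", the process name, the type component (third field) of
    # the source and target contexts, the object class, and whether the record
    # was written in permissive mode (permissive=1 means logged but allowed).
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; s = ""; t = ""; cls = ""; mode = "enforcing"
        if (match($0, /\{ [^}]* \}/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        printf "%s: %s denied %s on %s (%s) [%s]\n", comm, s, perm, t, cls, mode
    }'
}

# Constructed sample records (not real logs). The first is a web server
# blocked from a home-directory file; the second was recorded while the
# system was permissive; the third is a non-AVC record and is ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13'

# Run the summary over the sample when executed directly.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

A summary line such as `httpd_t denied read on user_home_t (file)` points directly at the Boolean or file context to fix, without leaving the system in permissive mode.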