Categories: Ubuntu

SELinux on Ubuntu Tutorial

One way to enhance your Linux system’s security is by adding an extra security layer using SELinux. With Security-Enhanced Linux (SELinux), the applications on your Linux systems get isolated from each other, protecting your host system. By default, Ubuntu uses the AppArmor, a Mandatory Access Control system which enhances the security, but you can use the SELinux to achieve the same.

SELinux is beneficial, and in case of a security breach on your system, it prevents the spread of the breach to protect your system. Moreover, the tool protects the web servers depending on the mode you set for the SELinux. This guide offers a hands-on tutorial on how to disable the AppArmor, install the SELinux, enable the different modes, and disable SELinux.

Getting Started with SELinux

Note that before you proceed with SELinux, there is a risk in using it, especially since it can render your system unusable. So, only use it if you must and in such applicable case. Besides, it’s always safer to disable the AppArmor before installing the SELinux.

To disable the AppArmor, run the following command:

1
$ sudo systemctl stop apparmor

Once the AppArmor stops, restart your system.

How to Install SELinux on Ubuntu

Once you disable or remove the AppArmor, open your terminal and run the following command to install SELinux.

1
2
3
$ sudo apt update

$ sudo apt install policycoreutils selinux-utils selinux-basics

Once the installation is successful, you need to activate the tool. You can do that using the following command:

1
$ sudo selinux-activate

Enabling SELinux Modes on Ubuntu

There are three different modes that you can use with SELinux. The first is disable, which does the same as its name. It disables using the SELinux service. When SELinux is activated, you can set it to permissive or Enforcing modes. In the permissive mode, only the monitoring of the interaction is done. However, if you want to filter and monitor the interaction, use the enforcing mode.

Let’s start by setting the enforcing mode. Use the following command:

1
$ sudo selinux-config-enforcing

Alternatively, you can use the setenforce command to set the enforcing mode. The command for this is as follows:

1
$ setenforce 1

Once you set the mode, you need to reboot your system for it to take effect.

1
$ reboot

Note that the relabelling process starts during the restart. The system reboots normally once it is complete. During relabelling, you should note a warning message like in the following image:

After a successful reboot, you can run the following command to check the SELinux status. It should be set to enforcing.

1
$ sestatus

The enforcing mode is the default set by SELinux. In this state, most if not all the requests get blocked. The solution is to select the permissive mode, which logs all the violated rules. You can check the log file for details.

To set the permissive mode, use the following command:

1
$ setenforce 0

Go ahead and check the mode using the setstatus command or use the getenforce command:

1
2
3
4
5
$ setstatus

or

$ getenforce

With getenforce, you will only see the name of the current mode, but the setstatus shows more details about the currently set mode.

Note that you must restart the system to switch between the two modes. Besides, you can view the set modes from the /etc/sysconfig/selinux file.

As we noted, the permissive mode is more flexible and won’t necessarily block all the requests. Instead, it keeps a log file when the rules get violated. To access the log file, you can use the following command:

1
$ grep selinux /var/log/audit/audit.log

To set the permissive mode, use the following command:

1
$ sudo setenforce 0

How to Disable SELinux

We’ve seen how to enable and set the different SELinux modes. But how about disabling it? The best option is to disable it from the config files permanently. For this, open the file using an editor like nano. Then, change the mode from enforcing to disabled, as shown in the following command:

1
$ sudo nano /etc/selinux/config

Once opened, look for the SELINUX=enforcing line and change it to SELINUX=disabled.

Conclusion

The AppArmor is the extra security layer in Ubuntu and other Linux systems. However, if you prefer using the SELinux, we’ve covered how you can install, enable, and use its different modes. Before installing the SELinux, make sure you disable the AppArmor and restart the system. Also, proceed with caution when using the SELinux to avoid messing up with your system.

Ubuntu Server Admin

Recent Posts

Building RAG with enterprise open source AI infrastructure

One of the most critical gaps in traditional Large Language Models (LLMs) is that they…

18 hours ago

Life at Canonical: Victoria Antipova’s perspective as a new joiner in Product Marketing

Canonical is continuously hiring new talent. Being a remote- first company, Canonical’s new joiners receive…

2 days ago

What is patching automation?

What is patching automation? With increasing numbers of vulnerabilities, there is a growing risk of…

3 days ago

A beginner’s tutorial for your first Machine Learning project using Charmed Kubeflow

Wouldn’t it be wonderful to wake up one day with a desire to explore AI…

4 days ago

Ubuntu brings comprehensive support to Azure Cobalt 100 VMs

Ubuntu and Ubuntu Pro supports Microsoft’s Azure Cobalt 100 Virtual Machines (VMs), powered by their…

4 days ago

Ubuntu Weekly Newsletter Issue 870

Welcome to the Ubuntu Weekly Newsletter, Issue 870 for the week of December 8 –…

5 days ago