
How to Use SELinux


According to the official Security Enhanced Linux project page, SELinux is a security enhancement for Linux. It is widely used in Linux-based security-sensitive projects. Ubuntu 22.04 is compatible with SELinux, and these instructions will make it available on your Ubuntu 22.04 host. The steps in this guide appear as command line instructions. Both physical and virtual machines can be configured for SELinux, but you cannot enable SELinux in a Docker container without additional steps that are not covered in this guide.

SELinux Installation

SELinux is based on access control, which determines how different users can and cannot read, write, update, remove, or otherwise change different resources, and how administrators manage those differences. Over twenty years ago, SELinux introduced tools to enhance conventional Linux so these administrative chores are now less complex and more reliable. Currently, SELinux is implemented as a Mandatory Access Control (MAC) module within the kernel.

A standard modern Ubuntu distribution includes AppArmor, a Linux application security system that emphasizes ease-of-use and routine reliability. Both AppArmor and SELinux work through the Linux Security Module (LSM) interface. Since Linux only permits a single LSM to be active, the first step in an SELinux installation is to deactivate AppArmor.

SELinux alters parts of Linux profoundly. An error in its installation can easily render an entire host unresponsive. Therefore, make backups, be prepared to dispose of or recycle a particular instance, and work with care. Start your SELinux experiments in permissive mode, and make backups again before any switch to enforcing mode. Even the simplest SELinux installations are somewhat time-consuming, as they affect the entire filesystem, and each reboot takes a while, since SELinux methodically confirms the state of all filesystems and other resources.

Stop and Remove AppArmor

  1. It’s good practice to begin any Linux installation work by ensuring a consistent package state with:

    sudo apt update && sudo apt upgrade -y
    
  2. Your Ubuntu 22.04 installation probably runs AppArmor by default. To verify its status, request:

    systemctl status apparmor
    

    There are several lines of output, including “… enabled … SUCCESS …”.

  3. Press Q to close the status info. Note: A few variants of Ubuntu 22.04 for embedded computing do not run AppArmor. Therefore, if you see the message “… apparmor.service could not be found …”, you can safely skip the next paragraphs and proceed directly to the “Install SELinux” section below.

  4. In the more common case, where AppArmor is running, stop it:

    sudo systemctl stop apparmor
    
  5. Now disable AppArmor to prevent it from re-enabling:

    sudo systemctl disable apparmor
    

It is not necessary, or even desirable, to remove AppArmor. Most administrators leave it installed, but stopped and disabled.

Install SELinux

  1. Install SELinux:

    sudo apt install policycoreutils selinux-basics selinux-utils -y
    
  2. Enable SELinux:

    sudo selinux-activate
    

    Now you see:

    SELinux is activated. You may need to reboot now.
    

Do not reboot immediately! First, review the current state of your new SELinux host.

Verification

  1. To confirm the current status of your installation, use the command:

    getenforce
    

    This shows the one-word response:

    Disabled
    

This means that your SELinux is ready to work. It’s “active” but not yet turned on.

While getenforce provides the current state of SELinux, sestatus is a different command that provides more details.

  1. When you enter:

    sestatus
    

    You see:

    SELinux status:     disabled
    

While this output is similar to getenforce, once SELinux is enabled, sestatus reports more fully on the configuration, as detailed later.

Configuration of Permissions to Allow for Reboot

SELinux can be enabled in one of two states: permissive or enforcing. Your current SELinux installation is disabled.

If you connect to your host via SSH, access will be lost once SELinux is enabled. If you are using a VPS host, you can still log in via the LISH console.

  1. Reboot, and the Ubuntu 22.04 host likely comes up with SELinux “on”:

    sudo reboot
    

    Note: The first reboot with SELinux enabled begins a relabelling process that could take a long time, so be patient.

  2. Verify this through examination of /etc/selinux/config:

    cat /etc/selinux/config
    

    It should include the line:

    SELINUX=permissive
    

The presence of /etc/selinux/config indicates that the host is ready for configuration, and a reboot is needed to make most configurations effective. Here’s how it works:

  • Installation creates /etc/selinux/config.
  • Configuration updates /etc/selinux/config.
  • A reboot applies the SELinux configuration.

SELinux Management

SELinux has several options beyond the scope of this guide. Configuration is commonly achieved through configuration files rather than graphical user interface (GUI) or command line applications.

Enabling SELinux

Basic configuration of an SELinux installation starts with the SELINUX attribute in /etc/selinux/config.

  1. Open /etc/selinux/config:

    sudo nano /etc/selinux/config
    
  2. Enable SELinux by changing the line:

    SELINUX=permissive
    

    to

    SELINUX=enforcing
    
  3. Press CTRL+X to exit nano.
  4. Press Y to confirm.
  5. Press ENTER to save.
  6. The next time the host is rebooted, it comes up as an enforcing SELinux instance:

    sudo reboot
    
  7. Verify this again via /etc/selinux/config:

    cat /etc/selinux/config
    

    It should include the line:

    SELINUX=enforcing
    

SELinux Policies

/etc/selinux/config controls how an SELinux instance launches. However, it’s possible to adjust the action of SELinux between reboots with setenforce.

  1. Temporarily put SELinux in permissive mode with:

    sudo setenforce 0
    
  2. Check the current status of SELinux with:

    getenforce
    

    This should now display:

    Permissive
    
  3. Now check the status of SELinux again using sestatus:

    sestatus
    

    You not only see the current SELinux mode, but also the config file (boot) mode, and other information:

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             default
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     requested (insecure)
    Max kernel policy version:      33
    
  4. Switch SELinux back from permissive to enforcing mode with:

    sudo setenforce 1
    
  5. Check the current status of SELinux again:

    getenforce
    

    This should now display:

    Enforcing
    
  6. Confirm the status again using sestatus:

    sestatus
    

    You can see that setenforce only changes the current mode:

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             default
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     requested (insecure)
    Max kernel policy version:      33
    

The getenforce command can output other values besides Enforcing such as Permissive and Disabled. Note that these values are capitalized, unlike the values used in /etc/selinux/config.

How to disable SELinux

There are two distinct ways to disable SELinux:

  • Stop SELinux enforcement immediately, which will only last until the next reboot. After that, SELinux will return to enforcement.
  • Permanently disable SELinux enforcement, so that it’s not in effect after each boot operation.

It is common to refer to SELinux’s permissive operation as “disabled”. That usage can be misleading, because in permissive mode SELinux is not enforcing its policy and users do not see its effects, yet it remains active: it still logs access violations, it just does not block them. To fully disable SELinux, including its logging and other background activities, the /etc/selinux/config file must be updated and the system rebooted with sudo reboot.
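The check below is an added example and not part of the original guide: it parses the SELINUX= line of /etc/selinux/config and the fields of sestatus output (both embedded here as constructed samples mirroring the guide's output) and reports whether the running mode has drifted from the boot mode, which is exactly how a temporary setenforce 0 on an enforcing host, as described in the SELinux Policies section and the disabling section above, shows up. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the mode SELinux will
# boot into (/etc/selinux/config) with the mode currently in effect (sestatus),
# so that a temporary `setenforce 0` on an enforcing host is noticed.

# Effective SELINUX= value from config text on stdin: comment and blank lines
# are ignored, the last assignment wins, and the value is lower-cased so it
# compares cleanly with the capitalized words printed by getenforce.
config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { v = $2 }
             END { gsub(/[[:space:]]/, "", v); print tolower(v) }'
}

# Value of one "Label: value" field from sestatus text on stdin,
# e.g. sestatus_field "Current mode".
sestatus_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[[:space:]]+/, "", $2); print $2; exit }'
}

# getenforce prints Enforcing/Permissive/Disabled; the config file uses the
# lowercase spelling, so normalize before comparing.
normalize_mode() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Verdict for a config text ($1) and a sestatus text ($2):
#   "consistent" when the running mode matches the boot mode,
#   "drift"      when they differ (e.g. setenforce 0 on an enforcing host),
#   "disabled"   when SELinux is not loaded at all (status line says disabled).
check_drift() {
    boot=$(printf '%s\n' "$1" | config_mode)
    status=$(printf '%s\n' "$2" | sestatus_field "SELinux status")
    [ "$status" = "enabled" ] || { echo disabled; return 0; }
    current=$(printf '%s\n' "$2" | sestatus_field "Current mode")
    if [ "$(normalize_mode "$current")" = "$boot" ]; then echo consistent; else echo drift; fi
}

# Constructed sample inputs mirroring the guide's output after `setenforce 0`.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=default'

SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          enforcing'

check_drift "$SAMPLE_CONFIG" "$SAMPLE_SESTATUS"   # prints: drift
```

On a live host, feed the real files instead of the samples: `check_drift "$(cat /etc/selinux/config)" "$(sestatus)"`.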

Conclusion

Installing, enabling, and activating SELinux on Ubuntu 22.04 requires fewer than two dozen commands. This allows you to quickly have an enforcing SELinux. However, for details on configuring SELinux to meet specific requirements, refer to other resources.
