Install SELinux on Ubuntu 18.04
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Ubuntu has a Mandatory Access Control (MAC) system similar to SELinux, named AppArmor. Both SELinux and AppArmor provide a set of tools to isolate applications from each other to protect the host system from being compromised. AppArmor offers Ubuntu users mandatory access control options, without the perceived difficulty or learning curve that SELinux may have. However, if you are switching to Ubuntu 18.04, are already familiar with SELinux, and would like to use it to enforce security on your system, you can install it by following the steps in this guide.
- This guide is written for a non-root user. Commands that require elevated privileges are prefixed with
sudo. If you’re not familiar with the
sudocommand, you can check the Users and Groups guide.
Update the system:
sudo apt updateThe Linode kernel does not support SELinux by default. If the system is running a Linode kernel, you need to change to an upstream kernel in order to use SELinux. See the How to Change Your Linode’s Kernel for more steps. Once the kernel is set to the upstream kernel, continue with the steps in this guide.
Install MySQL/MariaDB on Ubuntu
Stop AppArmor using systemctl:
sudo systemctl stop apparmor
Purge AppArmor from the system:
Do not purge AppArmor if you believe you may reuse it in the future. If you would like to preserve the AppArmor configuration files, use the
sudo apt remove apparmor
sudo apt purge apparmor
Update the system:
sudo apt update && sudo apt upgrade -yuf
Reboot the Linode:
Install the SELinux package along with supporting packages to manage the installation.
sudo apt install selinux selinux-utils selinux-basics auditd audispd-pluginsDuring the installation, the system prompts you to reboot the system for the changes to take effect. Select Yes to continue.
Verify the status of SELinux installation. The status of SELinux installation should be
Reboot the Linode for the installation to complete:
sudo rebootAfter rebooting the system, SELinux should be enabled, but in permissive mode. Permissive mode means any actions that would have been disallowed are allowed, but logged in the audit log file located in the
Log back into the Linode via SSH. Replace
192.0.2.0with the IP address of the Linode.
Verify the status of the SELinux installation:
An output similar to the following appears:
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: default Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: requested (insecure) Max kernel policy version: 31
To put SELinux into enforcing mode, use the
setenforcecommand. When in enforcing mode, any actions not permitted by the system are blocked and the corresponding event is logged in the audit log file.
sudo setenforce 1
enforcingmode after reboot, edit the SELinux configuration file located in
/etc/selinux/configfrom the default
- File: /etc/selinux/config
1 2 3 4 5 6 7
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing
If you have set SELinux to enforcing mode, ensure that the SSH port has access before logging out of the current session.
sudo semanage port -l | grep 'ssh'
An output similar to the following appears, if TCP is allowed on port 22:
ssh_port_t tcp 22
If you do not see the this entry, open the port with the following command:
sudo semanage port -a -t ssh_port_t -p tcp 22
SELinux comes with a set of pre-built policies to handle requests that drive security. These policies determine if any request should be allowed to be processed.
For example, to enable a policy that allows MySQL requests through SELinux. MySQL’s documentation recommends that you disable SELinux to handle such requests, but there are other and better options.
Using permissive mode:
setenforce to 0, now SELinx allows everything but also logs it.
Now, when you either reboot or set
setenforce to 1 again, SELinux permissions return to old policies.
But this isn’t helpful if you wish to work frequently as you have to adjust
setenforce every time you want to allow mysqld process.
Building a local SELinux policy to Enable MySQL Process
To enable SELinux policy locally for mysqld process, you can execute the following command:
grep httpd /var/log/audit/audit.log | audit2allow -M mysqlpol semodule -i mysqlpol.pp
You have now enabled a local SELinux policy by using a mysqlpol.pp.
You can also make this permanent or global by using setsebool command. To make this globally permanent, run the following command:
setsebool -P httpd_can_network_connect_db 1
Enabling SELinux policy to write to a file or folder
In this example, you can enable the SELinux policy to gain write access to
Also check the policy booleans on
file1 before moving forward. To do so, run the following command:
An output similar to the following appears:
Policy booleans: abrt_anon_write off abrt_handle_event off allow_console_login on allow_cvs_read_shadow off allow_daemons_dump_core on allow_daemons_use_tcp_wrapper off allow_daemons_use_tty on allow_domain_fd_use on allow_execheap off allow_execmem on allow_execmod on allow_execstack on allow_ftpd_anon_write off allow_ftpd_full_access off …
The result is truncated as it is too long. But, after inspecting the booleans, none of these booleans can allow httpd access to
file1. The solution here is to provide a context of
httpd_sys_rw_content_t to the directory structure. Or, you can also give
public_content_rw_t context to the directory structure with
SELinux in enforcing mode and allowing daemons to access files at non-default locations
Here’s another SELinux policy example to understand various permissions at a deeper level. In this case, you want to enable SELinux to permit daemons to access files that are in a non-default location. When you run a daemon in a permissive mode, you can access these files but with policy enforced, you won’t be able to access the same files and see AVC denial messages instead.
The goal here is to be able to configure SELinux policy in enforcing mode to still allow daemons to access files in those locations.
To do so, run the following command:
semanage fcontext -l /daemon_old_path/
Now, check the default context of SELinux in the directory, and find the default context of the target daemon’s folder. This allows you to configure SELinux contexts and move your context too.
Here is an example where the context is
# semanage fcontext -l ... /var/www(/.*)? all files system_u:object_r:allow_daemons_use_tty:s0
Now apply these contexts using the following command:
semanage fcontext -a -t allow_daemons_use_tty '/newcontextpath(/.*)?'
Now that you have applied contexts to the new path above, you can enforce everything in this path to get that context by:
restorecon -RFvv /newcontextpath
To check the status run the following command:
ls -Zd /newcontextpath
After making these changes, you have to re-index man db by executing the following command:
To finish this, run man -k selinux to list all SELinux man pages.
The daemon can now access the files placed in a non-default location.
Disabling SELinux on Ubuntu is very straightforward, and you can decide if you wish to temporarily turn off or permanently turn it off. When you disable SELinux temporarily, it temporarily turns off all SELinux policies, but once the system restarts SELinux policies are in place again.
Disabling SELinux Policies on Ubuntu temporarily
To disable all SELinux policies on Ubuntu temporarily, run the following command:
Permanently Disable SELinux policies on Ubuntu
If you wish to permanently disable SELinux even when the system reboots, make changes to the
/etc/selinux/config file and set SELINUX to disabled. Change the SELinux line as shown below:
And, now if you restart the system, SELinux and its policies won’t be in place anymore.
After installing SELinux on the system, use the Getting Started with SELinux Guide to learn the basics of SELinux security.
This page was originally published on