How to Enable / Disable SELinux

SELinux, or Security-Enhanced Linux, is a security framework developed to enhance the security of Linux-based operating systems. It closely monitors and controls access to various parts of the system, such as files, processes, and network resources.

SELinux implements a Mandatory Access Control (MAC) model. This means it enforces strict rules defined by system administrators or policies, limiting what each program or user can do, even if they have certain permissions.

SELinux Enabled by Default:

  • Red Hat Enterprise Linux (RHEL): SELinux is typically enabled by default in RHEL distributions. Red Hat values security and integrates SELinux as a core component to enhance system security by enforcing mandatory access controls.
  • CentOS: Being closely related to RHEL, CentOS also often has SELinux enabled by default for the same reasons as RHEL. It follows a similar security-focused approach.
  • Fedora: Fedora, being a bleeding-edge Linux distribution sponsored by Red Hat, generally ships with SELinux enabled by default. It aligns with Red Hat’s security-first philosophy.

SELinux Disabled by Default:

  • Debian: SELinux is not enabled by default in Debian. Instead, Debian utilizes AppArmor, another security framework that focuses on application-level security policies.
  • Ubuntu: Similar to Debian, Ubuntu doesn’t have SELinux enabled by default. Instead, it uses AppArmor as its mandatory access control framework for added security.
  • Arch Linux: SELinux is not enabled by default in Arch Linux. Arch Linux, known for its minimalist approach, gives users the choice to enable SELinux if they require its security features.

If you are running a Linux version where SELinux is not enabled by default, you can install the SELinux tools with the policycoreutils package:

Bash
sudo apt install policycoreutils

Step 1 – Check Status:

To determine the current status of SELinux, run:

Bash
getenforce

Example Output:

Step 2 – Temporary Disable

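To temporarily disable SELinux enforcement without rebooting the system, switch it to permissive mode, in which violations are logged but not blocked. The change does not persist across a reboot: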

Bash
setenforce 0

Step 3 – Temporary Enable

Bash
setenforce 1

Step 4 – Permanently Enable / Disable

To permanently disable SELinux, you’ll need to edit the SELinux configuration file. Open the file /etc/selinux/config using a text editor like nano or vi and set SELINUX=disabled:

Bash
nano /etc/selinux/config

To permanently enable SELinux, follow the same steps as above but change SELINUX=disabled to SELINUX=enforcing in the /etc/selinux/config file. The file is read at boot, so either change takes effect after a reboot.

Example contents of /etc/selinux/config:

Bash
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
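
The steps above change two different things: setenforce sets the running mode, while /etc/selinux/config sets the mode for the next boot. The following added example (not from the original article) reports when the two disagree. The function names and verdict strings are this example's own, and it assumes the first uncommented SELINUX= line is the one that counts.

```shell
#!/bin/sh
# Added example: detect a mismatch between the runtime SELinux mode
# (getenforce/setenforce) and the boot-time mode in /etc/selinux/config.

# Print the boot-time mode from a config file: first uncommented SELINUX= line,
# lower-cased. SELINUXTYPE= never matches because of the "=" in the pattern.
config_mode() {
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
           head -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${mode:-unset}"
}

# $1 = runtime mode as printed by getenforce, $2 = path to the config file.
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(config_mode "$2")
    case "$runtime/$boot" in
        enforcing/enforcing)  echo "OK enforcing now and after reboot" ;;
        permissive/enforcing) echo "DRIFT runtime relaxed (setenforce 0); enforcing returns after reboot" ;;
        enforcing/permissive|enforcing/disabled)
                              echo "DRIFT enforcing now, but next boot is $boot" ;;
        */enforcing)          echo "PENDING $runtime now; enforcing after reboot" ;;
        */unset)              echo "ERROR no SELINUX= line in $2" ;;
        *)                    echo "WEAK $runtime now, $boot after reboot" ;;
    esac
}

# Constructed sample: the SELINUX=/SELINUXTYPE= lines of the file shown above.
sample_config() {
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        "SELINUX=$1" '# SELINUXTYPE= can take one of these two values:' \
        'SELINUXTYPE=default'
}

# Demo on constructed input.
# On a real host: selinux_drift "$(getenforce)" /etc/selinux/config
demo=$(mktemp)
sample_config permissive > "$demo"
selinux_drift Enforcing "$demo"   # setenforce 1 was run, config still permissive
sample_config enforcing > "$demo"
selinux_drift Permissive "$demo"  # setenforce 0 was run, config is enforcing
rm -f "$demo"
```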

Caution:
Disabling SELinux may expose your system to potential security risks. Only disable it if you have specific reasons and understand the implications.

Remember, while SELinux can be disabled or enabled, it’s a powerful security feature designed to protect your system. It’s recommended to understand how it works and adjust its policies rather than completely turning it off.

Always be careful and create backups before making system-level changes to ensure you can revert if needed.

Want to know more?

1. What is SELinux?

  • Answer: Security-Enhanced Linux (SELinux) is a security architecture integrated into the Linux kernel. It provides a flexible mandatory access control framework to strengthen the overall security of a Linux system.

2. How does SELinux enhance security?

  • Answer: SELinux goes beyond traditional discretionary access controls by implementing mandatory access controls. It defines and enforces policies that restrict user and process privileges, preventing unauthorized access and potential security threats.

3. What are the main components of SELinux?

  • Answer: SELinux comprises three main components: policies, security server, and security contexts. Policies define rules, the security server enforces them, and security contexts label objects to determine their access levels.

4. How can I check if SELinux is enabled on my system?

  • Answer: Execute the command sestatus in the terminal. If SELinux is enabled, it will display the current status, enforcing mode, and policy version.

5. What are SELinux modes, and how do they differ?

  • Answer: SELinux operates in three modes: Enforcing, Permissive, and Disabled. Enforcing actively denies access violations, Permissive logs violations without enforcement, and Disabled turns off SELinux.

6. Can SELinux policies be customized?

  • Answer: Yes, SELinux policies can be customized to meet specific security requirements. Users can create or modify policies using tools like semanage and audit2allow.

7. How do I troubleshoot SELinux denials?

  • Answer: Check the audit logs (/var/log/audit/audit.log) for AVC (Access Vector Cache) denials. Tools like ausearch and audit2why help interpret denials and suggest corrective actions.

8. Can SELinux be temporarily disabled?

  • Answer: Yes, SELinux enforcement can be temporarily turned off using the command setenforce 0, which switches it to permissive mode. However, it’s not recommended for security reasons, and disabling should only be done for troubleshooting purposes.

9. How can I restore default SELinux policies?

  • Answer: To restore the default SELinux file labels, use the restorecon command. For example, restorecon -R / will restore the default security contexts for files and directories.

10. Are there alternatives to SELinux for Linux security?

  • Answer: Yes, alternatives like AppArmor and grsecurity exist. Each has its own approach to enhancing Linux security, and the choice depends on specific system requirements.
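
For the AVC denials mentioned in question 7, the following added example (not from the original article) collapses repeated denials in audit.log-style text into one line each and shows whether each was blocked or only logged, based on the permissive= field of the record. The function names are this example's own and the log lines are constructed.

```shell
#!/bin/sh
# Added example: group AVC denials so repeated events collapse into one line.

# stdin: audit.log text. stdout, most frequent first:
#   <count> <comm> <source type> -> <target type> <class> {<perms>} <effect>
summarize_avc() {
    awk '
    function val(key,   i) {            # value of key=... on the current line
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return "?"
    }
    function setype(ctx,   p) {         # user:role:type:level -> type
        split(ctx, p, ":"); return p[3]
    }
    /type=AVC/ && / denied / {
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1); gsub(/^ +| +$/, "", perms)
        comm = val("comm"); gsub(/"/, "", comm)
        # permissive=1: the access was allowed and only logged
        effect = (val("permissive") == "1") ? "logged-only" : "blocked"
        key = comm " " setype(val("scontext")) " -> " setype(val("tcontext"))
        key = key " " val("tclass") " {" perms "} " effect
        n[key]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in audit.log format (not from a real host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000007.552:418): avc:  denied  { read } for  pid=2101 comm="httpd" name="about.html" dev="dm-0" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000042.009:431): avc:  denied  { name_bind } for  pid=2330 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

sample_log | summarize_avc
```

A "logged-only" line is what a denial looks like while the system is in permissive mode: the record is written, but the access went through.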

Richard.Bailey
