Secure Your Linux Applications: Configure SELinux for applications and services

Introduction

Security-Enhanced Linux (SELinux) is a powerful mandatory access control system that is enabled by default on most Linux distributions based on RHEL.

In this blog, we will walk through the general steps to configure SELinux to safeguard your applications and services, covering SELinux modes, Booleans, custom policies, and troubleshooting tips along the way.

Take the Apache web server as an example. When installed on a RHEL-based distribution, Apache defaults to /var/www/html as the document root and to ports 80 (for HTTP) and 443 (for HTTPS).

You can use a different directory and port: a website might opt for /opt as the document root and port 8080.

Out of the box, SELinux denies those nonstandard options, so it must be configured for them to work properly.

Configure SELinux for nonstandard configurations

You need a user with sudo privileges to follow the steps below.

Install Apache

First, you need to install the Apache web server on a Linux distribution such as Rocky Linux, AlmaLinux, or RHEL.

sudo dnf install httpd -y
sudo systemctl enable --now httpd

Install SELinux Utilities (if needed):

If SELinux is not installed on your system, install the necessary packages. The package names might vary depending on your Linux distribution. For example, on CentOS/RHEL systems, you can use:

sudo dnf install policycoreutils-python-utils setroubleshoot selinux-policy selinux-policy-targeted libselinux-utils -y # libselinux-utils provides getenforce/setenforce on RHEL-based systems

Check the default ports

To verify that SELinux allows Apache to serve sites on the default ports, list the port labels that mention http:

sudo semanage port -l | grep http

The output looks like this:

http_cache_port_t    tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t    udp 3130
http_port_t          tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t  tcp 5988
pegasus_https_port_t tcp 5989

For example, change the Apache port from 80 to 9099. Note that 9099 does not appear in the http_port_t list above, which is why SELinux must be told about it later.

sudo nano /etc/httpd/conf/httpd.conf

Change the line Listen 80 to Listen 9099, then save the file.

Change the document root

First, change the document root in the httpd.conf file:

DocumentRoot "/var/www/html" to DocumentRoot "/opt/www"

Create the new document root and set its permissions with the commands below:

sudo mkdir /opt/www
sudo chmod -R ug+w /opt/www
sudo nano /opt/www/index.html #Create index file

In that file, paste the following:

<!DOCTYPE html>
<html>
<body>

<h1>Apache Welcome Page</h1>
<p>Welcome to Apache.</p>

</body>
</html>

Restart Apache

Before restarting Apache, make SELinux aware of the new port; otherwise httpd will be denied when it tries to bind to 9099.

sudo semanage port -a -t http_port_t -p tcp 9099
sudo systemctl restart httpd # Restart Apache

Make SELinux aware of the directory

Compare the context of the default document root with that of /opt/www, add a file-context rule that labels /opt/www as web content, and relabel the directory with the following commands:

sudo matchpathcon /var/www/html /opt/www
sudo semanage fcontext -a -t httpd_sys_content_t "/opt/www(/.*)?"
sudo restorecon -RFvv /opt/

Open port 9099 via the firewall

Open port 9099 in the firewall with the commands below:

sudo firewall-cmd --permanent --zone=public --add-port=9099/tcp
sudo firewall-cmd --reload
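An added example, not from the original post, that checks the two labels this procedure sets up by parsing the output formats of semanage port -l and matchpathcon shown above; the sample outputs are constructed and the helper functions are my own, not SELinux tooling.

```python
"""Offline checks for the labels the procedure sets up: TCP 9099 in http_port_t
and /opt/www in httpd_sys_content_t. All sample outputs are constructed."""

# Constructed: `semanage port -l | grep http` as shown above (before the
# `semanage port -a` step) and the http_port_t line after it.
SEMANAGE_PORT_BEFORE = """\
http_cache_port_t    tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t    udp 3130
http_port_t          tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t  tcp 5988
"""
SEMANAGE_PORT_AFTER = "http_port_t          tcp 9099, 80, 81, 443, 488, 8008, 8009, 8443, 9000\n"

def parse_semanage_ports(text):
    """Return {(type, proto): set of ports}; ranges like 10001-10010 expanded."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        # skip the header and blank lines present in the real command output
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue
        setype, proto, ports = parts
        bucket = table.setdefault((setype, proto), set())
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            bucket.update(range(int(lo), int(hi or lo) + 1))
    return table

def port_type(text, proto, port):
    """SELinux port type covering proto/port, or None if it is not labelled."""
    for (setype, p), ports in parse_semanage_ports(text).items():
        if p == proto and port in ports:
            return setype
    return None

# Constructed: `matchpathcon /var/www/html /opt/www` before the fcontext step.
# A fresh directory under /opt inherits usr_t, which is why the page relabels it.
MATCHPATHCON_BEFORE = """\
/var/www/html\tsystem_u:object_r:httpd_sys_content_t:s0
/opt/www\tsystem_u:object_r:usr_t:s0
"""

def file_type(text, path):
    """Type field of the context matchpathcon prints for path, or None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == path:
            return parts[1].split(":")[2]
    return None
```

Feed the real command output into these functions to confirm that 9099 resolves to http_port_t and /opt/www to httpd_sys_content_t before restarting httpd.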

Understanding SELinux

SELinux Modes

SELinux has three main modes: enforcing, permissive, and disabled. The enforcing mode enforces security policies, the permissive mode logs policy violations but does not block actions, and the disabled mode turns off SELinux.

For production use, you should typically set SELinux to enforcing mode. You can temporarily set it to permissive mode for debugging purposes.

Set SELinux modes

To switch between enforcing and permissive mode at runtime, use the following command (setenforce cannot disable SELinux; that requires setting SELINUX=disabled in /etc/selinux/config and rebooting):

sudo setenforce <enforcing | permissive>

For example, to set it to enforcing mode:

sudo setenforce enforcing

Testing and Troubleshooting SELinux:

If issues arise, review the AVC denials recorded in /var/log/audit/audit.log (search for "avc:  denied") and the system logs to identify what SELinux blocked and why.
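An added example, not part of the original post, that summarises AVC denials for the httpd process from audit.log lines; the log lines are constructed samples in the audit.log format, and the function names are my own.

```python
"""Summarise SELinux AVC denials for one process from audit.log lines.
Uses the key=value format of /var/log/audit/audit.log; samples are constructed."""
import re
from collections import Counter

# Constructed sample: what audit.log would show if httpd were restarted on
# port 9099 before the `semanage port -a` step, and then served a file whose
# type httpd_t is not allowed to read.
AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:811): avc:  denied  { name_bind } for  pid=1342 comm="httpd" src=9099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:811): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.237:815): avc:  denied  { read } for  pid=1350 comm="httpd" name="index.html" dev="dm-0" ino=9021 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.240:816): avc:  denied  { getattr } for  pid=1350 comm="httpd" path="/srv/site/index.html" dev="dm-0" ino=9021 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # permissive=1 means the action was logged but not blocked
    rec["permissive"] = rec.get("permissive") == "1"
    return rec

def denial_summary(log_text, comm):
    """Count denials for a process, keyed by (target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm:
            ttype = rec["tcontext"].split(":")[2]
            for perm in rec["perms"]:
                counts[(ttype, rec["tclass"], perm)] += 1
    return counts
```

A name_bind denial against unreserved_port_t points at a missing semanage port rule, while file denials against a non-httpd type point at a missing fcontext rule or restorecon run.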

SELinux Booleans:

You can list available Booleans and their statuses using the semanage boolean -l or getsebool -a command. To change a Boolean value, use the setsebool command (add -P to make the change persist across reboots).

View SELinux Context:

You can view the SELinux context for a specific file or directory using the ls -Z command.

Creating Custom SELinux Policies (Optional):

This involves using SELinux policy development tools such as audit2allow, which generates allow rules from logged denials, and semodule, which loads the resulting policy module. Review the generated rules before loading them, because they permit exactly what was denied, whether or not that access was intended.

Conclusion

Incorporating SELinux into your Linux system’s security posture can significantly improve its resilience against cyber threats.

By following the steps outlined in this guide, you’ll be well-equipped to configure SELinux effectively for your applications and services, bolstering the overall security of your Linux environment.

Remember to continually monitor and update your SELinux configurations to keep up with evolving security challenges. I hope this is helpful to you. Thank you for reading the DevopsRoles page!

About HuuPV

My name is Huu. I love technology, especially Devops Skill such as Docker, vagrant, git, and so forth. I like open-sources, so I created DevopsRoles.com to share the knowledge I have acquired. My Job: IT system administrator. Hobbies: summoners war game, gossip.