Preparatory Steps for SELinux on Ubuntu
Ubuntu does not enable SELinux by default (it uses AppArmor instead), so the first step is to install and activate SELinux. Run the following commands to install core SELinux packages:
sudo apt update
sudo apt install selinux-basics selinux-policy-default selinux-utils
After installation, enable SELinux by editing the configuration file:
sudo nano /etc/selinux/config
Change the SELINUX= line to enforcing (this ensures SELinux is active after reboot) and save the file. To apply the change immediately, run:
sudo selinux-activate && sudo reboot
Verify SELinux is enabled and in enforcing mode using:
sestatus
The output should show Current mode: enforcing.
Understanding Core SELinux Concepts for Access Control
SELinux uses Mandatory Access Control (MAC) to restrict access based on security contexts, which consist of three key components:
User: the SELinux user (e.g., system_u for system processes).
Role: the role (e.g., object_r for files, system_r for processes).
Type: the type, or domain for processes (e.g., httpd_sys_content_t for web files, ssh_home_t for SSH user files).
The enforcing mode ensures SELinux blocks unauthorized access based on these contexts. For example, a web server process (httpd_t) can only access files labeled with httpd_sys_content_t unless explicitly allowed by a custom policy.
Restricting Process and File Access with Security Contexts
To prevent unauthorized access, you must ensure files and processes have the correct security contexts. Use these commands to manage contexts:
ls -Z /path/to/file
chcon -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html
For processes, SELinux automatically assigns a context based on the service. For example, an Apache process runs with the httpd_t type, which is restricted to accessing only files labeled for web use. This prevents a compromised web server from reading sensitive system files (e.g., /etc/shadow).
Configuring Boolean Settings for Common Services
SELinux provides booleans—dynamic switches that toggle specific permissions for services. For example, to allow Apache to access user home directories (useful for personal websites), run:
sudo setsebool -P httpd_enable_homedirs 1
The -P flag makes the change permanent. To view all available booleans for a service (e.g., Apache):
sudo semanage boolean -l | grep httpd
Adjusting booleans helps balance security and functionality—for instance, disabling unnecessary access (e.g., httpd_can_network_connect=0) reduces the attack surface.
Creating Custom Policies for Application-Specific Needs
If a service requires access beyond the default policy (e.g., a custom application needs to read logs in /var/log/myapp), you can create a custom SELinux policy module. Here’s a step-by-step guide:
1. Install the policy development tools:
sudo apt install selinux-policy-dev policycoreutils-python-utils
2. Use audit2allow to parse SELinux denial logs (e.g., from /var/log/audit/audit.log) and create a policy file:
sudo ausearch -m avc -ts today | audit2allow -M my_custom_policy
This generates two files: my_custom_policy.te (policy source) and my_custom_policy.pp (compiled module).
3. Review the generated my_custom_policy.te before installing it; every type and class used in a rule must be declared in the require block. For the example above, the source looks like this:
# Module name and version
policy_module(my_custom_policy, 1.0)
# Declare every type and class the rules below refer to
require {
type myapp_t;
type var_log_t;
class file { read open };
}
# Let the application domain read files labeled var_log_t (the default label under /var/log)
allow myapp_t var_log_t:file { read open };
If you edit the source, rebuild the compiled module before installing it (selinux-policy-dev provides the build Makefile: make -f /usr/share/selinux/devel/Makefile my_custom_policy.pp).
4. Install the module:
sudo semodule -i my_custom_policy.pp
Monitoring and Troubleshooting SELinux Events
To maintain security, regularly monitor SELinux logs for unauthorized access attempts. Use these tools:
sudo ausearch -m avc -ts recent
sudo audit2why < /var/log/audit/audit.log
sudo grep avc /var/log/audit/audit.log
Logs help identify misconfigurations (e.g., a process needing additional permissions) or potential attacks (e.g., repeated attempts to access restricted files). Adjust policies or contexts based on log analysis to strengthen security.
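As an added example (not part of the original guide), the following Python script parses AVC denial records in the audit.log format shown above, groups them by source type, target type and object class, and labels each group as a boolean fix, a candidate for audit2allow, or access to a sensitive type worth investigating. The sample records, the sensitive-type set and the boolean hint table are constructed for illustration and should be adapted to your environment.

```python
import re
from collections import defaultdict
# Constructed sample records in the format written to /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="apache2" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1201 comm="apache2" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.201:203): avc:  denied  { read } for  pid=1201 comm="apache2" name="shadow" dev="sda1" ino=17 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.201:203): arch=c000003e syscall=257 success=no exit=-13 comm="apache2"
"""
# Matches an AVC denial record; other record types (SYSCALL, USER_AVC, ...) do not match.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# Constructed triage tables: target types worth investigating, and denials a boolean covers.
SENSITIVE_TYPES = {"shadow_t", "ssh_home_t"}
BOOLEAN_HINTS = {("httpd_t", "user_home_t"): "httpd_enable_homedirs"}

def parse_avc(log_text):
    """Return one dict per AVC denial line; non-AVC audit records are skipped."""
    records = []
    for line in log_text.splitlines():
        if m := AVC_RE.match(line):
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            # A context is user:role:type[:level]; keep the type (third field) of each side.
            rec["stype"], rec["ttype"] = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
            records.append(rec)
    return records

def summarize(records):
    """Group denials by (source type, target type, class), unioning the denied permissions."""
    summary = defaultdict(set)
    for rec in records:
        summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)

def triage(summary):
    """Label each group: sensitive target, boolean fix, or review for a custom module."""
    result = {}
    for (stype, ttype, tclass), perms in summary.items():
        if ttype in SENSITIVE_TYPES:
            label = "investigate: denied access to a sensitive type"
        elif (stype, ttype) in BOOLEAN_HINTS:
            label = "boolean: setsebool -P %s 1" % BOOLEAN_HINTS[(stype, ttype)]
        else:
            label = "review: candidate for a custom module via audit2allow"
        result[(stype, ttype, tclass)] = (sorted(perms), label)
    return result
```

Run it against a real log with triage(summarize(parse_avc(open("/var/log/audit/audit.log").read()))); the httpd_t to user_home_t group maps to the httpd_enable_homedirs boolean from the earlier section, while the httpd_t to shadow_t group is the kind of denial that warrants investigation rather than a policy change.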