In this tutorial, we'll explain how to configure SELinux on AlmaLinux.
Security-Enhanced Linux (SELinux) is a powerful security module integrated into the Linux kernel, designed to enforce access control policies that confine user programs and system services. This guide will walk you through configuring SELinux for the Nginx web server on AlmaLinux, ensuring that the web server operates correctly while maintaining a high level of security.
What is SELinux?
Security-Enhanced Linux (SELinux) is a security module integrated into the Linux kernel, which provides a mechanism for supporting access control security policies. The main features of SELinux include:
- Mandatory Access Control (MAC): Unlike traditional Discretionary Access Control (DAC), SELinux applies security policies that users and applications cannot modify. This ensures stricter access controls.
- Granular Permissions: SELinux allows more detailed control over system resources, including files, directories, devices, and network ports.
- Policy Enforcement: SELinux uses policies to define how processes and users can interact with various resources. These policies can be customized to suit specific security requirements.
How to Configure SELinux on AlmaLinux
Step 1: Check SELinux Status
To check the current status of SELinux, use the sestatus command:
sestatus
This will display whether SELinux is enabled or disabled, and its current mode (enforcing, permissive, or disabled).
Step 2: Install SELinux Utilities
If not already installed, you can install SELinux utilities with the following command:
sudo dnf install policycoreutils selinux-policy selinux-policy-targeted
Step 3: Configuring SELinux Modes
SELinux can operate in three modes:
- Enforcing: SELinux policy is enforced.
- Permissive: SELinux policy is not enforced, but violations are logged.
- Disabled: SELinux is turned off.
To change the mode, you need to edit the /etc/selinux/config file:
sudo nano /etc/selinux/config
Modify the SELINUX line to one of the following:
SELINUX=enforcing # Enforce SELinux policies
SELINUX=permissive # Do not enforce policies, but log actions
SELINUX=disabled # Disable SELinux
Save and exit the file.
To apply the changes, you need to reboot the system:
sudo reboot
Step 4: Enabling and Disabling SELinux
You can temporarily change SELinux mode using the setenforce command without rebooting:
sudo setenforce 0 # Set SELinux to permissive mode
sudo setenforce 1 # Set SELinux to enforcing mode
To verify the current mode:
getenforce
Step 5: Configuring SELinux Policies
Installing Policy Development Tools: If you need to build your own policy modules (see Step 7), install the policy development package.
sudo dnf install selinux-policy-devel
Managing SELinux Booleans: Booleans allow you to modify the behavior of SELinux policies without changing the policies themselves.
sudo semanage boolean -l # List all SELinux booleans
sudo setsebool httpd_can_network_connect on # Enable a specific boolean
sudo getsebool httpd_can_network_connect # Check the status of a specific boolean
Step 6: Relabeling the Filesystem
If you re-enable SELinux after it was disabled (files created while it was off carry no labels) or make significant changes to policies, you might need to relabel the filesystem:
sudo touch /.autorelabel
sudo reboot
The system will relabel the filesystem on the next reboot, which can take some time depending on the size of the filesystem.
Step 7: Troubleshooting SELinux
Viewing Logs: SELinux logs can be found in /var/log/audit/audit.log.
sudo ausearch -m avc -ts recent
Generating Custom Policies: Use audit2allow to create custom policies based on logged denials. Feed it the AVC records from ausearch rather than a plain grep, since audit.log separates "avc:" and "denied" with two spaces and a single-space pattern matches nothing:
sudo ausearch -m avc -ts recent | audit2allow -M mycustompolicy
sudo semodule -i mycustompolicy.pp
Review the generated mycustompolicy.te before installing it: audit2allow permits exactly what was denied, so loading it unread can turn the denials left by a misbehaving or compromised process into allowed access.
Configuring SELinux for Web Servers
Configuring SELinux for a web server involves ensuring that the SELinux policies are correctly set up to allow the web server to function while still maintaining a high level of security. Below are the steps to configure SELinux for a web server like Apache (httpd) on AlmaLinux.
Verify the current status and mode of SELinux:
sestatus
Ensure that SELinux is in enforcing mode for the highest level of security:
sudo setenforce 1
Configure SELinux Booleans
SELinux uses booleans to toggle various permissions. Check the relevant SELinux booleans for Apache:
sudo getsebool -a | grep httpd
You will see a list of booleans that control different aspects of the Apache web server. Commonly used booleans for a typical web server setup include:
httpd_can_network_connect: Allows Apache to initiate outbound network connections.
httpd_enable_homedirs: Allows Apache to serve content from users' home directories.
httpd_read_user_content: Allows Apache to read user content.
httpd_enable_cgi: Allows Apache to execute CGI scripts (httpd_sys_script_exec_t, used later in this guide, is the file context type applied to the scripts themselves, not a boolean).
Enable only the booleans your site actually needs, since each one widens what the httpd_t domain is allowed to do:
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_enable_homedirs on
sudo setsebool -P httpd_read_user_content on
sudo setsebool -P httpd_enable_cgi on
The -P flag ensures the changes are persistent across reboots.
Set File Contexts for Web Content
Ensure that the web content has the appropriate SELinux file contexts. The default document root for Apache is /var/www/html. Assign the correct context using semanage and restorecon:
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -Rv /var/www/html
If you are serving content from a different directory, replace /var/www/html with your directory path.
Configure Additional Directories and Permissions
If you have other directories or need to allow additional permissions, set the appropriate contexts. For example, if you have a directory for logs:
sudo semanage fcontext -a -t httpd_log_t "/var/log/httpd(/.*)?"
sudo restorecon -Rv /var/log/httpd
Testing and Troubleshooting
Test your web server to ensure it’s functioning correctly. If you encounter any permission issues, you can check the SELinux logs for more information:
sudo ausearch -m avc -ts recent
If you find denials, first check whether a file context or boolean explains them; only then create a custom policy to allow the necessary access, and read the generated .te file before loading it:
sudo ausearch -m avc -ts recent | audit2allow -M myhttpdpolicy
sudo semodule -i myhttpdpolicy.pp
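Both troubleshooting sections (Step 7 above and this one) go straight to audit2allow. As an added example, not code from the original tutorial, the script below triages AVC denials first: it parses the fields ausearch prints and sorts each denial into a labeling fix, a boolean, or something that needs a human look. The audit lines it runs on are constructed samples, and the list of "probably mislabeled" target types is an assumption kept deliberately short.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: triage AVC denials before
# reaching for audit2allow. The log lines below are constructed for illustration;
# real ones come from: sudo ausearch -m avc -ts recent

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { execute } for  pid=1234 comm="httpd" name="sh" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0'

# triage_avc: reads AVC lines on stdin and prints one line per denial:
#   <source type> | <target type> | <class> | <permissions> | <advice>
# Advice is FILE_CONTEXT (fix the label), BOOLEAN (toggle a policy switch)
# or REVIEW (nothing routine explains it; do not blindly allow it).
triage_avc() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms)        # keep the text after "{ "
        sub(/ *[}].*/, "", perms)        # drop " }" and everything after it
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # type field of the context
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        advice = "REVIEW: not a routine labeling or boolean issue; investigate before writing a custom module"
        # Assumed short list of types that usually mean "web root was never labeled"
        if ((cls == "file" || cls == "dir") && tgt ~ /^(default_t|var_t|user_home_t|admin_home_t|unlabeled_t|tmp_t)$/) {
            advice = "FILE_CONTEXT: label the path (semanage fcontext + restorecon)"
        } else if (cls == "tcp_socket" && perms ~ /name_connect/) {
            advice = "BOOLEAN: httpd_can_network_connect (or the narrower httpd_can_network_connect_db)"
        }
        printf "%s | %s | %s | %s | %s\n", src, tgt, cls, perms, advice
    }'
}

# count_by_advice: totals per advice class, so REVIEW items stand out in a long log
count_by_advice() {
    triage_avc | awk -F' \\| ' '{ split($5, k, ":"); n[k[1]]++ }
                               END { for (c in n) printf "%s=%d\n", c, n[c] }' | sort
}

printf '%s\n' "$SAMPLE_AVC" | triage_avc
printf '%s\n' "$SAMPLE_AVC" | count_by_advice
```

On a live system replace the sample with `sudo ausearch -m avc -ts recent | triage_avc`; anything tagged REVIEW (here httpd executing a shell) is exactly what an unread audit2allow module would have allowed.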
Ensure Permissions for Scripts
If your web server runs scripts (e.g., PHP, CGI), ensure these scripts have the correct SELinux context:
sudo semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/scripts(/.*)?"
sudo restorecon -Rv /var/www/html/scripts
Example Configuration for Serving Content from a Custom Directory
If you want to serve content from a custom directory, e.g., /srv/mywebsite, follow these steps:
Create the directory and set the correct SELinux context:
sudo mkdir -p /srv/mywebsite
sudo semanage fcontext -a -t httpd_sys_content_t "/srv/mywebsite(/.*)?"
sudo restorecon -Rv /srv/mywebsite
Edit the Nginx configuration file:
sudo nano /etc/nginx/nginx.conf
Change the root directive to point to your custom directory:
server {
    listen 80;
    server_name mywebsite.com;
    root /srv/mywebsite;
    location / {
        try_files $uri $uri/ =404;
    }
}
Restart Nginx or Apache to apply the changes:
sudo systemctl restart nginx
sudo systemctl restart httpd
By following these steps, you can effectively configure and manage SELinux on AlmaLinux, enhancing the security of your system through mandatory access controls and detailed security policies.