How To Enable SELinux In CentOS/RHEL 7?

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security mechanism that provides an additional layer of security to the Linux kernel. By default, SELinux is enabled in CentOS/RHEL 7, but it runs in permissive mode, which means it logs security violations without blocking them.

What is SELinux?

SELinux is a security module developed by the NSA in partnership with Red Hat that enforces policies governing what actions processes and users can perform on the system. It uses predefined labels assigned to resources such as files, directories, sockets, and devices to define security contexts and control access.

How SELinux Works

SELinux operates by enforcing policies based on security contexts and labels. The system uses kernel-level controls combined with user-space tools like setroubleshootd and auditd to monitor and control access to system resources. This creates fine-grained control over what resources processes can access and what actions they can perform.

Benefits of Using SELinux

• Enhanced Security Implements mandatory access controls at both kernel and user levels, providing stronger protection than traditional discretionary access controls.

• Process Isolation Restricts processes to access only specific resources, reducing the risk of unauthorized access by malicious software.

• Improved Auditing Generates detailed logs for tracking suspicious activities, providing better visibility and accountability.

• Attack Mitigation Helps prevent privilege escalation and limits the impact of compromised applications.

Checking Current SELinux Status

Before enabling SELinux, check its current status using the getenforce command:

getenforce

The command returns one of three possible states:

• Enforcing SELinux actively blocks unauthorized access and enforces policies.

• Permissive SELinux logs violations but allows all actions to proceed.

• Disabled SELinux is completely turned off.

Enabling SELinux in CentOS/RHEL 7

Step 1: Edit the SELinux Configuration File

Open the SELinux configuration file using a text editor:

sudo vi /etc/selinux/config

The file contains the following structure:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=permissive

Step 2: Change SELINUX Value to Enforcing

Modify the SELINUX parameter to enable enforcing mode:

SELINUX=enforcing

Save the changes and exit the editor (:wq in vi).

Step 3: Reboot the System

Changes to the SELinux configuration file require a system reboot to take effect:

sudo reboot

Verifying SELinux Status

After rebooting, verify that SELinux is running in enforcing mode:

getenforce

You can also check detailed SELinux status using:

sestatus

This command provides comprehensive information about SELinux mode, policy, and configuration.

Troubleshooting Common Issues

If services fail after enabling SELinux, check the audit logs for policy violations:

sudo tail -f /var/log/audit/audit.log

Use systemctl to verify that all services are running properly:

systemctl status <service_name>

For services that encounter SELinux-related issues, you may need to install additional policy modules or configure custom contexts.

Conclusion

Enabling SELinux in enforcing mode provides robust security for CentOS/RHEL 7 systems through mandatory access controls and policy enforcement. While it requires careful configuration and monitoring, SELinux significantly enhances system security by isolating processes and preventing unauthorized access to critical resources.