How to Install SELinux on Ubuntu 22.04

Introduction

Before we begin talking about how to install SELinux on Ubuntu 22.04, let's briefly understand – What is SELinux?

SELinux stands for Security-Enhanced Linux. It's a security feature in many Linux distributions. SELinux acts as an extra layer of security, protecting systems from potential security threats. This access control mechanism regulates which processes can access specific resources on the system.

SELinux can prevent unauthorized activities and enhance the overall security posture of the system. Gaining an understanding of SELinux can help protect your system from potential threats.

In this tutorial, you will install SELinux on Ubuntu 22.04. We will also address a few FAQs on how to install SELinux on Ubuntu 22.04.

Advantages of SELinux

1. Enhanced Security: SELinux bolsters system security by enforcing access controls and preventing unauthorized actions.
2. Fine-Grained Control: Allows precise permission settings for applications and users, limiting potential security vulnerabilities.
3. Policy Flexibility: Adaptable policy configurations cater to diverse system requirements.
4. Isolation Capabilities: Shields critical resources, mitigating the impact of security breaches.
5. Audit Capabilities: Facilitates monitoring and tracking of system activities for improved security management.

Install SELinux on Ubuntu via APT

Disable AppArmor on Ubuntu

As using SELinux and AppArmor simultaneously can lead to conflicts, make sure they are compatible by checking if AppArmor is active at the moment. Find out AppArmor's current state using:

sudo systemctl status apparmor

Disable AppArmor if it is running in order to avoid interfering with SELinux. Run the subsequent command to turn off AppArmor:

sudo systemctl disable apparmor --now

Install SELinux on Ubuntu via APT Command

Installing policycoreutils, selinux-utils, and selinux-basics are the three essential SELinux packages at this step. These are necessary for foundational SELinux support and for managing SELinux policies.

Use this command to start the installation process:

sudo apt install policycoreutils selinux-utils selinux-basics

By running this, your Ubuntu system will install the necessary SELinux packages.

Activate SELinux on Ubuntu

To guarantee that SELinux loads at startup, activate it after installing the required packages. Enabling the security features of SELinux requires this activation. Execute the subsequent command with root access rights:

sudo selinux-activate

By completing this step, you set up your system to boot into SELinux initialization mode.

Enforce SELinux Mode

It is essential to set SELinux to its enforcing mode. SELinux actively enforces its security policies in this mode, preventing access according to preset guidelines. Use this to enter enforcement mode:

sudo selinux-config-enforcing

By taking this action, you can force SELinux to run in enforcement mode.

System Reboot for SELinux Activation

To complete the setup, restart your computer. This guarantees that all modifications take effect and that SELinux starts in the specified mode:

sudo reboot

Your system will boot up again with SELinux installed, enabled, and set up to enforce its security settings. You can further customize SELinux to meet your unique security requirements by following the instructions in the following sections.

Configure SELinux on Ubuntu

Understanding SELinux Modes

SELinux operates in three separate modes:

• Enforcing Mode: SELinux's default setting in which it strictly enforces security policies, preventing access in accordance with the set rules.
• Permissive Mode: SELinux keeps track of policy infractions but does not take proactive measures to enforce them. This mode helps with policy testing and troubleshooting.
• Disabled Mode: In this mode, no policies are applied and SELinux is fully disabled.

Edit the SELinux Configuration File

Edit the /etc/selinux/config file to customize SELinux settings. For this task, use your favorite text editor, such as nano:

sudo nano /etc/selinux/config

To select your preferred mode, edit the SELINUX line inside the file. To activate the enforcing mode, for instance:

SELINUX=enforcing

Applying the Configuration Changes

Restarting your system allows the changes to take effect:

sudo reboot

Customizing Additional SELinux Configuration Options

SELinux provides a number of customization choices:

• SETLOCALDEFS: Decides how locally defined file contexts are used. Set this to 0 to use default contexts. Make the necessary changes to the /etc/selinux/config file:

SETLOCALDEFS=0

• SELINUXTYPE: Determines the type of policy. "Targeted" policies are frequently used to safeguard particular system services. Update the SELINUXTYPE line in the configuration file to set this:

SELINUXTYPE=targeted

Example: Configuring SELinux for a Web Server

Take into consideration setting up SELinux on an Ubuntu web server to permit HTTP and HTTPS traffic. Policy management is accomplished with the semanage command.

Install the semanage utility first:

sudo apt install policycoreutils-python-utils

Next, open port 80 to HTTP traffic:

sudo semanage port -a -t http_port_t -p tcp 80

And HTTPS traffic on port 443:

sudo semanage port -a -t http_port_t -p tcp 443

By enabling your web server to accept incoming connections on ports 80 (HTTP) and 443 (HTTPS), these commands will update the SELinux policy and guarantee the safe operation of your web services.

Verifying SELinux Mode on Ubuntu

Checking SELinux Status Post-Reboot

It's important to verify SELinux's operational state after restarting your Ubuntu system. This check makes sure that the SELinux configuration settings are applied correctly by the system.

To see the current status, run the following command:

sestatus

This command offers extensive information about SELinux, such as the policy being used, the mode it is operating in (enforcing, permissive, or disabled), and its current operational status. Verify that SELinux is operating as intended by comparing this output with the settings in the /etc/selinux/config file.

Troubleshooting Common SELinux Issues on Ubuntu

Restoring Default File Contexts

SELinux frequently issues access denials due to incorrect file contexts, which impairs the functionality of applications. Use the restorecon command to fix this. For example, to fix problems in the /var/www/html directory, run:

sudo restorecon -Rv /var/www/html

With verbose output outlining the modifications, this command recursively restores the default context for all files and directories inside /var/www/html.

Temporarily Switching to Permissive Mode for Troubleshooting

Can't decide if SELinux is the root of the problem? To diagnose, temporarily switch to permissive mode. This mode records infractions but does not apply penalties. Turn on the permissive mode using:

sudo setenforce 0

Now go ahead and test your application. If issues stop, they are probably caused by SELinux policies. Don't forget to switch back to enforcement mode after testing:

sudo setenforce 1

Reviewing SELinux Logs for Issue Diagnosis

Logs from SELinux are essential for locating policy infractions. The main SELinux log on Ubuntu is located at /var/log/audit/audit.log. Use this to see recent entries:

sudo tail /var/log/audit/audit.log

Look for the terms "denied" or "AVC" in the logs to identify any possible infractions.

Generating Custom Policy Modules with audit2allow

Having issues with policies? To create a custom policy module and analyze audit logs, use audit2allow. As an example:

sudo grep 'denied' /var/log/audit/audit.log | audit2allow -M mycustommodule
sudo semodule -i mycustommodule.pp

The first command uses the audit log's "denied" entries to create a policy called "mycustommodule." Installing this policy in the second step might fix the issue.

Managing SELinux Booleans

Certain functionalities are controlled by SELinux Booleans. Use to get a list of all Booleans and their states:

sudo getsebool -a

To set a Boolean value, for example, httpd_can_network_connect enabled, run:

sudo setsebool -P httpd_can_network_connect 1

Restart-proof persistence is ensured by the -P flag.

Configuring SELinux for Web Applications: Allowing HTTP and HTTPS Traffic

It's essential to open the required network ports in SELinux for web applications like WordPress. Turn on HTTP port 80 and HTTPS port 443 using:

sudo semanage port -a -t http_port_t -p tcp 80
sudo semanage port -a -t http_port_t -p tcp 443

SELinux Configuration for WordPress

Modify SELinux policies to enable WordPress to run without a hitch:

• Network Connections for HTTPD Scripts and Modules: Turn this on for updates to plugins and themes:

sudo setsebool -P httpd_can_network_connect 1

• Read and Write Access in WordPress Directory: Make that WordPress files can be interacted with by HTTPD:

sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/wp-content
sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/wp-config.php

Additional Troubleshooting SELinux Configuration Options

To meet different software needs, modify SELinux:

• Access to Custom Directories: For custom web directories, such as /opt/myapp, change the file contexts:

sudo chcon -R -t httpd_sys_content_t /opt/myapp

• FTP Access for Web Server: Enable FTP access if required:

sudo setsebool -P allow_ftpd_full_access 1

• Web Server Email Functionality: If sending emails is a requirement for your application:

sudo setsebool -P httpd_can_sendmail 1

These setups show how adaptable SELinux is to meeting various operational and security requirements.

FAQs to Install SELinux on Ubuntu 22.04

Conclusion

We hope this tutorial helped you understand how to install SELinux on Ubuntu 22.04.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.