Sign In
Sign In

How to Install SELinux on Ubuntu 22.04

How to Install SELinux on Ubuntu 22.04
JC Brian Refugia
Technical writer
Ubuntu
24.05.2024
Reading time: 5 min

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a way to handle access control security policies and it is used as a security enhancement for Linux. Linux-based security-sensitive projects mostly rely on it. Ubuntu 22.04 is compatible with SELinux. 

AppArmor is a significant security component that comes installed by default in Ubuntu 22.04. However, because AppArmor works by first granting access and then imposing restrictions, administrators prefer to use SELinux as a security mechanism because it limits access to all apps by default and only grants access to users based on policies and security contexts. SELinux also uses labels to define a security context for various processes and resources. Once an access request is submitted, SELinux compares the labels against a set of policies to determine whether to approve or refuse the request.  It is always up to the administrator to choose whether to use AppArmor or SELinux. It is still depending on the requirements of the application or process.  In this topic, SELinux will be installed and AppArmor will be disabled. 

Prerequisites

To follow this guide, you will need:

  • A cloud server running Ubuntu 22.04.

  • A non-root user with sudo privileges.

You can deploy an Ubuntu server on Hostman in seconds and then enhance the system security with SELinux using this tutorial.

Preparing the Environment 

The Linux kernel includes the Linux Security Module (LSM) interface, which is implemented by both SELinux and AppArmor. This interface is currently designed to allow just one LSM to be operational at any given time. There is no way to run two simultaneously, so AppArmor needs to be stopped and disabled if it is active. Login to the terminal and check the status of AppArmor by running the command below.

systemctl status apparmor

35b3ab10 Bbdd 4849 99ef 614dbf2ad611

Stop the AppArmor process by running the command below.

sudo systemctl stop apparmor

Once the process AppArmor is stopped, proceed in disabling the process to prevent it from reactivating. Run the command below.

sudo systemctl disable apparmor

3fcbb033 Bea2 45d8 90be 9ae895dbdd5f

Verify again if the process is already stopped and disabled.

systemctl status apparmor

1b304b3d 7e0b 46b8 A45a Fc54f8f6e241

Proceed with the installation of SELinux.

Installation of SELinux

Before installing SELinux, make sure that the system is up to date. Run the command below to do this. 

sudo apt update && sudo apt upgrade -y

Install the required SELinux packages. Run the command below.

sudo apt install policycoreutils selinux-basics selinux-utils -y

Image19

Activate the SELinux by running the command below.

sudo selinux-activate

B614c462 Adef 4d68 8cc0 07af21f919fd

The activation will ask to reboot the system. Check the status of SELinux before rebooting it. Run the commands getenforce and sestatus. Both commands will show the state of SELinux; the only difference is that sestatus will provide more detailed output. Please see below.

getenforce

5a3043d7 39eb 4fee 9b04 A7a3964ec37b 

sestatus

Dcaqvebdfngt

Proceed to reboot the system. 

sudo reboot

The current session will get disconnected. Login to Hostman (the host provider) and go to the Console tab. Monitor the boot process.

Configuration of SELinux

After the server rebooted, the current SELinux mode should be permissive and the status is enabled. Verify this by running again the command below.

sestatus

2edfa0e5 0b50 4929 A44d 15b09820545c

Here are detailed explanations for each of the output lines listed above.

  • SELinux status shows if the SELinux module is activated or disabled on your system.

  • The SELinuxfs mount is a temporary filesystem mount point. SELinux uses this internally. To view the file's content, simply run the command below.

ls -l /sys/fs/selinux

Ceddc64a 76db 4856 B86b E14df5263b51 

  • The SELinux root directory contains all of the SELinux configuration files. This directory contains all of the configuration files required for SELinux functionality. These files can be modified. The default files and directories are listed below and can be viewed by using the following command.

ls -l /etc/selinux

7d4ab1b1 9741 4520 83d2 C105737e941e

  • The loaded policy name indicates the type of SELinux policy that is currently loaded. If the output of sestatus for the loaded policy name is default. Usually, it means that the SELinux policy being used is the distribution's default policy.

  • Current mode specifies whether SELinux is actively enforcing the policy or not. The possible SELinux modes are as follows:

    • enforcing. This indicates that the SELinux security policy is enforced (that is, SELinux is enabled). To change the current mode to enforcing run the command below, wherein 1 means enforcing.

sudo setenforce 1

Xdefretr

After performing any changes, always validate it by running either the command getenforce or sestatus.

getenforce

8b550382 9b15 400f 8903 96833ccf8f4f

sestatus

67c273ee 20c7 4f8a B582 1b3cda8e8eae

    • permissive. This means that SELinux warns rather than enforces. This is useful for debugging when investigating to see what SELinux might block (without actually banning it).  To change the current mode to permissive run the command below, wherein 0 means permissive.

sudo setenforce 0

F18a9015 4a0d 4bb2 832c 5f6898416d88

Verify the changes by running the command:

getenforce

Dfregrt

  • Policy MLS status denotes the current state of the MLS policy. By default, this will be enabled.

  • Policy deny_unknown status. This indicates the current status of the policy's deny_unknown flag. By default, this will be allowed.

  • Max kernel policy version specifies the current version of the SELinux policy in use. In this case, the version is 33.

Conclusion

In conclusion, while SELinux is not natively integrated into Ubuntu's security framework, it may be installed and configured to improve security on Ubuntu 22.04 computers. Users can successfully use SELinux by taking an organized approach and exploiting its strong access controls and policies to protect against unauthorized access and potential threats. The installation of SELinux on Ubuntu 22.04 is a proactive step toward improving system security, but it requires careful planning and attentive configuration, to maximize benefits and prevent potential obstacles.

Ubuntu
24.05.2024
Reading time: 5 min

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start
Email us