Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for enforcing access control security policies and is used as a security enhancement for Linux. Linux-based security-sensitive projects mostly rely on it. Ubuntu 22.04 is compatible with SELinux.
AppArmor is a significant security component that comes installed by default in Ubuntu 22.04. However, because AppArmor works by first granting access and then imposing restrictions, administrators prefer to use SELinux as a security mechanism because it limits access to all apps by default and only grants access to users based on policies and security contexts. SELinux also uses labels to define a security context for various processes and resources. Once an access request is submitted, SELinux compares the labels against a set of policies to determine whether to approve or refuse the request. It is always up to the administrator to choose whether to use AppArmor or SELinux; the choice depends on the requirements of the application or process. In this tutorial, SELinux will be installed and AppArmor will be disabled.
To follow this guide, you will need:
A cloud server running Ubuntu 22.04.
A non-root user with sudo privileges.
You can deploy an Ubuntu server on Hostman in seconds and then enhance the system security with SELinux using this tutorial.
The Linux kernel includes the Linux Security Module (LSM) interface, which is implemented by both SELinux and AppArmor. This interface is currently designed to allow just one LSM to be operational at any given time. There is no way to run two simultaneously, so AppArmor needs to be stopped and disabled if it is active. Log in to the terminal and check the status of AppArmor by running the command below.
systemctl status apparmor
Stop the AppArmor process by running the command below.
sudo systemctl stop apparmor
Once AppArmor is stopped, disable the service to prevent it from reactivating. Run the command below.
sudo systemctl disable apparmor
Verify that the service is now stopped and disabled.
systemctl status apparmor
Proceed with the installation of SELinux.
Before installing SELinux, make sure that the system is up to date. Run the command below to do this.
sudo apt update && sudo apt upgrade -y
Install the required SELinux packages. Run the command below.
sudo apt install policycoreutils selinux-basics selinux-utils -y
Activate SELinux by running the command below.
sudo selinux-activate
The activation will ask to reboot the system. Check the status of SELinux before rebooting it. Run the commands getenforce and sestatus. Both commands will show the state of SELinux; the only difference is that sestatus will provide more detailed output. Please see below.
getenforce
sestatus
Proceed to reboot the system.
sudo reboot
The current session will get disconnected. Log in to Hostman (the host provider) and go to the Console tab. Monitor the boot process.
After the server has rebooted, the current SELinux mode should be permissive and the status should be enabled. Verify this by running the command below again.
sestatus
Here are detailed explanations for each of the output lines listed above.
SELinux status shows if the SELinux module is activated or disabled on your system.
The SELinuxfs mount is a temporary filesystem mount point. SELinux uses this internally. To view its contents, simply run the command below.
ls -l /sys/fs/selinux
The SELinux root directory contains all of the configuration files required for SELinux functionality. These files can be modified. The default files and directories can be viewed by using the following command.
ls -l /etc/selinux
The loaded policy name indicates the type of SELinux policy that is currently loaded. If the output of sestatus for the loaded policy name is default, it usually means that the SELinux policy being used is the distribution's default policy.
Current mode specifies whether SELinux is actively enforcing the policy or not. The possible SELinux modes are as follows:
enforcing. This indicates that the SELinux security policy is enforced (that is, SELinux is enabled). To change the current mode to enforcing, run the command below, where 1 means enforcing.
sudo setenforce 1
After making any change, always validate it by running either getenforce or sestatus.
getenforce
sestatus
permissive. This means that SELinux warns rather than enforces. This is useful for debugging, when you want to see what SELinux might block (without actually blocking it). To change the current mode to permissive, run the command below, where 0 means permissive.
sudo setenforce 0
Verify the changes by running the command:
getenforce
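What permissive mode records, as an added example that is not part of the original tutorial: the function below summarizes AVC denial records so you can see what enforcing mode would block. It assumes records in the format auditd writes to /var/log/audit/audit.log; the sample records and the summarize_avc name are constructed for illustration.

```shell
#!/bin/sh
# Constructed audit records (not from a real host), in auditd log format.
# permissive=1 means the access was logged but still allowed.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=812 comm="nginx" name="index.html" dev="vda1" ino=262154 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="nginx"
type=AVC msg=audit(1700000042.733:219): avc:  denied  { read } for  pid=815 comm="nginx" name="about.html" dev="vda1" ino=262160 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000050.004:223): avc:  denied  { name_connect } for  pid=812 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Read audit lines on stdin and print, most frequent first:
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMS logged-only|blocked
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; mode = "?"
        a = index($0, "{"); b = index($0, "}")
        if (a > 0 && b > a) {
            # Requested permissions sit between the braces.
            perms = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level; the type drives the decision.
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
            else if ($i ~ /^permissive=/) mode = substr($i, 12)
        }
        key = src " " tgt " " cls " " perms " " (mode == "1" ? "logged-only" : "blocked")
        n[key]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

Every logged-only row is an access that starts failing once the mode is switched to enforcing, so review those rows before running setenforce 1.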
Policy MLS status denotes the current state of the MLS policy. By default, this will be enabled.
Policy deny_unknown status. This indicates the current status of the policy's deny_unknown flag. By default, this will be allowed.
Max kernel policy version specifies the current version of the SELinux policy in use. In this case, the version is 33.
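The fields explained above can be checked automatically. The script below is an added example, not part of the original tutorial: it parses sestatus output and reports when SELinux is not enabled, not enforcing, or when the runtime mode differs from the mode in the config file. The sample output, the function names and the use of the "Mode from config file" line (printed by sestatus but not covered above) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sestatus output (not captured from a real host): the state
# after "sudo setenforce 1" on a system whose config file still says permissive.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      33'

# Print the value that follows "LABEL:" in sestatus-style text.
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# Print one finding per line. Returns 0 when nothing needs attention,
# 1 for warnings, 2 when SELinux is not enabled at all.
check_selinux_posture() {
    se_status=$(sestatus_field "$1" "SELinux status")
    se_current=$(sestatus_field "$1" "Current mode")
    se_config=$(sestatus_field "$1" "Mode from config file")
    rc=0
    if [ "$se_status" != "enabled" ]; then
        echo "FAIL: SELinux status is '${se_status:-missing}', expected enabled"
        return 2
    fi
    if [ "$se_current" != "enforcing" ]; then
        echo "WARN: current mode is '$se_current': denials are logged, not blocked"
        rc=1
    fi
    # setenforce only changes the running kernel; the config file decides
    # the mode at the next boot.
    if [ -n "$se_config" ] && [ "$se_config" != "$se_current" ]; then
        echo "WARN: runtime mode '$se_current' differs from config file mode '$se_config'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SELinux enabled and enforcing, runtime matches config"
    return "$rc"
}

# Use live output when sestatus is installed, otherwise the constructed sample.
input=$(sestatus 2>/dev/null) || input=$SAMPLE_SESTATUS
check_selinux_posture "$input" || true
```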
In conclusion, while SELinux is not natively integrated into Ubuntu's security framework, it can be installed and configured to improve security on Ubuntu 22.04 systems. Users can successfully use SELinux by taking an organized approach and making use of its strong access controls and policies to protect against unauthorized access and potential threats. The installation of SELinux on Ubuntu 22.04 is a proactive step toward improving system security, but it requires careful planning and attentive configuration to maximize benefits and prevent potential obstacles.