How to Install SELinux on Ubuntu 24.04/22.04/20.04

Security-Enhanced Linux (SELinux) is essential for managing access control security policies on Linux systems. Primarily used by system administrators, developers, and security professionals, SELinux offers robust security at the kernel level. Its implementation on Ubuntu servers, particularly for the 24.04, 22.04, and 20.04 LTS releases, strengthens the security of these systems.

Key features of SELinux that enhance the security of an Ubuntu include:

• Mandatory Access Control (MAC): Unlike traditional discretionary access control systems, SELinux enforces strict policy rules that limit system processes and users, mitigating the risk of unauthorized access.
• Fine-grained Control: It provides detailed control over system processes and their interactions with files and other resources.
• Enhanced Security Policies: Tailored security policies help safeguard against external and internal threats.
• Audit and Logging: Comprehensive logging capabilities facilitate monitoring and tracing security-related events, aiding in prompt issue identification and resolution.

Integrating SELinux into an Ubuntu server environment, especially for those managing critical applications or sensitive data, significantly enhances system security. This guide, focusing on the installation and basic usage of SELinux, aims to provide a straightforward approach to leveraging these security benefits.

Disable AppArmor Service

To ensure compatibility, confirm if AppArmor is active, as running AppArmor and SELinux together can cause conflicts. Determine AppArmor’s status with:

sudo systemctl status apparmor

If AppArmor is operational, disable it to prevent any interference with SELinux. Execute the following command to deactivate AppArmor:

sudo systemctl disable apparmor --now

Install SELinux via APT Command

This stage involves installing key SELinux packages: policycoreutils, selinux-utils, and selinux-basics. These are essential for managing SELinux policies and providing foundational SELinux support.

Initiate the installation with this command:

sudo apt install policycoreutils selinux-utils selinux-basics

Executing this will install the required SELinux packages on your Ubuntu system.

Activate SELinux

After installing the necessary packages, activate SELinux to ensure it loads at startup. This activation is critical for enabling SELinux’s security features. Run the following command with root privileges:

sudo selinux-activate

This step configures your system to initialize SELinux during the boot process.

Enforce SELinux Mode

Setting SELinux to its enforcing mode is crucial. In this mode, SELinux actively applies its security policies, denying access based on predefined rules. Switch to enforcing mode using:

sudo selinux-config-enforcing

This action modifies your SELinux configuration to operate in enforcing mode.

System Reboot for SELinux Activation

Finalize the setup process by rebooting your system. This ensures all changes are applied, and SELinux begins operating in the set mode:

sudo reboot

Post-reboot, your system will run with SELinux installed, activated, and configured to enforce its security policies. The following sections will guide you in further customizing SELinux to suit your security needs.

Configure SELinux

Understanding SELinux Modes

SELinux functions in three distinct modes:

• Enforcing Mode: The default setting, where SELinux rigorously enforces its security policies, denying access as per the established rules.
• Permissive Mode: Here, SELinux logs policy violations but does not actively enforce them. This mode is useful for testing and troubleshooting policies.
• Disabled Mode: In this mode, SELinux is completely turned off, with no policies being applied.

Edit the SELinux Configuration File

To tailor SELinux settings, edit the /etc/selinux/config file. Use a preferred text editor, like nano, for this task:

sudo nano /etc/selinux/config

Inside the file, modify the SELINUX line to set your preferred mode. For example, to enable enforcing mode:

SELINUX=enforcing

Applying the Configuration Changes

For the changes to take effect, reboot your system:

sudo reboot

Customizing Additional SELinux Configuration Options

SELinux offers several customization options:

• SETLOCALDEFS: Determines the use of locally defined file contexts. To use default contexts, set this to 0. Modify the /etc/selinux/config file accordingly:

SETLOCALDEFS=0

• SELINUXTYPE: Sets the policy type. The common policy type “targeted” focuses on protecting specific system services. To set this, update the SELINUXTYPE line in the configuration file:

SELINUXTYPE=targeted

Example: Configuring SELinux for a Web Server

Consider configuring SELinux to allow HTTP and HTTPS traffic on a Ubuntu web server. The semanage command is used for policy management.

First, install the semanage utility:

sudo apt install policycoreutils-python-utils

Then, permit HTTP traffic on port 80:

sudo semanage port -a -t http_port_t -p tcp 80

And HTTPS traffic on port 443:

sudo semanage port -a -t http_port_t -p tcp 443

These commands will update the SELinux policy, allowing your web server to receive incoming connections on ports 80 (HTTP) and 443 (HTTPS), ensuring secure web service operation.

Verifying SELinux Mode

Checking SELinux Status Post-Reboot

After rebooting your Ubuntu system, it’s crucial to confirm the operational status of SELinux. This verification ensures that the system correctly applies the SELinux configuration settings.

Execute the following command to check the current status:

sestatus

This command provides comprehensive details about SELinux, including its current operational status, the mode it is running in (enforcing, permissive, or disabled), and the policy being used. Cross-reference this output with your settings in the /etc/selinux/config file to confirm that SELinux is functioning as intended.

Troubleshooting Common SELinux Issues

Restoring Default File Contexts

Incorrect file contexts often lead to access denials by SELinux, disrupting application functionality. To rectify this, use the restorecon command. For instance, to address issues in the /var/www/html directory, execute:

sudo restorecon -Rv /var/www/html

This command recursively restores the default context for all files and directories within /var/www/html, with verbose output detailing the changes.

Temporarily Switching to Permissive Mode for Troubleshooting

Unsure if SELinux is causing a specific issue? Temporarily switch to permissive mode to diagnose. This mode logs violations without enforcing them. Activate permissive mode with:

sudo setenforce 0

Test your application now. If issues cease, they likely stem from SELinux policies. Remember to revert to enforcing mode post-testing:

sudo setenforce 1

Reviewing SELinux Logs for Issue Diagnosis

SELinux logs are vital for identifying policy violations. On Ubuntu, the primary SELinux log is /var/log/audit/audit.log. To view recent entries, use:

sudo tail /var/log/audit/audit.log

Search for “denied” or “AVC” in the logs to pinpoint potential violations.

Generating Custom Policy Modules with audit2allow

Encountering policy-related issues? Utilize audit2allow to analyze audit logs and create a custom policy module. For example:

sudo grep 'denied' /var/log/audit/audit.log | audit2allow -M mycustommodule
sudo semodule -i mycustommodule.pp

The first command generates a policy named “mycustommodule” from “denied” entries in the audit log. The second installs this policy, potentially resolving the issue.

Managing SELinux Booleans

SELinux Booleans control specific functionalities. To list all Booleans and their states, use:

sudo getsebool -a

To modify a Boolean, such as enabling httpd_can_network_connect, execute:

sudo setsebool -P httpd_can_network_connect 1

The -P flag ensures persistence across reboots.

Configuring SELinux for Web Applications: Allowing HTTP and HTTPS Traffic

For web applications like WordPress, opening necessary network ports in SELinux is crucial. Enable ports 80 (HTTP) and 443 (HTTPS) with:

sudo semanage port -a -t http_port_t -p tcp 80
sudo semanage port -a -t http_port_t -p tcp 443

SELinux Configuration for WordPress

Adjust SELinux policies for seamless WordPress operation:

• Network Connections for HTTPD Scripts and Modules: Enable this for plugin and theme updates:

sudo setsebool -P httpd_can_network_connect 1

• Read and Write Access in WordPress Directory: Ensure HTTPD can interact with WordPress files:

sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/wp-content
sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/wp-config.php

Additional Troubleshooting SELinux Configuration Options

Customize SELinux for various software requirements:

• Access to Custom Directories: Modify file contexts for custom web directories, e.g., /opt/myapp:

sudo chcon -R -t httpd_sys_content_t /opt/myapp

• FTP Access for Web Server: Enable FTP access if required:

sudo setsebool -P allow_ftpd_full_access 1

• Web Server Email Functionality: If your application needs email-sending capabilities:

sudo setsebool -P httpd_can_sendmail 1

These configurations illustrate the flexibility of SELinux in catering to specific security and operational needs.

Conclusion

That’s a wrap on our guide for installing SELinux on Ubuntu 24.04, 22.04, or 20.04. We’ve walked through the installation process, covered some basic commands, and explored a few key configuration tips. Remember, regular updates and continuous monitoring are crucial to maintain your system’s security. Feel free to experiment with SELinux policies to better suit your server’s needs, but always back up your configurations before making changes.