
https://en.wikipedia.org/wiki/Security-Enhanced_Linux

“Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy, and streamlines the amount of software involved with security policy enforcement.”

Administrators can use SELinux to restrict access to network ports (and many other resources) independently of network-level controls such as firewalls: a port the firewall permits can still be blocked by SELinux policy.

CentOS 7 and CentOS 8 provide VM, disk, and container images in which SELinux is enabled and enforcing its access control policies.

If an administrator has configured SELinux to deny access to the ports used by Syndeia, installation and operation of Syndeia may fail when Syndeia’s services attempt to bind to sockets or to establish connections on the blocked ports.

To determine if SELinux is installed, enabled, and enforcing access controls:

sudo sestatus

When SELinux is installed, enabled, and enforcing access controls, the output will resemble:

$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

If the SELinux Current mode is not “enforcing”, the port configuration steps below are not needed.

To determine if SELinux is allowing connections with a specific port:

sudo semanage port -l | grep 2212

When port 2212 is already assigned to an SELinux port type (here, http_port_t), the output will resemble the line below. If the command prints nothing, the port is not assigned to any port type and must be added as shown in the next step.

http_port_t                    tcp      2212, 80, 81, 443, 488, 8008, 8009, 8443, 9000

To add an additional port to those permitted by SELinux:

sudo semanage port -a -p tcp -t http_port_t 2212
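The three steps above (check the mode, check the port label, add the port) can be combined into one script. The following is an added example and is not code from the Syndeia page or project. It assumes that getenforce and semanage from policycoreutils are on PATH when run for real; the semanage output embedded below is constructed for offline checking. Two details go beyond the text: a plain `grep 2212` misses ports covered only by a range such as 1024-65535 and would also match 22120, so the awk parser matches whole numbers and expands ranges; and semanage port -a refuses a port that is already explicitly defined under another type, in which case semanage port -m (modify) is the right command.

```bash
#!/bin/sh
# Added example (not from the Syndeia page): label a TCP/UDP port for an
# SELinux port type only when SELinux is enforcing and the label is missing.
# Assumes getenforce and semanage (policycoreutils) exist for the live path.

# Constructed sample of `semanage port -l` output, used for offline checks.
SAMPLE_SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535'

# Read semanage-style output on stdin; print "<type> exact" when PORT/PROTO is
# listed as a single number, "<type> range" when it falls inside a range such
# as 1024-65535, or nothing when no type covers it. Whole-number matching
# avoids the false hit that `grep 2212` gives for 22120.
port_type_for() {
    port="$1"; proto="$2"
    awk -v port="$port" -v proto="$proto" '
        $2 != proto { next }               # skips the header and other protocols
        {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)   # drop the trailing comma of a list item
                n = split(f, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port >= lo && port <= hi) {
                    print $1, (n == 2) ? "range" : "exact"
                    exit
                }
            }
        }'
}

# Decide which semanage operation is needed for PORT/PROTO to carry TYPE:
#   none   - already covered by TYPE
#   modify - explicitly defined under another type (semanage -a would fail
#            with "already defined"; -m changes the type)
#   add    - not defined, or covered only by a range of another type
decide_action() {
    port="$1"; proto="$2"; type="$3"
    match=$(port_type_for "$port" "$proto")
    cur=${match%% *}
    kind=${match#* }
    if [ "$cur" = "$type" ]; then
        echo none
    elif [ "$kind" = "exact" ]; then
        echo modify
    else
        echo add
    fi
}

# Live path: apply the decision with the real tools (needs sudo).
ensure_port_labelled() {
    port="$1"; proto="$2"; type="$3"
    if [ "$(getenforce 2>/dev/null)" != "Enforcing" ]; then
        echo "SELinux is not enforcing; no port change needed"
        return 0
    fi
    action=$(sudo semanage port -l | decide_action "$port" "$proto" "$type")
    case "$action" in
        add)    sudo semanage port -a -t "$type" -p "$proto" "$port" ;;
        modify) sudo semanage port -m -t "$type" -p "$proto" "$port" ;;
        none)   echo "$proto/$port is already covered by $type" ;;
    esac
}

# Usage: sh selinux_port.sh --apply   (labels tcp/2212 as http_port_t)
if [ "${1:-}" = "--apply" ]; then
    ensure_port_labelled 2212 tcp http_port_t
fi
```

Run with `--apply` on the Syndeia host to label tcp/2212 as http_port_t; without arguments the script only defines its functions, so it can be sourced and `printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | decide_action 2212 tcp http_port_t` shows the decision (add) that the live path would take.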

Consult the SELinux documentation for details on how SELinux operates and for additional commands to reverse changes made, to make additional changes, or to disable SELinux enforcement.
