Tips for SELinux

https://en.wikipedia.org/wiki/Security-Enhanced_Linux

“Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy, and streamlines the amount of software involved with security policy enforcement.”

Administrators can use SELinux to restrict which processes may bind to, or connect to, network ports (and many other resources). These restrictions are independent of, and in addition to, network-level controls such as firewalls: a port that a firewall allows can still be denied by SELinux policy.

CentOS 7 and CentOS 8 installations, including the VM and disk images they provide, ship with SELinux enabled and in enforcing mode by default. Containers built from CentOS images run under the SELinux enforcement of the host kernel they are started on.

If the SELinux policy on the host (the default targeted policy or an administrator's customization of it) does not allow Syndeia's services to use the ports they need, installation and operation of Syndeia may fail when those services attempt to bind to sockets or to establish connections on the blocked ports. Port restrictions apply to processes running in confined SELinux domains; a process in an unconfined domain is not restricted by port labels, so whether a particular service is affected depends on the domain it runs in (visible with ps -eZ). Denials are recorded in the audit log (/var/log/audit/audit.log, searchable with ausearch -m avc), which is the first place to look when a bind or connect fails unexpectedly.

All changes made to an operating system’s security policies must comply with the organization’s corporate or governmental security mandates. Intercax does not advise any user to make proscribed changes to security policies.

To determine if SELinux is installed, enabled, and enforcing access controls:

sudo sestatus

When SELinux is installed, enabled, and enforcing access controls, the output will resemble:

$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

If the SELinux Current mode is not "enforcing" (that is, SELinux is disabled, or is in permissive mode, where denials are logged but not enforced), there is no need to consider the following tactics.

To determine which SELinux port type, if any, a specific port such as 2212 is assigned to:

sudo semanage port -l | grep 2212

If the port is assigned to a port type, the output shows that type together with the port list or range that includes it. No output means the port has no specific label (it falls under the generic reserved or unreserved port types), and whether a confined service may then use it depends on that service's domain. Note that grep matches the literal text, so it also matches ports such as 22120, and it does not match a port that lies inside a range such as 5900-5999. The semanage command is provided by the policycoreutils-python package on CentOS 7 and by policycoreutils-python-utils on CentOS 8.

To add a port to those permitted by SELinux for a particular service, assign it the SELinux port type that the service's domain is allowed to use (a port carries only one type, so do not reassign a port that another service already uses):
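The following script is an added example and is not part of Intercax's Syndeia documentation. It combines the check and the change described above: it parses semanage port -l output to find the type that covers a port, including ports that fall inside a range (which the grep above misses), and labels the port with a given type only when no type covers it yet, refusing to take a port away from another service. The sample semanage output, the port type names in it, port 2212 and the protocol are assumptions for illustration; the port type for a real service must be chosen by the administrator according to the SELinux domain that service runs in.

```shell
#!/usr/bin/env bash
# Added example, not part of Intercax's Syndeia documentation.
# Finds which SELinux port type (if any) covers a port, including ports that fall
# inside a range such as 5900-5999 that a plain `grep 2212` would not match, and
# labels the port only when it is not yet covered.

# Constructed sample of `semanage port -l` output, used so the check runs offline.
# Types and ports are illustrative; a real host prints many more lines.
SAMPLE_SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
'

# port_type_for PORT PROTO
# Reads `semanage port -l` output on stdin and prints each port type whose list
# contains PORT/PROTO, either as a single port or within a low-high range.
# Prints nothing when no specific type covers the port.
port_type_for() {
    awk -v port="$1" -v proto="$2" '
        NF < 3 || $2 != proto { next }          # header, blank lines, other protocols
        {
            for (i = 3; i <= NF; i++) {         # fields 3..NF: "80,", "81,", ... "5900-5999"
                item = $i
                gsub(/,/, "", item)
                if (item ~ /^[0-9]+-[0-9]+$/) {
                    split(item, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; next }
                } else if (item + 0 == port + 0) {
                    print $1; next
                }
            }
        }'
}

# ensure_port_labeled PORT PROTO TYPE
# Labels PORT/PROTO with TYPE when no type covers it yet. If a different type
# already covers the port, it refuses rather than silently taking the port away
# from that service; a deliberate reassignment is `semanage port -m`, and an
# addition is undone with `semanage port -d -t TYPE -p PROTO PORT`. Must run as
# root on the SELinux host; semanage comes from policycoreutils-python (CentOS 7)
# or policycoreutils-python-utils (CentOS 8). Labels set this way persist across reboots.
ensure_port_labeled() {
    local port=$1 proto=$2 type=$3 current
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 1; }
    current=$(semanage port -l | port_type_for "$port" "$proto")
    if [ -z "$current" ]; then
        semanage port -a -t "$type" -p "$proto" "$port" || return 1
    elif [ "$current" != "$type" ]; then
        echo "$proto/$port is already labeled $current, not relabeling to $type" >&2
        return 2
    fi
    # Re-read the policy so the caller sees the label now in effect for this port.
    semanage port -l | port_type_for "$port" "$proto"
}

# Offline demonstration against the constructed sample; 2212 is the port the page
# checks above and is assumed to carry no label in the sample.
printf '%s' "$SAMPLE_SEMANAGE_OUTPUT" | port_type_for 5950 tcp   # prints vnc_port_t
printf '%s' "$SAMPLE_SEMANAGE_OUTPUT" | port_type_for 2212 tcp   # prints nothing

# On a real host, as root (SERVICE_PORT_T is a placeholder for the type the
# service's SELinux domain is permitted to use, not a real type name):
#   ensure_port_labeled 2212 tcp SERVICE_PORT_T
```

The range handling is the point of the awk function: semanage prints many types as low-high ranges, so a port such as 5950 is covered by vnc_port_t even though the string 5950 never appears in the listing. The refusal in ensure_port_labeled is deliberate; moving a port between types is a policy decision that should be made explicitly with semanage port -m, not as a side effect of an installer.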

Consult the SELinux documentation (for example the semanage-port(8) manual page) for details on how SELinux operates and for the commands to reverse changes, to make further changes, or to disable SELinux enforcement. Disabling enforcement host-wide removes protection from every service on the host and is a far larger change than labeling a single port; prefer the narrower change wherever the organization's policy allows.