How to install SELinux on Linux Cloud Servers

The Security-enhanced Linux (SELinux) is a security feature of the Linux kernel comprises of security implementation which enhances Linux system security. This kernel module also defines access controls and security policies. SELinux works in the Permissive, Enforcing and Disabled modes. The default mode of SELinux is disabled. In permissive mode, SELinux will only monitor the interaction and in enforcing mode, SELinux will also filter the interaction with monitoring.

The following is a tutorial on how to enable/install SElinux in different Linux distributions.

CentOS

1. The below command will install SELinux components in CentOS.

   # yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans
   

   

2. By default SELinux status will be disabled. To check the SELinux status, run the below command.

   # sestatus
   

   

3. To configure in enforcing/permissive mode, edit the SELinux configuration file /etc/sysconfig/selinux.

   # vi /etc/sysconfig/selinux
   

   
   

   There will be a number of variables in the configuration file, the following variables need to be modified. You can add whether enforcing or permissive.

   SELINUX=permissive
   OR
   SELINUX=enforcing
   

   

   
   

   Once the changes made, reboot the server to reflect the changes. The reboot process will see all the files in the server labelled with an SELinux context. Once rebooted, the SELinux changes will be reflecting and the implementation will be fine.

Ubuntu/Debian

1. Apparmor is to be disabled and purged when it comes to installation of SELinux in Ubuntu Cloud servers. Run the below commands to do the same.

   # systemctl stop apparmor.service
   
   # apt purge apparmor
   

   

   
   

   Apparmor will be completely removed from Ubuntu VPS.

2. Now the repository needs to be updated, for that, the following commands are being used. This will update the OS components thereby performing a repo level upgradation.

   # sudo apt update && sudo apt upgrade -yuf
   

   

   
   

   During the process of installation it will prompt for the rebooting the system, this can be done by choosing OK.

   

   

3. To configure in enforcing/permissive mode after reboot, edit the SELinux configuration file in /etc/selinux/config.

   # vi /etc/selinux/config
   

   
   

   There will be a number of variables in the configuration file, the following variables need to be modified. You can add whether enforcing or permissive.

   SELINUX=permissive
   OR
   SELINUX=enforcing
   

   

   
   

   Once the changes made, reboot the server to reflect the changes. The reboot process will see all the files in the server labelled with an SELinux context. Once rebooted, the SELinux changes will be reflecting and the implementation will be fine.