By default, Ubuntu uses AppArmor, another Mandatory Access Control system. To make your Linux system more secure, you can make use of SELinux instead. Let’s see how you can install and configure SELinux on Ubuntu using a few basic Linux commands.
What Is SELinux?
Security-Enhanced Linux (SELinux) is a Linux kernel security module that offers a mechanism to support access control security policies, including Mandatory Access Controls (MAC).
SELinux is a security enhancement for Linux that includes modifications to the kernel and user tools. It separates the implementation of security decisions from the security policy and simplifies the process of enforcing policy.
How to Install SELinux on Ubuntu
Here are the steps to install SELinux on an Ubuntu machine:
Step 1: Update and Upgrade Ubuntu
Before you begin to install SELinux, update and upgrade your system so that you can install new applications smoothly without running into any trouble with broken or outdated packages.
To update and upgrade Ubuntu, open the terminal by pressing Ctrl + Alt + T, and run:
Step 2: Stop and Remove AppArmor on Ubuntu
Another thing you need to do before installing SELinux is either disable AppArmor or remove it completely.
To disable AppArmor, first, stop the service using the systemctl utility:
Once you’ve stopped the service, verify its status with:
Now you can easily disable AppArmor by running:
It’s fine if you only want to disable the service and not remove it. However, if you want to remove it as well, execute:
For the changes to take effect, reboot your Ubuntu machine:
Step 3: Install SELinux on Ubuntu
Before installing SELinux, you must know that its installation involves a risk. The service can leave your system unstable, so make sure to back up your system before proceeding with it.
If you are using a virtual environment, take a snapshot of the Ubuntu virtual machine (VM) before making any changes to your system.
To install SELinux and its essential dependencies on Ubuntu, run:
After installing SELinux and its dependencies, activate the service using:
Step 4: Set SELinux Modes on Ubuntu
There are four different modes available in SELinux:
- Disable mode
- Enable mode
- Permissive mode
- Enforcing mode
The first mode, disable, does what its name says: if the SELinux mode is set to disable, the service is not active on your system. The enable mode is the opposite: the SELinux service is running on your system.
When the SELinux mode is set to enable, you can use permissive or enforcing mode. You should use the permissive mode when you only need to monitor the interactions. But if you want to filter as well as monitor interactions, make use of the enforcing mode.
To set the SELinux mode to enforcing, execute:
You can also use this command instead to set the mode to enforcing:
To update the changes, reboot your system:
After the system reboots, check the status of SELinux to make sure it has been enabled:
If you want to set the mode to permissive, use:
After changing the mode, you should always reboot.
Use either of the two commands to check the status of the service and verify the changes you just made:
The getenforce command only prints the current mode on the terminal. The sestatus command gives more detail about the mode that is currently set on your system.
You can also check the current modes by accessing the /etc/sysconfig/selinux file.
The permissive mode is more flexible than enforcing. In this mode SELinux does not block requests; it records an event in the log whenever a rule is violated.
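sestatus reports both the running mode and the mode from the config file, and the two can disagree after a runtime change. The following added example (not from the original article) reads sestatus output on stdin and flags that drift; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect drift between the running mode and the boot-time mode
# by reading `sestatus` output from stdin.

# Print the value of the "Label:   value" line named $2 in the text $1.
sestatus_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# Return 0 if consistent, 1 on drift, 2 if SELinux is not enabled.
check_mode_drift() {
    out=$(cat)
    status=$(sestatus_field "$out" "SELinux status")
    if [ "$status" != "enabled" ]; then
        echo "SELinux is not enabled (status: ${status:-unknown})"
        return 2
    fi
    current=$(sestatus_field "$out" "Current mode")
    configured=$(sestatus_field "$out" "Mode from config file")
    if [ "$current" != "$configured" ]; then
        echo "drift: running $current, next boot will be $configured"
        return 1
    fi
    echo "consistent: $current"
}

# Constructed sample: output as it would look after `setenforce 0`
# on a system whose config file says enforcing.
sample_sestatus() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          enforcing
EOF
}

sample_sestatus | check_mode_drift || true
```

On a live system the same check is `sestatus | check_mode_drift`.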
Accessing the SELinux Log File on Ubuntu
You will find SELinux logs in the audit.log file stored in the /var/log/audit directory.
To view SELinux logs, run:
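Raw audit records are hard to scan, so this added example (not from the original article) summarises AVC denials by process, object class and permission. It also shows whether each denial was only logged (`permissive=1`) or actually blocked (`permissive=0`). The function names and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denials from an audit log.
# "permissive=1" means the access was only logged; "permissive=0" means it was blocked.

avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        comm = tclass = mode = "?"; perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission listed between the braces.
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            }
            else if ($i ~ /^comm=/)       { comm = $i; gsub(/^comm=|"/, "", comm) }
            else if ($i ~ /^tclass=/)     { tclass = substr($i, 8) }
            else if ($i ~ /^permissive=/) { mode = (substr($i, 12) == "1") ? "logged-only" : "blocked" }
        }
        count[comm " " tclass " " perms " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k2
}

# Constructed sample records (not taken from a real system).
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000001.101:210): avc:  denied  { read } for  pid=812 comm="nginx" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000001.101:210): arch=c000003e syscall=257 success=yes exit=3 comm="nginx"
type=AVC msg=audit(1700000002.300:215): avc:  denied  { read } for  pid=812 comm="nginx" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000003.050:220): avc:  denied  { read open } for  pid=812 comm="nginx" path="/home/dev/site/app.css" dev="sda1" ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.700:231): avc:  denied  { name_bind } for  pid=990 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

tmp=$(mktemp) && write_sample_audit_log "$tmp" && avc_summary "$tmp"; rm -f "$tmp"
```

Each output line is a count followed by process, class, permissions and outcome. Reviewing the logged-only rows before moving to enforcing shows what would start being blocked.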
How to Disable SELinux on Ubuntu
Let’s now explore how to remove or disable SELinux on Ubuntu. There are two methods you can use to do so:
1. Temporarily Disable SELinux
When you temporarily disable SELinux, you immediately stop its enforcement and continue with SELinux in an inactive state until the next system reboot. After the reboot, SELinux will return to enforcement.
To temporarily disable SELinux, first, you need to become a root user:
Now disable SELinux with:
You can also use the setenforce tool instead to disable SELinux for the current session:
2. Permanently Disable SELinux
You can also permanently disable SELinux using its configuration file so it doesn’t return to enforcement after every reboot.
To disable SELinux, open the configuration file at /etc/selinux/config:
Look for the line “SELINUX=enforcing” in the file contents and change it to “SELINUX=disabled”.
Once done, save and exit the file by pressing Ctrl + X, then Y, and hit Enter.
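The same edit can be made without an editor. This added example (not from the original article) validates the requested mode, keeps a backup, and rewrites only the `SELINUX=` line. The function names and the sample file are constructed for illustration. The example accepts only the upper-case key, so a mistyped `SELinux=` line is reported instead of being silently treated as valid.

```sh
#!/bin/sh
# Added example: read and change the boot-time mode in an SELinux config file.
# The path is an argument, so the functions can be tried on a copy first.

# Print the mode from the last uncommented SELINUX= line; fail if there is none.
selinux_boot_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$mode" ] || { echo "no usable SELINUX= line in $1" >&2; return 1; }
    echo "$mode" | tr 'A-Z' 'a-z'
}

# Rewrite the SELINUX= line to $2, keeping the previous file as <file>.bak.
set_selinux_boot_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    selinux_boot_mode "$1" >/dev/null || return 1
    cp -p "$1" "$1.bak" &&
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1.bak" > "$1"
}

# Constructed sample file (not copied from a real system).
write_sample_config() {
    cat > "$1" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=default
EOF
}

demo=$(mktemp -d)
write_sample_config "$demo/config"
set_selinux_boot_mode "$demo/config" disabled
echo "before: $(selinux_boot_mode "$demo/config.bak"), after: $(selinux_boot_mode "$demo/config")"
rm -rf "$demo"
```

Against the real file, run the functions as root with /etc/selinux/config as the path.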
How to Uninstall SELinux on Ubuntu
If you no longer want to use SELinux and need to remove it because of instability issues, run:
The above-stated command will completely remove SELinux and its dependencies from your system.
Add Additional Security to Linux Using SELinux
SELinux can provide extra protection by limiting the spread of a security breach. Additionally, it can secure web servers based on the SELinux mode you selected. You can either set the mode to permissive or enforcing.
Besides that, there are other measures you can take to keep your Linux system secure such as using strong passwords. You can ask your Linux machine to generate strong passwords for you by using multiple command-line tools such as apg, gpg, pwgen, etc.