What is SELinux

SELinux, or Security-Enhanced Linux, is a Linux kernel security module. It is a way to improve the security of Linux-based distributions and is deployed as a Linux Security Module (LSM).
SELinux is based on Mandatory Access Control (MAC), a technique that allows a wide variety of security policies to be implemented. To apply this technique, the SELinux module adds a reference monitor to the Linux kernel, which performs the MAC checks.

The principle behind this technique is to refuse the execution of actions by applications whose permissions are not explicitly described in the policy, because the effect of such actions would otherwise be unknown.
Another advantage of SELinux is that it can place limits on the behavior of applications that could potentially damage the Linux system.
Such applications cannot step outside their permitted behavioral pattern: the disallowed actions are blocked and the application is most likely stopped.

On some Linux distributions SELinux is enabled by default. If you do not understand exactly how SELinux works while it is enabled, various problems may occur. In that case, until you understand exactly how SELinux works and how to configure it, it is best to disable it.

For example, you will not be able to install cPanel on a dedicated server if SELinux is enabled.

There are several ways to disable SELinux:

To temporarily disable SELinux you can modify the /selinux/enforce file (on newer kernels this file lives at /sys/fs/selinux/enforce).

You can also use the setenforce command. It changes the mode until the next reboot and accepts Enforcing or 1 (enforcement activated) and Permissive or 0 (enforcement disabled). Note that setenforce 0 switches to permissive mode; it does not turn SELinux off entirely.

To disable SELinux permanently, edit the /etc/selinux/config file and set the mode like this: SELINUX=disabled

In this file you can set the following parameters:

enforcing – the security policy is always enforced

permissive – the policy is only simulated: violations are logged as messages, but nothing is actually blocked

disabled – SELinux is disabled completely

If the /etc/selinux/config file does not exist on the dedicated server, SELinux can be disabled with a kernel parameter added in the boot menu of the GRUB boot loader (selinux=0 on the kernel command line).

If you do not want to disable SELinux globally on the server, you can still relax it only for a particular service running on the server, for example the Apache web server: change the /etc/selinux/targeted/booleans file (on current systems the same booleans are toggled with the setsebool command).

SELinux can be completely disabled or run in passive or active mode. Before we start using SELinux, we need to understand these three modes:

In disabled mode, SELinux is off. No Linux object is labeled, i.e. none has a security context attached, and no SELinux security policy is applied. In this situation the only security layer is DAC (discretionary access control).

In permissive (passive) mode, labels are applied to all Linux objects and a particular policy type is loaded. Note that in this mode only the monitoring and logging of policy violations to the log files takes place; no restriction on the interaction of one Linux object with another is enforced.

The log file is located at /var/log/audit/audit.log. In permissive mode SELinux is just an observer and blocks nothing, and in that log file we can see what SELinux would have blocked had it been enforcing.

In active (enforcing) mode, SELinux does everything mentioned for permissive mode and, in addition, actively blocks access to the affected Linux objects when it detects a policy violation.
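Putting the two files discussed above together, here is an added example (not part of the original post) that reads the configured mode from an /etc/selinux/config-style file and summarises the AVC denials recorded in an audit.log-style file. Both inputs are constructed stand-ins created inline, so the script runs on any machine without root or a real SELinux policy.

```shell
#!/bin/sh
# Added example: inspect the configured SELinux mode and summarise AVC
# denials from an audit log. Sample files are constructed here; on a
# real host point the functions at /etc/selinux/config and
# /var/log/audit/audit.log instead.

# Constructed stand-in for /etc/selinux/config
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Constructed stand-in for /var/log/audit/audit.log: two AVC denials
# (logged but not blocked, hence permissive=1) plus one unrelated record.
SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000005.456:102): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
EOF
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_AUDIT"' EXIT

# configured_mode FILE -> prints the SELINUX= value (enforcing|permissive|disabled)
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# count_denials FILE -> number of AVC denial records in the audit log
count_denials() {
    grep -c 'avc:  denied' "$1" || true
}

# denied_domains FILE -> unique source domains (the type in scontext) that were denied
denied_domains() {
    grep 'avc:  denied' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# Report: in permissive mode these denials were only logged; in enforcing
# mode the same accesses would have been blocked.
echo "Configured mode: $(configured_mode "$SAMPLE_CONFIG")"
echo "AVC denials logged: $(count_denials "$SAMPLE_AUDIT")"
echo "Domains that would be blocked when enforcing: $(denied_domains "$SAMPLE_AUDIT")"
```

On a real system, ausearch -m avc gives the same denial records with timestamps decoded.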
