Configuring SELinux

Hands-On Lab

 

Photo of Bob Salmans

Bob Salmans

Security Training Architect I in Content

Length

00:30:00

Difficulty

Intermediate

In this lab we will edit SELinux settings, using booleans to allow communications between services. Then we will place SELinux into enforcing mode and ensure that setting is persistent.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Configuring SELinux

Introduction

The network team needs help setting up SELinux to function with their new Zabbix network monitoring application. We need configure SELinux to permit httpd to communicate with Zabbix. Then we have to put SELinux into enforcing mode so that the network team can test our settings. We need to be sure enforcing mode is persistent.

Setting Up the Environment

  1. Open your terminal application, and log in to the environment using the credentials provided on the lab instructions page. (Remember to replace <PUBLIC_IP_ADDRESS> with the actual public IP address.)

    ssh cloud_user@<PUBLIC_IP_ADDRESS>
  2. Type yes at the prompt.

  3. Enter your password at the prompt.

  4. Become root (by executing su -).

Permit httpd to Communicate with Zabbix

  1. Find the necessary boolean to permit httpd to communicate with Zabbix

    [root@host]# getsebool -a | grep zabbix

    We'll see the boolean is off

  2. Set the boolean to "on"

    [root@host]# setsebool -P httpd_can_connect_zabbix on
  3. Verify that change took effect

    [root@host]# getsebool -a | grep zabbix

    Now we'll see that the boolean is on.

Put SELinux into enforcing Mode and Ensure That the Setting Is Persistent

  1. Check the SELinux state

    [root@host]# getenforce

    This will show that it is in permissive mode, so we need to change it to enforcing mode.

  2. Put SELinux into enforcing mode

    [root@host]# setenforce 1
  3. Check to make sure SELinux is now in enforcing mode

    [root@host]# getenforce

    We can see our change worked and SELinux is now in enforcing mode.

  4. Ensure SELinux boots into enforcing mode

    Edit the SELinux configuration file:

    [root@host]# vi /etc/selinux/config

    Type i to enter Insert mode, arrow down to the SELINUX line, and set it to enforcing:

    SELINUX=enforcing

    Type Esc, then :wq to exit. When the server boots again, SELinux will remain in enforcing mode.

Conclusion

Congratulations, you've successfully completed this hands-on lab!