Configure SELinux - Part 1

SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. Under SELinux, every process and every object (files, sockets, pipes) on the system is assigned a security context, a label that includes detailed type information about the object. The kernel allows processes to access objects only if that access is explicitly allowed by the policy in effect.

Three such policies have been available for use with Debian and are included with the system:

  • default
  • strict
  • mls

Ensure SELinux is enabled in the bootloader configuration

Overview

Configure SELinux to be enabled at boot time and verify that it has not been overridden by the GRUB boot parameters.

Why:

SELinux must be enabled at boot time in your GRUB configuration to ensure that the controls it provides are not overridden.

Audit:

Run the following command and verify that all linux lines include the parameters selinux=1 and security=selinux:

# grep "^\s*linux" /boot/grub/grub.cfg
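
The grep above leaves the comparison to the reader. As an added example (not part of the original guide), the function below turns the same check into a pass/fail result: it reads each linux line and requires both parameters. The function name audit_grub_selinux, the extra rule that a selinux=0 token on a line counts as a failure, and the sample grub.cfg excerpt are assumptions of this example.

```shell
#!/bin/sh
# Added example: pass/fail version of the grub.cfg audit.

# audit_grub_selinux [FILE]
# Prints every non-compliant kernel line. Exit status:
#   0 = every linux line carries both parameters
#   1 = at least one line is missing a parameter or carries selinux=0
#   2 = no linux lines found (wrong file, or nothing to audit)
audit_grub_selinux() {
    cfg=${1:-/boot/grub/grub.cfg}
    awk '
        # Default field splitting drops leading whitespace, so $1 is the
        # directive; this also matches linux16 and linuxefi, like the grep.
        $1 ~ /^linux/ {
            seen = 1; has_se = 0; has_sec = 0; off = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "selinux=1")        has_se = 1
                if ($i == "security=selinux") has_sec = 1
                if ($i == "selinux=0")        off = 1   # assumption: any override fails
            }
            if (!has_se || !has_sec || off) {
                printf "FAIL line %d: %s\n", NR, $0
                bad = 1
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    ' "$cfg"
}

# Constructed sample (not from a real system): the recovery entry lacks
# the SELinux parameters, so the audit reports it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
menuentry 'Debian GNU/Linux' {
    linux /vmlinuz-EXAMPLE root=/dev/sda1 ro selinux=1 security=selinux quiet
    initrd /initrd.img-EXAMPLE
}
menuentry 'Debian GNU/Linux (recovery mode)' {
    linux /vmlinuz-EXAMPLE root=/dev/sda1 ro single
}
EOF
audit_grub_selinux "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

Called with no argument, the function reads /boot/grub/grub.cfg, the file the audit step inspects.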

Fix:

Run the following command to configure GRUB and PAM and to create /.autorelabel:

# selinux-activate

Edit /etc/default/grub and add the following parameters to GRUB_CMDLINE_LINUX:

selinux=1
security=selinux

Example:

GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1"

Run the following command to update the GRUB 2 configuration:

# update-grub