đź“™
Sahil’s Notes
AboutContact
SELinux Notes
SELinux Notes

SELinux Notes

Author
Sahil Kokamkar
Tags
Linux
Security
Published
June 12, 2021
đź’ˇ
The old content of this page has been remove and will be updated with new one

/etc/pam.conf

The /etc/pam.conf file is the PAM configuration file. It determines the authentication services to be used and the order in which they are used. This file can be edited to select authentication mechanisms for each system entry application.
For example: It can be used to enable extra 2FA auth

faillock / tally2

Banner /etc/issue

It’s for MOTD
FreeIPA
Integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others. Built on top of well known Open Source components and standard protocols Strong focus on ease of management and automation of installation and configuration tasks.
FreeIPA
https://www.freeipa.org/page/Main_Page
FreeIPA

SELinux Modes

SELinux offers three distinct modes:
  • Enforcing mode: This is the default mode. In this mode, any attempt to violate the security policy will be blocked and reported.
  • Permissive mode: This mode will not block any security policy violations, however it will log any violations that are attempted. This mode is useful in debugging because it allows you to see what would happen if the system were in enforcing mode.
  • Disabled mode: In this mode, the SELinux security policy is completely disabled. This mode is used when you do not want any security policy enforced.

SELinux Types

SELinux offers four distinct types:
  • Targeted: This type is the default type for most users. It provides targeted protection against malicious actions.
  • Strict: This type provides a very strict security policy, which will block any action not explicitly allowed.
  • MCS: This type provides an additional layer of security by allowing you to assign different security levels to different processes.

Types

Users

Roles

Objects

Subjects

setsebool(8) - Linux manual page
This page is part of the selinux (Security-Enhanced Linux user- space libraries and tools) project. Information about the project can be found at ⟨ https://github.com/SELinuxProject/selinux/wiki⟩. If you have a bug report for this manual page, see ⟨ https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This page was obtained from the project's upstream Git repository ⟨ https://github.com/SELinuxProject/selinux⟩ on 2022-12-17.
https://man7.org/linux/man-pages/man8/setsebool.8.html
setsebool(8) - Linux manual page
chcon(1) - Linux manual page
This page is part of the coreutils (basic file, shell and text manipulation utilities) project. Information about the project can be found at ⟨ http://www.gnu.org/software/coreutils/⟩. If you have a bug report for this manual page, see ⟨ http://www.gnu.org/software/coreutils/⟩. This page was obtained from the tarball coreutils-9.1.tar.xz fetched from ⟨ http://ftp.gnu.org/gnu/coreutils/⟩ on 2022-12-17.
https://man7.org/linux/man-pages/man1/chcon.1.html
chcon(1) - Linux manual page

AppArmor Linux

AppArmor is a Mandatory Access Control (MAC) system for Linux that provides fine-grained control over processes and system resources. AppArmor is similar to SELinux, and allows you to define policies for applications and services that specify what system resources they can access. It can also be used to enforce a range of security policies, including mandatory authentication, to protect against malicious or unauthorized access. AppArmor can be used to protect system services, applications, and user data, and can be used to secure servers and workstations. Additionally, AppArmor also provides a range of security policies, such as role-based access control, that can be used to further restrict access to sensitive data.