SELinux on Ubuntu Server 20.04: How to install and configure for security
Many administrators install SELinux on their servers to harden them and improve the overall security posture of the system. This guide walks you through the basic steps required to install and configure SELinux on Ubuntu Server 20.04, along with some tips for troubleshooting issues that may arise during installation.
Preparation of packages:
Let’s start by updating the system and installing SELinux. Run the following commands in a terminal:
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install selinux && sudo reboot
Now that we have updated, installed, and rebooted our system, let’s make sure that everything is configured correctly by checking /etc/selinux/config.
Test with ps aux:
The output of ps aux looks complicated at first glance, but it’s not too difficult to read with a little practice. The first column represents the process ID (PID) and can be used in the ps aux command; the second column shows the program that is running, followed by its current working directory (CWD). The fifth column of output tells whether SELinux is in enforcing or permissive mode.
Test with getenforce:
To ensure that the process of setting up SELinux was as simple as possible, two different installation options were created. The first method is based on installing Ubuntu from the CD without SELinux support. This method should be used if the user has never installed an operating system before and is not familiar with GParted or fdisk commands. The second method is based on creating a new operating system partition with GParted or fdisk commands, which should be used if the user has already installed an operating system before (such as Ubuntu 18.04).
Test with status:
There are several ways to check your status with SELinux, but the easiest way is sestatus. Run this command in a terminal window and look at the label line – if it says Enforcing then your system is running SELinux with enforcing type policy. You can get more information about what you currently have by looking at the different states reported by sestatus: most likely permissive, disabled, or enforcing (not shown). The best way to find out whether something specific is enforced is to try an operation that would require SELinux and see what happens. For example, try turning off the firewall like so:
If an error occurs when trying to turn off the firewall with commands like systemctl stop firewalld && service firewalld stop, it may be because there’s a dependency that requires enforcement of SELinux rules. If there was no error, then everything should work just fine as long as other packages don’t also need enforcement requirements before they’ll work correctly.
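As an added example (not part of the original guide), the following script compares the mode set in /etc/selinux/config with the mode reported by sestatus and flags the case where they differ, since a mode set only at runtime with setenforce does not persist across a reboot. The function names and the sample config and sestatus text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): compare the boot-time SELinux
# mode in the config file with the runtime mode that sestatus reports.

# Print the SELINUX= value from a config file, lowercased.
# Comment lines and SELINUXTYPE= do not match the pattern.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the value of one "Key: value" line of sestatus output read from stdin.
sestatus_field() {
    awk -F: -v key="$1" '$1 == key { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# $1 = path to config file, $2 = captured sestatus output.
# Prints disabled, permissive, enforcing, or drift (runtime mode differs from
# the config file, so the runtime mode will not survive a reboot).
selinux_verdict() {
    cfg=$(config_mode "$1")
    status=$(printf '%s\n' "$2" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$2" | sestatus_field "Current mode")
    if [ "$status" != "enabled" ]; then
        echo disabled
    elif [ "$current" != "$cfg" ]; then
        echo drift
    else
        echo "$current"
    fi
}

# Constructed sample input so the example runs offline.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=default
EOF
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          permissive'

# Sample case: runtime mode is enforcing but the config file says permissive.
selinux_verdict "$SAMPLE_CONFIG" "$SAMPLE_SESTATUS"   # prints "drift"
# On a real host: selinux_verdict /etc/selinux/config "$(sestatus)"
```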
Configure firewall to use iptables rules automatically (Recommended):
When you enable a firewall, it is often necessary to have the rules loaded at boot time so that the server can start correctly with default settings. To automatically load the firewall rules when starting your server, edit the /etc/rc.local file by adding these commands after the exit line before running shutdown commands that run various daemons or programs like telnetd:
iptables-restore < /etc/iptables/rules.v4
service iptables save
Test with id, whoami, and grep:
The first step to installing SELinux is updating the packages. Enter sudo apt-get update and enter a password when prompted if necessary, then enter sudo apt-get upgrade. Next, use yum -y install setroubleshoot-server setools selinux-policy.
Once you have installed SELinux, it is important to turn it on using setenforce 1. As with any new configuration file change, it is best to reboot your server for the changes to take effect. When ready, use service sshd restart or service httpd restart from root’s terminal to properly reload the services. If things are not working correctly or you see the following message in your logs