
Configuring SELinux

SELinux is a security framework that some Linux distributions ship with, notably Red Hat Linux. Opinions within the Linux administration community differ as to whether SELinux is worth the effort.

We certainly were surprised the first time we encountered it while installing Iguana on Red Hat Linux. How do you know whether you need to configure SELinux for your Linux server?

Typically the problem shows up as Iguana failing to start as a systemd service.

First, run this command to see whether SELinux is active on your system:

getenforce   

It returns Enforcing, Permissive, or Disabled. While adjusting policies it helps to be in Permissive mode, so that every denial is logged without anything being blocked.

You can switch to permissive mode, which allows actions but logs the denials, with the command below (this setting lasts only until the next reboot; the mode that applies at boot is set in /etc/selinux/config):

sudo setenforce 0   

After running this command you should be able to start Iguana with:

sudo ./iguana --service start   

You can see if Iguana is running by using:

sudo ./iguana --service status   

If Iguana is now running, you can either go on to connecting your browser to it or, if using SELinux matters to your organization, read on to learn how to configure SELinux to allow Iguana to run.

Configuring SELinux

SELinux logs to /var/log/audit/audit.log, which is where you can see whether your SELinux rules are working: each blocked action appears as a type=AVC record containing the word "denied". Reading the file requires root access, so you will do something like:

sudo vi /var/log/audit/audit.log   

Create the iguana.te file

If you want to re-enable SELinux, you will need to create a SELinux policy module that allows Iguana to run. Create a file called iguana.te in your home folder (or another convenient place) with this content. Note that these rules are fairly broad: they let processes in the init_t domain execute and memory-map files labelled user_home_t, which follows from running Iguana out of a home folder, so review them against where you have installed Iguana.

module iguana 1.0;   

require {
type init_t;
type http_port_t;
type user_home_t;
type sudo_exec_t;
class file { append create execute execute_no_trans ioctl map open read write };
class tcp_socket name_connect;
}

#============= init_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t http_port_t:tcp_socket name_connect;
allow init_t sudo_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow init_t sudo_exec_t:file map;
allow init_t user_home_t:file { append create execute execute_no_trans ioctl open read write };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow init_t user_home_t:file map;
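The allow rules above are derived from the denials SELinux writes to the audit log. The following shell functions, added here as an example and not part of the Iguana documentation, show how that derivation works: they pull the source type, target type, class and permissions out of AVC records and print them in .te syntax, together with the list of types the require block must declare. This is a simplified version of what the audit2allow tool does. The sample log lines are constructed for the example (the dest port, inode numbers and paths are invented) and are written to a file passed in by the caller.

```shell
# Added example, not part of the Iguana documentation. Turns AVC denials into
# the allow rules that go into a .te file (a simplified audit2allow).

# Write a few constructed AVC records in the format found in
# /var/log/audit/audit.log. Values such as pid, dest and ino are invented.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="iguana" dest=8443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read write } for  pid=1201 comm="iguana" name="iguana.log" dev="dm-0" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { map } for  pid=1201 comm="iguana" path="/home/iguana/iguana" dev="dm-0" ino=4243 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1700000000.104:204): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=iguana comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1700000000.105:205): avc:  denied  { read write } for  pid=1201 comm="iguana" name="iguana.log" dev="dm-0" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
}

# Print one line per distinct denial: source type, target type, class, permissions.
# Only the type field of each context (third colon-separated field) is kept,
# because that is what the allow rules in a .te file refer to.
avc_summary() {
    grep '^type=AVC ' "$1" | grep ' denied ' | sed -n \
        's/.*denied  *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
        | LC_ALL=C sort -u
}

# Turn the summary into allow rules in .te syntax, for example
#   allow init_t user_home_t:file { read write };
avc_to_allow() {
    avc_summary "$1" | awk '{
        perms = $4
        for (i = 5; i <= NF; i++) perms = perms " " $i
        if (NF > 4) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", $1, $2, $3, perms
    }'
}

# List the types the require block has to declare, one per line.
required_types() {
    avc_summary "$1" | awk '{ print $1; print $2 }' | LC_ALL=C sort -u
}

# Typical use against a real log (needs root to read it):
#   sudo cp /var/log/audit/audit.log /tmp/audit.copy && avc_to_allow /tmp/audit.copy
```

Running the rules through a process like this before pasting them into a .te file makes it obvious which denials you are actually allowing; rules that turn up for a type you did not expect (a path outside Iguana's install directory, for instance) deserve a second look rather than a blanket allow.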

The file needs to be compiled and registered. The following commands do it:

checkmodule -M -m -o iguana.mod iguana.te   

Then:

semodule_package -o iguana.pp -m iguana.mod   

Then:

sudo semodule -i iguana.pp   

After that you can switch SELinux back to enforcing mode with:

sudo setenforce 1   
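The three build commands and the installation step above are easy to run without noticing that one of them failed. The script below, added as an example and not part of the Iguana documentation, wraps that procedure with the checks a practitioner would want: it verifies the tools are present, checks the .te file for types used in allow rules but missing from the require block (which is what checkmodule most often rejects in a hand-edited file), stops at the first failing step, and confirms the module is listed by semodule afterwards. It assumes checkmodule, semodule_package and semodule are installed (on Red Hat-family systems they come from the checkpolicy and policycoreutils packages) and that the caller may run sudo; the function names are my own.

```shell
# Added example, not part of the Iguana documentation. Compiles and installs a
# policy module from a .te file, stopping on the first failure.

# Sanity-check a .te file before compiling: every type used in an allow rule
# must be declared in the require block, or checkmodule rejects the module.
# Returns 0 when the file is consistent, 1 otherwise.
te_check() {
    te="$1"
    declared=$(sed -n 's/^[[:space:]]*type \([A-Za-z0-9_]*\);.*/\1/p' "$te")
    used=$(sed -n 's/^[[:space:]]*allow \([A-Za-z0-9_]*\) \([A-Za-z0-9_]*\):.*/\1 \2/p' "$te" \
        | tr ' ' '\n' | LC_ALL=C sort -u)
    rc=0
    for t in $used; do
        if ! printf '%s\n' "$declared" | grep -qx "$t"; then
            echo "te_check: type '$t' is used but not declared in the require block" >&2
            rc=1
        fi
    done
    return $rc
}

# Compile, package and install the module, then confirm it is loaded.
# The module name is taken from the file name (iguana.te -> iguana).
install_policy_module() {
    te="$1"
    name=$(basename "$te" .te)
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
    te_check "$te" || return 1
    checkmodule -M -m -o "$name.mod" "$te" || return 1
    semodule_package -o "$name.pp" -m "$name.mod" || return 1
    sudo semodule -i "$name.pp" || return 1
    # semodule -l lists one module per line with the name in the first column
    sudo semodule -l | awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' || {
        echo "module $name was not listed after install" >&2
        return 1
    }
}

# Typical use, from the directory holding iguana.te:
#   install_policy_module iguana.te && sudo setenforce 1 && getenforce
```

Only te_check runs without the SELinux tools, so it is the part worth calling on any machine; install_policy_module is meant for the Red Hat host itself, where a non-zero return tells you which step to look at instead of a later, puzzling service failure under enforcing mode.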

How do you test whether you were successful? Restart the service and check that it is working with these commands:

./iguana --service restart   

And then:

./iguana --service status   

We are not sure how many of our customers choose to run SELinux, but we are open to having a dialog and helping you configure this for your Linux distribution.