
How to Install and enable / disable SELinux on Ubuntu



To enhance the security of your Ubuntu system, you can install SELinux, a standard Linux security tool. SELinux on Ubuntu adds a layer of protection around applications and reduces the security risk to the host machine.

SELinux is a valuable tool for enhancing the security of Linux systems, especially in environments where tough access controls, isolation of processes, and safeguarding of sensitive data are paramount.

What is SELinux

SELinux, which stands for Security-Enhanced Linux, is a security mechanism implemented in the Linux kernel to enforce mandatory access control (MAC) policies on Linux-based systems.

Ubuntu has its own access control system called AppArmor, which is similar to SELinux in that it isolates applications from one another. But you might want to try out SELinux on your Ubuntu host for various reasons.

To install SELinux on Ubuntu, follow the steps below.

 

 

How to Install SELinux on Ubuntu

Update system

To start with, update and upgrade your system.

$ sudo apt update && sudo apt upgrade

Remove AppArmor on Ubuntu

If AppArmor is already configured and running on your system, either disable it or remove it permanently. To stop and disable it, use the following commands.

$ sudo systemctl stop apparmor
$ sudo systemctl disable apparmor

However, if you want to remove AppArmor permanently from your system, execute the following command.

$ sudo apt remove apparmor -y

Install SELinux

To install SELinux, execute the following command from the terminal.

$ sudo apt install policycoreutils selinux-basics selinux-utils -y

Enable SELinux

To enable SELinux, execute the following command from the terminal.

$ sudo selinux-activate

The message from the above command will contain the following line:

SELinux is activated. You may need to reboot now.

Don't reboot the system immediately. First verify the status of SELinux from the CLI; after confirming it, you can safely reboot the system at a later stage.

Confirm the status of SELinux:

$ getenforce
Disabled

This means SELinux has been activated but is not yet running, and you still need to turn it on.

You can also get the status of SELinux with the following command.

$ sestatus

However, the above command will provide more useful information once SELinux is enabled on your system, which we will verify in the next step.

Reboot the system and make sure it boots in permissive mode. This ensures that the system does not fail to boot because of unlabeled files needed by systemd just before the selinux-autorelabel service starts.

How to enable SELinux on Ubuntu

There are two ways to enable SELinux on Ubuntu: one is through the command line interface, and the other is by manually updating the SELinux mode in the configuration file /etc/selinux/config. Before enabling SELinux, let's take a closer look at the SELinux attribute known as the mode. SELinux operates in three modes: permissive, enforcing, and disabled.

Permissive mode: SELinux logs permission denials but doesn't enforce them. 
Enforcing mode: SELinux logs and enforces permission denials.
Disabled mode: SELinux is in disabled state.

Let's view the current mode of SELinux.

$ cat /etc/selinux/config

 

Now enable SELinux with the selinux-config-enforcing command:

$ sudo selinux-config-enforcing

Verify if the SELinux mode has been changed or not.

$ cat /etc/selinux/config

Verify that the output of the above command contains the following line:

SELINUX=enforcing

To manually enable/disable SELinux, edit the file /etc/selinux/config and update the mode attribute from permissive to enforcing or vice versa. 

Once you update the SELinux mode to enforcing, the system needs a reboot to apply the change. Proceed with rebooting the system.

How to Disable SELinux on Ubuntu

To disable SELinux permanently, open the configuration file /etc/selinux/config and change the mode from permissive to disabled.

$ sudo vi /etc/selinux/config
…
…
SELINUX=disabled
…
…

The system will need a reboot to disable SELinux and apply changes permanently.

It is also possible to turn off SELinux temporarily (for the current session); it stays off until it is enabled again or the system is rebooted.

To turn off SELinux on an Ubuntu system temporarily, use the following command.

$ sudo setenforce 0

Turn SELinux on again with the following command.

$ sudo setenforce 1
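
Because the mode in /etc/selinux/config only applies at boot while setenforce changes the running system, the two can disagree. The script below is an added example, not part of the original article: it compares the configured mode with what getenforce reports so that a leftover setenforce 0 or a pending reboot is visible. The function names and state labels are this example's own.

```shell
#!/bin/sh
# Added example: detect drift between the boot-time mode in
# /etc/selinux/config and the mode the running kernel reports.

# Print the mode from the first uncommented SELINUX= line, lower-cased.
# SELINUXTYPE= does not match. Prints "unset" when there is no such line.
configured_mode() {
    awk -F= '
        /^[ \t]*SELINUX[ \t]*=/ {
            gsub(/[ \t\r]/, "", $2); mode = tolower($2); exit
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Classify a (configured mode, getenforce output) pair.
# The state names below are this example's own labels.
assess() {
    cfg=$1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cfg" in
        enforcing|permissive|disabled) ;;
        *) echo "INVALID_CONFIG"; return 0 ;;
    esac
    if [ "$cfg" = "$run" ]; then
        if [ "$cfg" = enforcing ]; then echo "OK"; else echo "NOT_ENFORCING"; fi
    elif [ "$run" = disabled ]; then
        echo "REBOOT_PENDING"     # config enables SELinux, kernel has not loaded it yet
    elif [ "$cfg" = disabled ]; then
        echo "DISABLE_PENDING"    # SELinux runs now but is switched off at next boot
    elif [ "$cfg" = enforcing ]; then
        echo "RUNTIME_WEAKENED"   # e.g. setenforce 0 was used; denials are only logged
    else
        echo "RUNTIME_STRICTER"   # e.g. setenforce 1 was used; reverts on reboot
    fi
}

# Live check, only where the SELinux tools and config file are present.
cfg_file=/etc/selinux/config
if command -v getenforce >/dev/null 2>&1 && [ -r "$cfg_file" ]; then
    echo "SELinux state: $(assess "$(configured_mode "$cfg_file")" "$(getenforce)")"
fi
```

Any result other than OK on a host that is meant to be enforcing is worth following up, RUNTIME_WEAKENED in particular.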

How to Uninstall SELinux on Ubuntu

If you don't need SELinux in your system, uninstall it with the following command.

$ sudo apt remove policycoreutils selinux-utils selinux-basics

The above command will stop SELinux and remove it along with all dependencies from the system completely.

 

Conclusion

In this article we have seen that, with a set of 10-12 commands, you can easily install, enable and disable SELinux on Ubuntu. Moreover, SELinux separates security policies from the enforcement of security decisions inside the kernel, giving system admins more control over the security of the system.
