You can improve the security of your Linux system by installing and implementing SELinux. This provides an extra layer of protection by isolating applications on the system and securing the host.

By default, Ubuntu uses AppArmor, another Mandatory Access Control system. To make your Linux system more secure, you can make use of SELinux instead. Let's see how you can install and configure SELinux on Ubuntu using a few basic Linux commands.

What Is SELinux?

Security-Enhanced Linux (SELinux) is a Linux kernel security module that offers a mechanism to support access control security policies, including Mandatory Access Controls (MAC).

SELinux is a security enhancement for Linux that includes modifications to the kernel and user tools. It separates the implementation of security decisions from the security policy and simplifies the process of enforcing policy.

How to Install SELinux on Ubuntu

Here are the steps to install SELinux on an Ubuntu machine:

Step 1: Update and Upgrade Ubuntu

Before you begin to install SELinux, update and upgrade your system so that you can install new applications smoothly without running into any trouble with broken or outdated packages.

To update and upgrade Ubuntu, open the terminal by pressing Ctrl + Alt + T, and run:

        sudo apt-get update && sudo apt-get upgrade
    

Step 2: Stop and Remove AppArmor on Ubuntu

Another thing you need to do before installing SELinux is either disable AppArmor or remove it completely.

To disable AppArmor, first, stop the service using the systemctl utility:

        sudo systemctl stop apparmor
    

Once you've stopped the service, verify its status with:

        systemctl status apparmor
    

Now you can easily disable AppArmor by running:

        sudo systemctl disable apparmor
    

It's fine if you only want to disable the service and not remove it. However, if you want to remove it as well, execute:

        sudo apt-get remove apparmor -y
    

For the changes to take effect, reboot your Ubuntu machine:

        sudo reboot
    

Step 3: Install SELinux on Ubuntu

Before installing SELinux, you must know that its installation involves a risk. The service can leave your system unstable, so make sure to back up your system before proceeding with it.

If you are using a virtual environment, take a snapshot of the Ubuntu virtual machine (VM) before making any changes to your system.

To install SELinux and its essential dependencies on Ubuntu, run:

        sudo apt-get install policycoreutils selinux-utils selinux-basics -y
    

After installing SELinux and its dependencies, activate the service using:

        sudo selinux-activate
    

Step 4: Set SELinux Modes on Ubuntu

There are four different modes available in SELinux:

  1. Disable mode
  2. Enable mode
  3. Permissive mode
  4. Enforcing mode

The first mode, disable, does what its name says: if the SELinux mode is set to disable, the service is not active on your system. The enable mode is the opposite, meaning the SELinux service is running on your system.

When the SELinux mode is set to enable, you can use permissive or enforcing mode. You should use the permissive mode when you only need to monitor the interactions. But if you want to filter as well as monitor interactions, make use of the enforcing mode.

To set the SELinux mode to enforcing, execute:

        sudo selinux-config-enforcing
    

You can also use this command instead to set the mode to enforcing:

        sudo setenforce 1
    

To update the changes, reboot your system:

        sudo reboot
    

After the system reboots, check the status of SELinux to make sure it has been enabled:

        sestatus
    

If you want to set the mode to permissive, use:

        sudo setenforce 0
    

After changing the mode, you should always reboot.

        sudo reboot
    

Use either of the two commands to check the status of the service and verify the changes you just made:

        sestatus
        getenforce

The getenforce command only prints the current mode on the terminal. However, the sestatus command gives more details on the mode that is currently set on your system.

You can also check the current modes by accessing the /etc/sysconfig/selinux file.

Permissive mode is more flexible than enforcing mode: it does not block requests, and instead records an event in the log whenever a rule is violated.

Accessing the SELinux Log File on Ubuntu

You will find SELinux logs in the audit.log file stored in the /var/log/audit directory.

To view SELinux logs, run:

        sudo grep selinux /var/log/audit/audit.log
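
Denials are written to that file as type=AVC records, and each record carries a permissive= flag showing whether the access was only logged (1) or also blocked (0). The following is an added example, not part of the original article, that counts denials per process, permission and target type; the log lines are constructed samples and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample audit records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000001.101:201): avc:  denied  { read } for  pid=1412 comm="nginx" name="index.html" dev="sda1" ino=2101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1700000009.550:214): avc:  denied  { read } for  pid=1412 comm="nginx" name="app.css" dev="sda1" ino=2102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000042.007:230): avc:  denied  { name_bind } for  pid=988 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Count AVC denials grouped by process, permission, target type, object class
# and permissive flag. Reads the files given as arguments, or stdin if none.
# On a live system: sudo cat /var/log/audit/audit.log | summarize_avc
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        comm = perm = ttype = tclass = mode = "?"
        # Permissions sit between braces, e.g. { read write }
        if (match($0, /\{ [^}]* \}/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4); gsub(/ /, ",", perm)
        }
        # comm may contain spaces, so take everything between the quotes
        if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
        # Target context is user:role:type:level; the type is the third field
        if (match($0, /tcontext=[^ ]+/)) {
            split(substr($0, RSTART, RLENGTH), c, ":"); ttype = c[3]
        }
        if (match($0, /tclass=[^ ]+/)) tclass = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /permissive=[01]/)) mode = substr($0, RSTART + 11, 1)
        n[comm " " perm " " ttype " " tclass " permissive=" mode]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

sample_audit_log | summarize_avc
```

Records with permissive=1 show what enforcing mode would have blocked, which makes this summary a useful check before switching from permissive to enforcing.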
    

How to Disable SELinux on Ubuntu

Let’s now explore how to remove or disable SELinux on Ubuntu. There are two methods you can use to do so:

1. Temporarily Disable SELinux

When you temporarily disable SELinux, you immediately stop its enforcement and continue with SELinux in an inactive state until the next system reboot. After the reboot, SELinux will return to enforcement.

To temporarily disable SELinux, first, you need to become the root user:

        sudo -i
    

Now disable SELinux with:

        echo 0 > /sys/fs/selinux/enforce
    

You can also use the setenforce tool instead to disable SELinux for the current session:

        setenforce 0
    

2. Permanently Disable SELinux

You can also permanently disable SELinux using its configuration file so it doesn’t return to enforcement after every reboot.

To disable SELinux, open the configuration file located at /etc/selinux/config:

        sudo nano /etc/selinux/config
    

Look for the line “SELINUX=enforcing” in the file contents and change it to “SELINUX=disabled”.


Once done, save and exit the file by pressing Ctrl + X, then Y, and hit Enter.
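
Because setenforce changes only the running session while the SELINUX= line sets the mode for the next boot, the two can disagree. The following is an added example, not part of the original article, that compares them; the function names and the sample file are hypothetical, and the running mode is passed in as the text that getenforce prints.

```shell
#!/usr/bin/env bash
# Print the persistent mode from an SELinux config file.
# Only the upper-case key SELINUX= at the start of a line is accepted, so a
# commented-out line or a misspelt key (e.g. SELinux=) yields no value.
configured_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1 |
        tr '[:upper:]' '[:lower:]'
}

# Compare the persistent mode with the running mode.
# $1 = config file, $2 = running mode (output of getenforce)
# Returns 0 if they match, 1 on drift, 2 if the file has no valid SELINUX= line.
check_mode_drift() {
    local cfg running
    cfg=$(configured_mode "$1")
    running=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cfg" in
        enforcing|permissive|disabled) ;;
        *) echo "INVALID: no valid SELINUX= line in $1"; return 2 ;;
    esac
    if [ "$cfg" = "$running" ]; then
        echo "OK: running and configured mode are both $cfg"
    else
        echo "DRIFT: running=$running configured=$cfg (configured mode applies after reboot)"
        return 1
    fi
}

# Constructed sample config written to a temp file (not a real system file).
make_sample_config() {
    local f
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'SELINUX=enforcing' 'SELINUXTYPE=default' > "$f"
    echo "$f"
}

# Demo: the session was switched to permissive, but the file still says enforcing.
sample=$(make_sample_config)
check_mode_drift "$sample" "Permissive" || true
rm -f "$sample"
```

On a live system, call it as check_mode_drift /etc/selinux/config "$(getenforce)".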

How to Uninstall SELinux on Ubuntu

If you no longer want to use SELinux and need to remove it because of instability issues, run:

        sudo apt-get remove policycoreutils selinux-utils selinux-basics -y
    

The above-stated command will completely remove SELinux and its dependencies from your system.

Add Additional Security to Linux Using SELinux

SELinux can provide extra protection by limiting the spread of a security breach. Additionally, it can secure web servers based on the SELinux mode you selected. You can either set the mode to permissive or enforcing.

Besides that, there are other measures you can take to keep your Linux system secure such as using strong passwords. You can ask your Linux machine to generate strong passwords for you by using multiple command-line tools such as apg, gpg, pwgen, etc.