Securing an Ubuntu Linux server with SELinux

SELinux is a robust and customizable security system that is shipped by default on many Linux operating systems, such as Fedora and RHEL. If you would like to add extra security to your Ubuntu server, follow along as we show you how to secure your Ubuntu Linux server with SELinux.

How to disable AppArmor on Ubuntu

Ubuntu uses AppArmor by default. It’s a great system that does roughly what SELinux claims to do. However, if you wish to use SELinux instead, you’ll need to disable AppArmor. To disable AppArmor on Ubuntu Server, do the following.

First, SSH into your Ubuntu server system (or physically sit at it and use the terminal). Once you’ve logged into the terminal, use the systemctl disable command to disable AppArmor on your Ubuntu system.

sudo systemctl disable apparmor --now

After running this command, you can use the systemctl status command to check whether AppArmor is indeed disabled. If it isn’t, try rebooting and running the systemctl disable command again.

systemctl status apparmor

How to install SELinux on Ubuntu

Before using SELinux on your Ubuntu system, you need to install it. Installing SELinux on Ubuntu requires a few packages, specifically, the “policycoreutils,” “selinux-utils,” and “selinux-basics” packages. To install these packages, use the following command:

sudo apt install policycoreutils selinux-utils selinux-basics

After installing the packages above, SELinux will be installed on your Ubuntu system. However, you will not be able to take full advantage of SELinux on your Ubuntu server until it is activated.

To activate SELinux on your Ubuntu Server system, use the selinux-activate command. This command will modify Ubuntu Server’s GRUB bootloader to work with SELinux and enable it at boot.

sudo selinux-activate

With SELinux activated, enable SELinux enforcement by using the selinux-config-enforcing command.

sudo selinux-config-enforcing

After activation, you must reboot the Ubuntu Server. Use the sudo reboot command to restart your system.

sudo reboot

When the system has finished rebooting, log back into your server using your user account.

How to configure SELinux

Although SELinux enforcement is enabled, you must still configure it to suit your needs. There are dozens of SELinux policies, exposed as on/off switches called booleans, that you can turn on for better security on the Ubuntu Server.

To start, list the available SELinux policies on your system. The semanage boolean -l command lists each one along with its current state, so you can see which are disabled.

sudo semanage boolean -l

Look through the list for policies you wish to enable. For example, if you wish to enable “use_nfs_home_dirs” in your SELinux enforcement policies, you can enable it by running the following command.

Note that with the setsebool command, “1” is equivalent to enabling something in SELinux. The -P option makes the change persistent across reboots.

sudo setsebool -P use_nfs_home_dirs 1

If you wish to disable “use_nfs_home_dirs” in your SELinux enforcement policies, you can use the setsebool command but change the “1” to a “0”. The “0” is the same as writing “disable.”

sudo setsebool -P use_nfs_home_dirs 0

How to disable unneeded values with SELinux

There are several SELinux values enabled that you may not need. Turning off these values in SELinux on your Ubuntu system will significantly increase your security. To view enabled SELinux values, run the following getsebool -a command in a terminal.

sudo getsebool -a | grep -E '\b\w+\b\s+-->\s+on\b'

The command above will output each enabled value. Look through these enabled values and determine whether you wish to leave them enabled. For example, if you are not using a Squid server, you may not need “squid_use_pinger” enabled.

Once you’ve determined what value(s) you wish to disable, you can run the following setsebool command. This command will change the policy from enabled to disabled in your SELinux configuration.

sudo setsebool -P VALUE_NAME 0
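
The review step above can be scripted. The following is an added example, not part of the original article: a shell function that reads getsebool -a style output and prints a setsebool -P NAME 0 line for every enabled value that is not on a keep list, without changing anything. The function names, the keep list and the sample input (including “example_bool_needed”) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# candidate_disables reads "NAME --> on|off" lines on stdin, in the format
# getsebool -a prints, and takes the booleans to keep enabled as arguments.
# It prints one "setsebool -P NAME 0" line per enabled boolean that is not
# on the keep list. It only prints; it never changes the running policy.
candidate_disables() {
    keep=" $* "
    awk -v keep="$keep" '
        # Accept only well-formed lines for booleans that are currently on.
        NF == 3 && $2 == "-->" && $3 == "on" && $1 ~ /^[A-Za-z0-9_]+$/ {
            # Skip anything the administrator listed as needed.
            if (index(keep, " " $1 " ") == 0)
                printf "setsebool -P %s 0\n", $1
        }'
}

# Constructed sample input (not real output from any server).
# example_bool_needed is a made-up name standing in for a boolean you rely on.
sample_booleans() {
    cat <<'EOF'
squid_use_pinger --> on
use_nfs_home_dirs --> off
example_bool_needed --> on
this line is malformed and must be ignored
EOF
}

# Stand-alone demonstration on the sample. On a real server, replace the
# left side of the pipe with: sudo getsebool -a
sample_booleans | candidate_disables example_bool_needed
```

Read the printed lines before running any of them with sudo, since a value that looks unneeded may be required by a service you have not tested yet.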

Re-enabling AppArmor on Ubuntu Server

If you have decided that you do not want to use SELinux on Ubuntu Server, here’s how to revert to AppArmor. First, open up a terminal and use the following “sed” command to disable SELinux in its configuration file.

sudo sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

After setting “disabled” in the SELinux configuration file, you need to reboot. When you reboot, SELinux will not run at boot.

sudo reboot

Upon logging back in, you can re-enable AppArmor on Ubuntu by using the systemctl enable command.

sudo systemctl enable apparmor

After enabling the AppArmor service, start it up on your Ubuntu system by running the following systemctl start command.

sudo systemctl start apparmor

You can check whether AppArmor is running correctly on your Ubuntu system by using the systemctl status command.

systemctl status apparmor