How to secure your Ubuntu 22.04 default installation with SELinux

Yves Soete
Mar 2, 2024

02-MAR-2024 - Written by Yves Soete — Blacksight LLC - visit us for our free security scanner at scanner.blacksight.io

Get notified when new articles drop — visit blacksight.io/blog to subscribe

SELinux makes Linux systems more secure

Running Ubuntu with its default configuration, as a server or as a desktop, might not be the smartest choice if you want to be as secure as possible. SELinux is a security enhancement for Linux, aimed at security-sensitive projects. We advise installing SELinux on top of the default Ubuntu 22.04 server or desktop install.

The default Ubuntu install will set up AppArmor, a Linux application security system that is easy to set up, but SELinux might be a better solution for more demanding security requirements, customer setups or infra standardization. Both AppArmor and SELinux work through the Linux Security Module (LSM) interface, but Linux only permits one of the two to be active at the same time.

1. Stop and disable AppArmor at startup

sudo systemctl stop apparmor
sudo systemctl disable apparmor

2. Install SELinux & enable it

sudo apt install policycoreutils selinux-basics selinux-utils -y
sudo selinux-activate

3. Check status of the install

getenforce

This should show the message Disabled.

sestatus

This should report the status as disabled.

SELinux can be enabled in two modes, Permissive or Enforcing. When it is first set up, it will be in the default permissive mode.

Enforcing mode: SELinux actively enforces the security policy, blocks any action that violates it and logs the incident.

Permissive mode: SELinux logs each policy violation but does not block it. It is mostly used for debugging and testing SELinux policies.

4. Reboot & Verify config status

Reboot the instance. Remember to keep access to the server via the management console, or make sure you can log in with a user that has sudo access (no remote root SSH login will be accessible with SELinux active). After the reboot, check the config file.

• Note: this can take a while, since SELinux will relabel your files and directories on first startup.

grep SELINUX=permissive /etc/selinux/config

Check that the output includes the line: SELINUX=permissive

5. Modify to enforcing

sudo nano /etc/selinux/config

Change SELINUX=permissive to SELINUX=enforcing

6. Reboot and check status again

getenforce

Now you will see the system is set to Enforcing.
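
A scripted alternative to the manual edit in the "Modify to enforcing" step, as an added example that is not part of the original article: it reads the SELINUX= value, summarises the denials logged while permissive, and only flips the config when none are pending. The function names, the constructed sample data and the assumption that auditd writes AVC records to /var/log/audit/audit.log belong to this example, not to the article.

```bash
#!/usr/bin/env bash
# Added example (not from the article). Paths are parameters so the functions
# can be tried on copies before touching /etc/selinux/config.

# Effective SELINUX= value of a config file: comments and the SELINUXTYPE=
# line are ignored, the last assignment wins.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); m = $2 }
             END { print m }' "$1"
}

# AVC denials that were logged but not blocked (permissive=1), summarised as
# "count comm tclass", most frequent first.
permissive_denials() {
    grep -E 'avc: +denied' "$1" | grep 'permissive=1' |
        sed -E 's/.* comm="([^"]*)".* tclass=([^ ]+).*/\1 \2/' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Switch CONFIG from permissive to enforcing, keeping CONFIG.bak. Returns 1 if
# the config is not permissive, 2 if LOG still shows permissive denials.
set_enforcing() {
    local config=$1 log=$2 mode pending
    mode=$(selinux_config_mode "$config")
    if [ "$mode" != "permissive" ]; then
        echo "refusing: SELINUX=$mode, expected permissive" >&2
        return 1
    fi
    pending=$(permissive_denials "$log")
    if [ -n "$pending" ]; then
        printf 'refusing: enforcing mode would block:\n%s\n' "$pending" >&2
        return 2
    fi
    sed -i.bak -E 's/^([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*)permissive[[:space:]]*$/\1enforcing/' "$config"
    [ "$(selinux_config_mode "$config")" = "enforcing" ]
}

# Write constructed sample files (not real system output) into directory $1.
make_sample() {
    printf '%s\n' '# SELINUX= can take: enforcing, permissive, disabled' \
        'SELINUX=permissive' 'SELINUXTYPE=default' > "$1/config"
    local a='type=AVC msg=audit(1709380000.101:88): avc:  denied  { read } for  pid=901'
    local s='scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0'
    printf '%s\n' "$a comm=\"nginx\" name=\"index.html\" $s tclass=file permissive=1" \
        "$a comm=\"nginx\" name=\"style.css\" $s tclass=file permissive=1" \
        "$a comm=\"php-fpm\" name=\"uploads\" $s tclass=dir permissive=1" \
        'type=SYSCALL msg=audit(1709380000.101:88): arch=c000003e syscall=257 success=yes' \
        > "$1/audit.log"
}
```

On the real system, source the file as root and call set_enforcing /etc/selinux/config /var/log/audit/audit.log, then reboot and run getenforce as in the last step.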

Congratulations, your system is hardened with NSA-level protection through SELinux. If you need to dig deeper, always check out the official documentation or project at https://github.com/SELinuxProject/selinux or contact us for help setting up your systems with SELinux at contact@blacksight.io

As a bonus use our free website vulnerability scanner at scanner.blacksight.io

Yves Soete

Yves is the Principal DevSecOps Engineer at blacksight.io, a cyber security company with a strong focus on blackbox penetration testing