Configuring SELinux

SELinux is a security framework that some distributions of Linux ship with, notably Red Hat Linux. Opinions within the Linux administration community differ as to whether SELinux is worth the effort.

We were certainly surprised the first time we encountered this while installing Iguana on Red Hat Linux. How do you know if you need to configure SELinux for your Linux server?

Typically the problem manifests as Iguana failing to start as a systemd service.

First, run this command to see whether SELinux is enabled on your system:

getenforce

It returns one of Enforcing, Permissive, or Disabled. When adjusting policies it helps to be in Permissive mode, so you can collect all the necessary logs without SELinux blocking anything.

You can switch to permissive mode, which allows actions but logs the denials, using:

sudo setenforce 0

After running this command you should be able to start Iguana using:

sudo ./iguana --service start

You can see if Iguana is running by using:

If Iguana is running, you can either go on to connect your browser, or, if using SELinux is important to your organization, read on to learn how to configure SELinux to allow Iguana to run.

Configuring SELinux

SELinux typically logs to /var/log/audit/audit.log, which is where you can see whether your SELinux rules are working. Reading this file requires root access, so you will do something like:

Create iguana.te file

If you want to re-enable SELinux, you'll need to create a SELinux policy that allows Iguana to run. Create a file called iguana.te in your home folder or another convenient place with this content:

The file needs to be compiled and registered. The following commands will do it:

Then:

Then:

After that you can switch SELinux back on with:

How do you test whether you were successful? Try restarting the service and checking that it is working with these commands:

And then:
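The steps above (inspect the audit log, write iguana.te, compile and register it, re-enable enforcing mode, restart and re-check) are collected below as an added example. This is not Iguana's documentation or an iNTERFACEWARE-supplied policy: the sample audit.log line is constructed, its labels (init_t, user_home_t) are placeholders rather than Iguana's real SELinux contexts, and the workflow function assumes the page's sudo ./iguana --service start command and that the checkmodule, semodule_package, ausearch and audit2allow tools are installed. The helper functions show how one AVC denial line maps to the allow rule you would put in iguana.te, which is the same translation audit2allow performs.

```shell
#!/bin/sh
# Added example, not Iguana's own policy or documentation: the SELinux
# workflow from the text, plus a helper that turns one AVC denial from
# /var/log/audit/audit.log into the matching "allow" rule for iguana.te.

# Constructed sample denial in the format of /var/log/audit/audit.log.
# The labels init_t and user_home_t are hypothetical placeholders.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute } for  pid=1234 comm="iguana" name="iguana" dev="sda1" ino=789 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# avc_field LINE KEY: print the value of the KEY=value token in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission(s) listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# context_type CONTEXT: the type field of a user:role:TYPE:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the .te "allow" rule that would permit this denial.
# Review every rule produced this way; each one is a permission you grant.
avc_to_allow() {
    _src=$(context_type "$(avc_field "$1" scontext)")
    _tgt=$(context_type "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$_src" "$_tgt" "$_cls" "$(avc_perms "$1")"
}

# selinux_policy_workflow: the command sequence from the text, in order.
# Kept in a function so this file can be sourced without running it;
# call it on the Red Hat host itself (needs root and the policy tools).
selinux_policy_workflow() {
    getenforce                              # Enforcing / Permissive / Disabled
    sudo setenforce 0                       # permissive: log denials, block nothing
    sudo ./iguana --service start           # reproduce the denials (page's command)
    sudo ausearch -m AVC -ts recent         # read the denials (root only)
    # Print candidate allow rules for the iguana process; copy the ones you
    # accept into iguana.te (with the module and require header) by hand.
    sudo ausearch -m AVC -c iguana | audit2allow
    checkmodule -M -m -o iguana.mod iguana.te    # compile the policy source
    semodule_package -o iguana.pp -m iguana.mod  # package it as a module
    sudo semodule -i iguana.pp                   # register (install) it
    sudo setenforce 1                            # back to enforcing mode
    sudo ./iguana --service start                # test: does it start enforced?
    sudo ausearch -m AVC -ts recent              # test: no new denials expected
}
```

The permissive=1 field at the end of a denial line tells you it was logged in permissive mode rather than blocked, which is why collecting logs with setenforce 0 first gives a complete picture. Keep the generated rules to the types and permissions that actually appear in the denials; a broader rule than the log justifies removes the protection you kept SELinux on for.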

We are not sure how many of our customers choose to run SELinux, but we are open to having a dialog and helping you configure this for your Linux distribution.
