SELinux in home server environment

So I recently set up a Fedora 25 instance for my server to basically act as a NAS with ZFS and also a virtual machine host. When I was setting up remote desktop and ssh I ran into SELinux causing issues. I did some light reading and got impatient and decided to disable it and FirewallD to allow me to get things going faster and not have to spend the time dealing with setting those services up properly.
I am looking into re-enabling these two services and properly configuring them on my home server since the entire point to my machine is to learn Linux servers.
My question is how do you guys handle SELinux and firewalld on your home machines or maybe even in the workplace?
Please give any further thoughts you have on either service as well. If I understand correctly, not all distros use SELinux and possibly a few don't have the firewall turned on by default.

1 Like
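The re-enabling the original post talks about is where most people get locked out, so here is an added example (not from anyone in this thread) of doing it in stages: go back to permissive first, relabel, watch the audit log for AVC denials, and only then enforce. It assumes Fedora's `/etc/selinux/config`, `getenforce`/`setenforce`, and the audit tools `ausearch` and `audit2allow` (package `policycoreutils-python-utils`); run the staged steps as root, the helpers are plain text functions.

```shell
#!/bin/bash
# Added example: staged return from SELINUX=disabled to enforcing.
# Assumptions: Fedora layout (/etc/selinux/config), setenforce/getenforce,
# ausearch + audit2allow installed. Nothing runs unless a stage is named.

# Pure helper: rewrite the SELINUX= line of a config read on stdin.
# Rejects anything other than the three modes the file accepts.
set_selinux_mode_text() {
    local mode="$1"
    case "$mode" in enforcing|permissive|disabled) ;; *) return 1 ;; esac
    sed -E "s/^SELINUX=.*/SELINUX=${mode}/"
}

# Pure helper: count AVC denial records in ausearch output read on stdin.
# grep -c prints 0 on no match but exits 1, so swallow that status.
count_avc_denials() {
    grep -c '^type=AVC' || true
}

# Stage 1: permissive mode logs what would be denied without blocking it,
# so ssh and the desktop keep working while you collect denials. A box
# that booted with SELinux disabled has unlabeled files and setenforce
# will not work, so this stage needs a reboot and a full relabel.
go_permissive() {
    set_selinux_mode_text permissive < /etc/selinux/config > /etc/selinux/config.new \
        && mv /etc/selinux/config.new /etc/selinux/config
    touch /.autorelabel
    echo "reboot now; the relabel runs on the way up"
}

# Stage 2: read what the last hour would have denied. audit2allow -w
# explains each denial; prefer a boolean (setsebool -P) or a port label
# (semanage port) over a custom module wherever one exists.
review_denials() {
    local log
    log=$(ausearch -m AVC -ts recent 2>/dev/null || true)
    echo "AVC denials in the last hour: $(printf '%s\n' "$log" | count_avc_denials)"
    printf '%s\n' "$log" | audit2allow -w
}

# Stage 3: once stage 2 is quiet, switch to enforcing live and in the file.
go_enforcing() {
    set_selinux_mode_text enforcing < /etc/selinux/config > /etc/selinux/config.new \
        && mv /etc/selinux/config.new /etc/selinux/config
    setenforce 1
    [ "$(getenforce)" = "Enforcing" ]
}

case "${1:-}" in
    permissive) go_permissive ;;
    review)     review_denials ;;
    enforcing)  go_enforcing ;;
esac
```

Usage is `./selinux-stage.sh permissive`, reboot, use the machine normally for a day, `./selinux-stage.sh review` until it reports nothing, then `./selinux-stage.sh enforcing`. Keep the relabel step; skipping it after a disabled period is what produces the mysterious denials on files that were written while no labels were being applied.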

I only allow ssh on the intranet. Block it externally.

There is a package called firewall-config or config-firewalld that you have to have on your system to control firewalld comfortably. It normally comes preinstalled.

It's a graphical front-end with predefined "services" that allow you to allow those services instead of going port per port. It will also avoid further SELinux problems, because SELinux works by switching the profiles for operations on a parent->child basis; well, how that works was recently discussed on the forum, there is no need to repeat it here, it will just work.

So go into config-firewalld, switch from runtime to permanent, in the zone of your adapter, then select ssh in the list of services, and allow, then reload the firewall in the menu, done.

2 Likes
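The same steps typed into `firewall-cmd` instead of clicked in the GUI, as an added example that is not from this thread: add the service to the permanent configuration of the zone your adapter sits in, reload so runtime matches permanent, then verify by reading the service list back rather than trusting the exit code. It assumes firewalld's `firewall-cmd` and that the interface name you pass (a placeholder such as `enp3s0`) is bound to some zone.

```shell
#!/bin/bash
# Added example: allow one firewalld service in the zone of an interface and
# verify it. Assumes firewall-cmd (Fedora default); interface name is yours.
# Only the pure helper runs without firewalld present.

# Which zone is this interface bound to? (e.g. "public" or "internal")
zone_of_iface() {
    firewall-cmd --get-zone-of-interface "$1"
}

# Pure helper: given the space-separated text that
# `firewall-cmd --zone=Z --list-services` prints, succeed if SERVICE is in it.
services_include() {
    local services="$1" wanted="$2" s
    for s in $services; do
        [ "$s" = "$wanted" ] && return 0
    done
    return 1
}

# Add SERVICE to ZONE permanently, make it live, and confirm it took.
# --permanent alone changes only the saved config; --reload applies it.
allow_service() {
    local zone="$1" service="$2"
    firewall-cmd --permanent --zone="$zone" --add-service="$service"
    firewall-cmd --reload
    services_include "$(firewall-cmd --zone="$zone" --list-services)" "$service"
}

if [ "${1:-}" = "apply" ]; then
    iface="${2:?usage: $0 apply <interface> [service]}"
    zone=$(zone_of_iface "$iface")
    allow_service "$zone" "${3:-ssh}" && echo "${3:-ssh} allowed in zone $zone ($iface)"
fi
```

`./fw-allow.sh apply enp3s0` opens ssh in whatever zone `enp3s0` is in. If you want the "intranet only" split from the earlier reply, bind the LAN-facing interface to a separate zone (`firewall-cmd --permanent --zone=internal --change-interface=enp3s0`) and add ssh only there, leaving the externally routed zone without it.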

Appreciate it. I'll give that a try.

SELinux is separate from FirewallD correct? Do they work together?

Firewalld is the control module for nftables, which is a kernel function. The switching of profiles that firewalld offers is linked into systemd, and works together with NetworkManager, SELinux or AppArmor, the notification system of your desktop environment, etc...
Firewalld, like SELinux, detects the services that are started and that request specific access, through systemd.
However, everything in Linux is a file, everything is basically portable. If you do not define certain functional links in files, Linux just works without. That is not soooooo dangerous per se. What is dangerous is to do the same on systems of which the main security feature is that they are stateless, meaning they can run without environment variables completely, like Android, ChromeOS, ClearLinux, but also the preinstalled Linux boxes in IoT devices or smart TVs.

@Baz is pretty good with SELinux policies, I would definitely ask him for help. I'm only learning and mostly dealing with sandboxing.

1 Like

He did the video on it right? I thought I had that saved. I remember watching it but was doing 5 other things and did not give it my full focus.

1 Like

I'll make another vid on Sunday going through contexts and some policies.

1 Like