SELinux Troubleshoot Fedora 16

The security features in Fedora make it one of my favorite Linux distributions. And that is partly why it is in my list of the top 6 KDE distributions of 2011, even though it takes some tweaking to get it to the it just works state. I will take the security advantages of an operating system over any user-friendliness weaknesses, provided those user-friendliness weaknesses are not show stoppers.

Two of the four security features in Fedora 16 are enabled out of the box. The others are optional features that can be configured during installation. So, let us look at those two optional security features first.

Boot Loader Password: Access to the boot loader’s console is one of the easiest means to gain access to the innards of a system. By password-protecting it, you make it that much difficult for an unauthorized user to gain access at that level. The screen shot below shows the boot loader setup step.
Fedora 16 GRUB Password

Specifically, you would want to password-protect GRUB 2, the boot loader used in Fedora 16, for the following reasons:

  • Prevent Access To Single User Mode — If an attacker can boot into single user mode, he becomes the root user.
  • Prevent Access To the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the edit the command’s interface to change its configuration or to gather information using the cat command.
Related Post:  Install MATE on Fedora 18

Disk encryption is the top physical security measure that you can use to protect your data. And very few distributions make it as easy to configure as Fedora. All that is needed to install Fedora 16 on an encrypted file system, is to … well, enable the “Encrypt system” option at the disk partitioning options steps of the installation process. The step is shown in the screen shot below.
Fedora 16 Partition Methods

On a default installation (using LVM, the Linux Logical Volume Manager), the Physical Volume is encrypted, giving you an encrypted LVM installation.
Fedora 16 Encrypted LVM

If the “Use LVM” option is unchecked, that is, disabled, the installer creates the partitions shown in this image. the individual partitions are encrypted, but all are encrypted with a universal passphrase.
Encrypted GPT Partitions

The end result, whether using LVM or not, is that the system will not boot completely if the correct passphrase is not entered.
Specify Encryption Passphrase

Stateful Package Filtering Firewall: In Fedora 16, the firewall is activated out of the box, and a graphical interface for managing it is installed and configured. The firewall is operating in stateful mode, which means that all outgoing connections from the system are allowed, while any incoming connection not related to an entry in the State Table is denied. The state table holds information (IP addresses, ports numbers, etc) about known active connections passing though a stateful firewall. The main interface of the graphical firewall manager is shown here. Note that while ssh connections are allowed out of the box, the ssh server itself is not active.
Fedora 16 Graphical Firewall Manager

Related Post:  Mageia's upgrade script vs FedUp

Application Firewall: While a Stateful Package Filtering Firewall regulates traffic in and out of the system, a host-based application firewall determines what applications can and cannot do inside the system. In Fedora 16, that service is provided by SELinux, one of 3 application-level firewalls in Linux. By default, SELinux is enabled in enforcing mode. In previous editions of Fedora, it was not uncommon for SELinux alert messages to pop up within a few minutes of using a new installation. And in most instances, that led to the disabling of SELinux. I have been using an installation of Fedora 16 for more than four days now, but there are no alert messages so far. The screen shot below is my witness.
SELinux Troubleshoot Fedora 16


Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Hola! Did you notice that no longer runs network ads?  Yep, no more ads from the usual suspects that track you across the Internet.  But since  I still need to pay to keep the site running, feel free to make a small donation by PayPal.

Subscribe for updates. Trust me, no spam!

Mailchimp Signup Form

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event for 2020.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

10 Responses

  1. None of this is specific to Fedora; for instance OpenSUSE has bootloader password, encryption, IPtables firewall and AppArmor as well.

    1. The article is about Fedora, not any other distribution, and no where in the article does it even imply that these features are exclusively Fedora’s.

  2. Thanks for the article, but I have a few comments:

    I don’t really agree on the fact that SELinux is an application firewall. See the wikipedia page on SELinux. A firewall acts on the network and blocks known attacks before it reaches the host. SELinux is a component that adds another security layer over the basic UNIX permissions. It can help mitigate application attacks, but it is not the same thing as an application firewall.

    Also, your description of a stateful firewall is not completely accurate. Again, see the wikipedia page for stateful firewall. A stateful firewall has been available in Linux for ages (iptables, since kernel 2.4). Your definition of the statefulness is a mix of the real definition and the default policy. The policy is that all outgoing packets is allowed (default allow for outbound packets) and nothing is permitted inbound except SSH. The statefulness of a firewal is based on the fact that when a packet goes out of an interface, information is tracked about it so that when the reply packet comes back to the firewall, it is accepted (you got that part right). Actually, I don’t think there is still sateless firewalls around. Home/SOHO routers are all statefull.

    1. Application firewall doesn’t necessarily have anything to do with blocking network attacks. Instead it restrict applications from performing certain actions, for example prevent an application from accessing a particular directory.

      I can tell you from my own experience that by default there is no SSH inbound connection enabled in f16. I had to install SSH server and then configure my firewall to allow incoming SSH request. So the author is correct about SSH.

          1. I agree, AppArmor is there. It is a host-based application firewall. I didn’t read far enough, my bad. However, in the wikipedia article about SELinux, firewall is not mentionned. Sometimes, the lines are in computing…

  3. i use this distro too. SELinux pops up after installing Chromium and/or Chrome Web Browser, then provides instructions on how to allow the use of the said applications.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter
Mailchimp Signup Form

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.


The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.

Anastasia Marchenkova

An invitation from Anastasia Marchenkova

Hya, after stints as a quantum researcher at Georgia Tech Quantum Optics & Quantum Telecom Lab, and the University of Maryland Joint Quantum Institute, I’m now working on superconducting qubit quantum processors at Bleximo. I’ll be speaking during Algorithm Conference in Austin, Texas, July 16 – 18, 2020. Meet me there and let’s chat about progress and hype in quantum computing.