This guide provides a comprehensive explanation of managing Linux process priorities using ps, jobs, nice, and renice, alongside an in-depth overview of SELinux (Security-Enhanced Linux), its modes, configurations, and its role in securing system resources like files, folders, and ports.
- View Processes
- Understanding PRI and NI
- Changing Process Priority with Nice
- Modifying Priority of a Running Process with Renice
- What is SELinux?
- SELinux Enforcement Modes
- Disabling SELinux
- SELinux Security Scope
- SELinux File Contexts and Managing Permissions
a) Command: ps
Displays the processes of the current user; with no options, ps lists only the processes attached to the current terminal.
b) View Background Jobs: jobs
Displays the background jobs of the current shell and their status (Running, Stopped, Done).
c) Detailed Process List: a long-format listing such as ps -l
Shows detailed information about processes, including:
- PRI (Priority): the scheduling priority the kernel currently holds for the process.
- NI (Nice value): a user-adjustable offset that moves that priority up or down.
PRI (Priority):
- The kernel stores one priority number per process, in the range 0 to 139.
- Real-time processes (SCHED_FIFO, SCHED_RR) occupy 0–99 and are always scheduled ahead of normal ones.
- Normal (SCHED_OTHER) processes occupy 100–139; a process with NI 0 sits at 120.
- A lower PRI value indicates a higher priority.
- Tools do not print the raw kernel number: top's PR column shows the kernel value minus 100 (20 for a nice-0 process; rt or a negative number for real-time tasks), and the PRI column of ps -l shows 80 + NI. Compare NI rather than PRI when reading different tools.
NI (Nice Value):
- Range: -20 (most favoured) to 19 (least favoured).
- Negative NI: increases priority (e.g., -20).
- Positive NI: decreases priority (e.g., 19).
- NI is added to the base priority of a normal process, so it is the user-facing control over where a process sits in the 100–139 band.
Key Points:
a) PRI and NI relationship: kernel priority = 120 + NI for normal processes, which top displays as PR = 20 + NI.
b) Real-time processes: real-time priorities (0–99) are set through the real-time scheduling policies and are not influenced by NI.
c) Effect of NI:
- Negative NI → Higher priority.
- Positive NI → Lower priority.
d) Default NI: a process starts with the NI of its parent, which is 0 for a normal login shell; a shell started with nice 5 therefore spawns nice-5 children.
By adjusting the NI value, you indirectly control the PRI and influence how the scheduler prioritizes a process. NI is also the only one of these values an unprivileged user can change, and only towards lower priority unless the user has CAP_SYS_NICE.
a) Start a process with a specific nice value:
nice -n <value> <command>
Example:
Starting the sleep command with nice -n 10 gives it a nice value of 10, reducing its priority (without -n, nice adds 10). An unprivileged user can only pass positive values; for a negative value, nice prints "cannot set niceness: Permission denied" and runs the command at the unchanged nice value. Negative values need root or CAP_SYS_NICE.
b) Check Priority:
Observe the PRI and NI values for the process in ps -l or top: with NI 10, top shows PR 30 and ps -l shows PRI 90.
a) Change the priority of an existing process:
renice -n <nice_value> -p <PID>
Example:
renice -n -20 -p 2717
Sets the nice value of the process with PID 2717 to -20, the highest priority a normal process can have. Lowering a nice value, including undoing an earlier increase, needs root or CAP_SYS_NICE (or an RLIMIT_NICE soft limit that allows it); an unprivileged user can only raise the nice value of their own processes. renice also takes -u <user> or -g <pgrp> to act on every process of a user or process group.
b) Verify Changes:
The updated PRI and NI values show in ps -l or top at once; renice takes effect without restarting the process. Read the value back rather than trusting the command: a denied renice prints an error and leaves the old value in place.
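The nice and renice steps above, as an added shell example (not code from the original page): it reads PRI and NI straight from /proc rather than from ps output and checks that renice really changed the value. It assumes Linux with /proc and the usual nice (coreutils) and renice (util-linux) binaries; the 300-second sleep is a constructed stand-in for any long-running job.

```shell
#!/bin/sh
# Added example, not code from the original page. It starts a process at a
# chosen nice value, reads PRI and NI straight from /proc/PID/stat (the
# numbers ps and top display are derived from these), then raises the nice
# value with renice. Assumes Linux with /proc, coreutils nice and
# util-linux renice.

# /proc/PID/stat reads "pid (comm) state ppid ...". comm may contain spaces
# or parentheses, so strip everything through the last ") " first; the
# remaining fields then start at the original field 3. Original field 18 is
# the kernel priority (stored as 20 + NI for a normal process, exactly what
# top shows as PR) and field 19 is the nice value, so they are fields 16
# and 17 of the stripped line.
stat_rest() { sed 's/^.*) //' "/proc/$1/stat"; }
proc_pri()  { stat_rest "$1" | awk '{print $16}'; }
proc_nice() { stat_rest "$1" | awk '{print $17}'; }

# Start a long-running sleep at nice value $1 and print its PID. stdout is
# redirected so the background child does not hold the caller's pipe open.
start_niced() {
    nice -n "$1" sleep 300 >/dev/null 2>&1 &
    echo $!
}

# Ask for nice value $2 on PID $1 and print the value the kernel actually
# holds afterwards. Raising the value (lowering priority) is allowed on your
# own processes; lowering it needs CAP_SYS_NICE or an RLIMIT_NICE that
# permits it, so for an unprivileged user renice prints "Permission denied"
# and the value stays where it was. The result is read back rather than
# trusted, which is what the "verify changes" step is for.
set_nice() {
    renice -n "$2" -p "$1" >/dev/null 2>&1 || true
    proc_nice "$1"
}

demo() {
    pid=$(start_niced 10)
    echo "PID $pid started:  PRI=$(proc_pri "$pid") NI=$(proc_nice "$pid")"
    echo "renice to 19:     NI=$(set_nice "$pid" 19)"
    # Going back down only works with CAP_SYS_NICE (or a permissive RLIMIT_NICE);
    # otherwise the read-back still shows 19.
    echo "renice back to 0: NI=$(set_nice "$pid" 0)"
    kill "$pid" 2>/dev/null
}

demo
```

Run it once as an ordinary user and once as root: the first two lines are the same, the third differs, which is the whole permission model of nice in one read-back.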
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides mandatory access control (MAC). Unlike traditional discretionary access control (DAC), where the owner of a file decides who may use it, SELinux applies a system-wide policy to processes, files, folders, and network ports. The policy is consulted after the DAC check: an access must pass both, so file permissions still matter, and SELinux can only deny beyond them, never grant.
Key Features of SELinux:
- Enhanced Security: SELinux restricts applications and processes to operate only within their designated security contexts (domains), so a compromised web server is confined to what httpd_t may do rather than to what its UID may do.
- Prevention of Unauthorized Access: Policy is evaluated on the security context, not the UID, so a confined service running as root is still limited to its domain's permissions. In the default targeted policy, interactive root sessions run unconfined (unconfined_t), and root can still switch modes or relabel files unless that is itself restricted, so SELinux complements rather than replaces control over root.
- Granular Control: SELinux policies allow fine-grained control over access to files, directories, and ports.
Enforcing: Policy is enforced; denied accesses fail and are logged as AVC messages in the audit log (/var/log/audit/audit.log).
Permissive: Denials are logged but not enforced. The system behaves as if SELinux were off while still recording what would have been blocked, which makes this the mode for troubleshooting rather than disabling.
Disabled: No policy is loaded and new files are created without labels, so re-enabling later requires a full relabel (touch /.autorelabel before rebooting).
- To set SELinux to permissive mode (logs only): setenforce 0
- To enforce SELinux policies: setenforce 1
- To see the current mode: getenforce (sestatus also shows the configured mode and policy type).
a) Temporarily switch to permissive mode: setenforce 0 puts SELinux in permissive mode without a reboot, and setenforce 1 returns it to enforcing. setenforce cannot disable SELinux; fully disabling it always requires the configuration change below and a reboot.
b) Permanently Disable SELinux:
Edit the SELinux configuration file:
vim /etc/selinux/config
Update the following line:
SELINUX=disabled
The same line accepts permissive or enforcing to make one of those modes persistent. On Fedora 34 and later and RHEL 9 and later, SELINUX=disabled in this file is still honoured but only takes effect late in boot, after the kernel has already started with SELinux enabled, and is no longer the recommended method; the supported way to disable SELinux there is the selinux=0 kernel boot parameter (for example, grubby --update-kernel ALL --args selinux=0).
c) Restart the system for the changes to take effect:
reboot
Warning: Disabling SELinux removes its protections, exposing the system to potential vulnerabilities. Use with caution. Most "SELinux broke my application" cases turn out to be a mislabeled file or a boolean, which permissive mode plus the audit log will show; prefer fixing those over disabling.
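An added check, not from the original page, for the three places that decide the mode described above: the running kernel, /etc/selinux/config, and the kernel command line. Each function takes an optional path so the logic can be exercised on constructed files; the "ok"/"DRIFT" report format is this script's own, not any tool's.

```shell
#!/bin/sh
# Added example, not code from the original page: the SELinux mode lives in
# three places that can disagree, and an attacker or a hurried admin only
# needs to change one of them. This script reads all three and flags drift.
#   running kernel : /sys/fs/selinux/enforce holds 1 (enforcing) or 0
#                    (permissive); it is absent when SELinux is disabled
#   saved setting  : the SELINUX= line in /etc/selinux/config
#   boot override  : selinux=0 or enforcing=0 on the kernel command line
#                    beats the config file for that boot
# Every function takes an optional path so it can be run against constructed
# files; with no arguments it reads the live system.

runtime_mode() {
    f=${1:-/sys/fs/selinux/enforce}
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Value of the last uncommented SELINUX= line; "missing" if there is none.
# SELINUXTYPE= does not match because the pattern requires "SELINUX=".
config_mode() {
    f=${1:-/etc/selinux/config}
    v=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$f" 2>/dev/null | tail -n 1)
    echo "${v:-missing}"
}

# "disabled" if selinux=0 is present, "permissive" if only enforcing=0 is,
# otherwise "none". selinux=0 wins whatever the order of the tokens.
cmdline_override() {
    f=${1:-/proc/cmdline}
    [ -r "$f" ] || { echo none; return 0; }
    dis=0; perm=0
    for tok in $(cat "$f"); do
        case $tok in
            selinux=0)   dis=1 ;;
            enforcing=0) perm=1 ;;
        esac
    done
    if [ "$dis" -eq 1 ]; then echo disabled
    elif [ "$perm" -eq 1 ]; then echo permissive
    else echo none
    fi
}

# Compare what is running with what should be running after this boot. A
# running mode weaker than the expected one is the signature of a
# "setenforce 0" nobody reverted; an expected mode weakened by the command
# line survives reboots and is easy to miss when only the config is audited.
selinux_drift() {
    run=$(runtime_mode "$1"); cfg=$(config_mode "$2"); cmd=$(cmdline_override "$3")
    want=$cfg
    [ "$cmd" = none ] || want=$cmd      # the command line overrides the file
    if [ "$run" = "$want" ]; then
        echo "ok: running=$run configured=$cfg cmdline=$cmd"
    else
        echo "DRIFT: running=$run configured=$cfg cmdline=$cmd"
    fi
}

selinux_drift
```

On a host this prints one line you can ship to a monitoring system; a DRIFT line with running=permissive and configured=enforcing is the case worth alerting on.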
SELinux provides security for the following:
- Folders: Directories carry contexts like files, and a new file normally inherits its type from the parent directory (or gets one from a type-transition rule). For example, the Apache domain httpd_t can read directories labeled httpd_sys_content_t but not a user's home directory unless the httpd_enable_homedirs boolean is on.
- Files: Each file is assigned a security context; the policy decides access from the domain of the process and the type of the file, so a confined process that policy denies is denied even when it runs as root.
- Ports: Network ports are labeled too (http_port_t covers 80 and 443, for instance), and a confined service can only bind to or connect on ports whose type its domain is allowed; httpd listening on an unlabeled port fails with an AVC denial until the port is added to http_port_t.
You can check the SELinux context of files using ls -Z (capital Z). A context has four colon-separated fields: SELinux user, role, type, and MLS/MCS level; under the targeted policy the type is the field almost all decisions are made on. For example, listing the files new and x in a root home directory gives:
Explanation:
unconfined_u:object_r:admin_home_t:s0: This is the SELinux context of the files new and x. Its fields are the SELinux user unconfined_u, the object role object_r (every file has this role), the type admin_home_t (the default for content under /root), and the level s0.
When working with web content, such as files in /var/www/, you'll see the SELinux contexts related to Apache:
Explanation:
- httpd_sys_script_exec_t: Used for scripts executed by Apache (e.g., CGI scripts in the cgi-bin directory).
- httpd_sys_content_t: Used for web content that Apache serves (e.g., HTML files in the html directory). The httpd_t domain can only read it; content Apache must write, such as uploads or caches, needs httpd_sys_rw_content_t instead.
If you need to change the SELinux context of a file, you can use chcon. For example, to change the type of the file new to httpd_sys_content_t (which is appropriate for files served by Apache), you can run:
chcon -t httpd_sys_content_t new
This changes the type of the file new to httpd_sys_content_t, which is used for web content served by Apache. chcon only rewrites the security.selinux extended attribute of that one file; the policy's file-context database is unchanged, so the next restorecon or filesystem relabel puts the default type back. A label that should last belongs in a persistent rule, e.g. semanage fcontext -a -t httpd_sys_content_t "/srv/site(/.*)?" followed by restorecon -Rv /srv/site.
To restore the default context settings on a file or directory, use restorecon:
restorecon -v new
This will revert the file new to its default SELinux context based on its location and the security policy (the same default that matchpathcon new prints). Use -R for a directory tree and -n to preview what would change without touching anything.
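The chcon and restorecon behaviour above, as an added example (not the page's code): it shows the chcon label being reverted by restorecon and then made persistent with a semanage fcontext rule. It assumes SELinux enabled with the targeted policy and root, and creates a throwaway directory under /root (default type admin_home_t, as in the page's ls -Z output); the sample file content is constructed and everything is cleaned up at the end.

```shell
#!/bin/sh
# Added example, not code from the original page: shows that a chcon change
# is only an attribute on one inode, and how to make a label survive
# restorecon and relabels with a semanage fcontext rule. Assumes the targeted
# policy with SELinux enabled, root (semanage writes the policy store), and
# uses a throwaway directory under /root, whose default type is admin_home_t.
# The directory and the rule are removed at the end.

have_selinux() { command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; }

# Type field (third colon-separated field) of a file's context: the same
# string ls -Z shows, read through stat so it is easy to compare.
file_type() { stat -c %C "$1" | cut -d: -f3; }

# Prints four types on stdout: before chcon, after chcon, after restorecon
# with no rule, after restorecon with a persistent rule. On a default
# targeted host that is:
#   admin_home_t httpd_sys_content_t admin_home_t httpd_sys_content_t
# Diagnostic output from restorecon -nv and matchpathcon goes to stderr.
fcontext_demo() {
    d=$(mktemp -d /root/selinux_demo.XXXXXX); f="$d/index.html"
    echo '<h1>hello</h1>' > "$f"                 # constructed sample content
    before=$(file_type "$f")                     # inherited from /root: admin_home_t

    chcon -t httpd_sys_content_t "$f"
    after_chcon=$(file_type "$f")                # httpd_sys_content_t, but unknown to the policy

    restorecon -nv "$f" >&2                      # -n: dry run, prints that it would relabel
    restorecon "$f"
    after_restore=$(file_type "$f")              # back to admin_home_t: the chcon is gone

    # Persistent fix: record the mapping for the whole tree, then apply it.
    # matchpathcon now reports httpd_sys_content_t as the default for the path.
    semanage fcontext -a -t httpd_sys_content_t "$d(/.*)?"
    restorecon -R "$d"
    after_rule=$(file_type "$f")
    matchpathcon "$f" >&2

    semanage fcontext -d "$d(/.*)?"              # cleanup: drop the rule and the files
    rm -rf "$d"
    echo "$before $after_chcon $after_restore $after_rule"
}

if have_selinux && [ "$(id -u)" -eq 0 ]; then
    fcontext_demo
else
    echo "SELinux not enabled or not root: nothing to demonstrate"
fi
```

The third value is the one people get bitten by: a deployment that labels files with chcon works until the next relabel, then serves 403s; the fcontext rule is what makes the fourth value stick.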
SELinux policies are often controlled through booleans, which let system administrators toggle predefined permissions without modifying the policy. For example, to turn off the zoneminder_run_sudo boolean temporarily, you can use:
setsebool zoneminder_run_sudo off
This command turns off the zoneminder_run_sudo boolean until the next reboot, which stops the ZoneMinder service from running sudo (and so from escalating privileges through it).
To make the change persistent across reboots, use the -P flag:
setsebool -P zoneminder_run_sudo off
This command also writes the new value into the policy store, so zoneminder_run_sudo stays "off" across system reboots. Check a boolean's current value with getsebool <boolean_name> and read what it controls with semanage boolean -l.
Common SELinux Management Commands
- Viewing the status of SELinux booleans:
getsebool -a
This command shows the current value of every SELinux boolean on the system.
- To temporarily change a boolean:
setsebool <boolean_name> <on|off>
- To permanently change a boolean:
setsebool -P <boolean_name> <on|off>
- Use getenforce and setenforce for temporary mode changes without rebooting; /etc/selinux/config sets the mode that applies at boot.
- SELinux policies are highly customizable; /etc/selinux/config holds the mode and policy type, /etc/selinux/<type>/ (targeted by default) holds the loaded policy, and rules added with semanage land in its policy store (for example, file-context rules in contexts/files/file_contexts.local).
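Booleans and port labels as an added example (not the page's code), with the read-backs that confirm a change is live and will persist. It assumes the targeted policy with the httpd policy module loaded (httpd_can_network_connect and http_port_t come from that module) and root for the setters; the helper names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the original page: the two policy knobs an
# administrator turns most often, booleans and port labels, each followed by
# the read-back that proves the change took and will persist. Assumes the
# targeted policy with the httpd module loaded (httpd_can_network_connect
# and http_port_t exist there by default) and root for the setters and for
# semanage; getsebool works as any user.

have_selinux() { command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; }

# Current value of a boolean; getsebool prints "name --> on".
bool_value() { getsebool "$1" | awk '{print $NF}'; }

# setsebool without -P changes only the running kernel; with -P the value is
# also written to the policy store. The second check lists local boolean
# customizations (semanage boolean -l -C), which is where a value must
# appear to survive a reboot.
set_bool_persistent() {                # $1 boolean, $2 on|off
    setsebool -P "$1" "$2"
    [ "$(bool_value "$1")" = "$2" ] || { echo "$1: kernel still reports $(bool_value "$1")"; return 1; }
    semanage boolean -l -C | grep -q "^$1 " || { echo "$1: not in the local policy store"; return 1; }
    echo "$1=$2 (persistent)"
}

# Let a confined service use a non-standard port: add the port to the
# service's port type, or modify it when another type already owns it, then
# read the mapping back. Without this, httpd binding to the port gets an
# AVC denial (name_bind) on the unlabeled port.
allow_port() {                         # $1 type, $2 tcp|udp, $3 port
    semanage port -a -t "$1" -p "$2" "$3" 2>/dev/null \
        || semanage port -m -t "$1" -p "$2" "$3"
    semanage port -l | grep "^$1 "
}

# Before flipping a boolean, ask the audit log what was denied: audit2why
# names a boolean when one would allow the denied access, and says so when
# the fix is a label instead.
recent_denials() { ausearch -m AVC -ts recent 2>/dev/null | audit2why; }

if have_selinux; then
    echo "httpd_can_network_connect is $(bool_value httpd_can_network_connect)"
    [ "$(id -u)" -eq 0 ] && semanage port -l | grep '^http_port_t '   # ports httpd may bind today
    # setters, run as root when you actually need them:
    #   set_bool_persistent httpd_can_network_connect on
    #   allow_port http_port_t tcp 8081
    #   recent_denials
else
    echo "SELinux not enabled: nothing to query"
fi
```

Treat recent_denials as the first step, not the last: a boolean is a broad grant (httpd_can_network_connect lets httpd_t connect anywhere), so confirm the denial is really one a boolean covers before widening the policy.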