What is SELinux?
Security-Enhanced Linux (SELinux) is a security architecture created by the United States National Security Agency (NSA) and Red Hat for Linux® systems that allows administrators to have more control over who can access the system. It was developed in a series of patches to the Linux kernel using Linux Security Modules (LSM). It is meant to provide a Mandatory Access Control (MAC) system built into the Linux kernel.
How SELinux Protects Resources
A crucial security function in Linux is served by SELinux, which enables far more accurate access control to files and other resources than user permissions.
Access to users or groups of users to particular files is governed by file permissions. However, even if that use is not how the file should be used, a user who has read or write access to a particular file is free to use it anyway they see fit. For instance, if someone has write access to a file, should they permit other editors to open it and make changes that can harm a structured data file that can only be written to with a specific program? Such unauthorized access cannot be stopped by file permissions. They merely restrict who is permitted to read, write, or run a file; they were never intended to regulate how a file is used.
For each binary executable, configuration file, and data file utilized by a program, SELinux is made up of sets of rules that are specified by the application authors. These policies specify precisely what actions and accesses are appropriate and authorized. One policy is developed to cover the operations of just one application, which is why it is known as a targeted policy. Programs, files, and network ports all have labels that are predefined and declared by policies.
Why use Security Enhanced Linux(SELinux)
- Not every security issue can be predicted in advance. SELinux enforces a set of access rules that prevent a weakness in one application from affecting other applications or the underlying system.
- SELinux provides an extra layer of security – A layer of complexity which can off-putting to people new to this subsystem.
SELinux Modes
Enforcing
: SELinux is enforcing access control rules. Computers generally run in this mode.Permissive
: SELinux is active but instead of enforcing access control rules, it records warnings of rules that have been violated. This mode is used primarily for testing and troubleshooting.Disabled
: SELinux is turned off entirely: no SELinux violations are denied, nor even recorded. I highly discourage this mode.
SELinux is meant to provide a Mandatory Access Control (MAC) system built into the Linux kernel.
Change the current SELinux mode
From the command-line, SELinux provides us with the tools to display and change modes.
To determine the current SELinux mode, run the getenforce
command. To set SELinux to a different mode, use the setenforce
command:
[tech-admin@technnix-host ~]# getenforce Enforcing [tech-admin@technnix-host ~]# setenforce usage: setenforce [ Enforcing | Permissive | 1 | 0 ] [tech-admin@technnix-host ~]# setenforce 0 [tech-admin@technnix-host ~]# getenforce Permissive [tech-admin@technnix-host ~]# setenforce Enforcing [tech-admin@technnix-host ~]# getenforce Enforcing
Set the default SELinux mode
To persist the changes, we need to configure the /etc/selinux/config
file. In the example below, we are changing the SELinux mode to enforcing
.
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes # are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
/etc/selinux/config
file is read at boot time and configures SELinux accordingly.
Refs
Please visit the SELinux man pages: getenforce(8), setenforce(8), & selinux_config(5)