Future Techno India
6 min read, Sep 23, 2022


What is SELinux?

Security-Enhanced Linux (SELinux) is a mandatory access control system built into the Linux kernel. It enforces a policy that decides what a given process, user or service may do with the system's resources, over and above the ordinary file permissions.

SELinux gives administrators control over who and what can access a Linux system that goes well beyond the owner-set permissions of traditional UNIX. It was developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel and now hooks into the kernel through the Linux Security Modules (LSM) framework.

The NSA released SELinux to the open-source community in 2000, and it was merged into the upstream Linux kernel (the 2.6 series) in 2003.

How does SELinux work?

SELinux controls a system's applications, processes and files. It does so by enforcing a security policy: a set of rules that tell SELinux which subjects (processes) may access which objects (files, directories, sockets, ports and so on), and in what way.

When a subject such as a process tries to access an object such as a file, SELinux first checks the access vector cache (AVC) for a decision it has already made for that pair of security contexts and that class of access.

If there is no cached decision, the request goes to the security server inside the kernel. The security server looks up the security context (the label) of the subject and of the object in the loaded policy and decides whether the access is allowed. That decision is stored in the AVC, so the next identical request is answered without another policy lookup.

If permission is denied, an “avc: denied” message is written to the audit log: /var/log/audit/audit.log when the audit daemon is running, otherwise /var/log/messages via the kernel log.

How to configure SELinux?

SELinux ships with several policy types. The targeted policy and multi-level security (MLS) are the most common.

The targeted policy, the default on Fedora and Red Hat Enterprise Linux, confines a defined set of daemons and services in their own domains and leaves everything else running unconfined. MLS adds sensitivity levels and categories on top of type enforcement and, because of its complexity, is used mostly by government organizations.

Which policy is loaded, and whether SELinux boots in enforcing, permissive or disabled mode, is set in /etc/selinux/config (on Red Hat systems /etc/sysconfig/selinux is a symbolic link to it): SELINUX= holds the mode and SELINUXTYPE= the policy type.

Enabling and disabling SELinux

To enable SELinux on a system where it is disabled, edit /etc/selinux/config and set SELINUX=permissive, not enforcing. Files created while SELinux was off carry no labels, and going straight to enforcing with mislabeled files can leave the system unable to boot.

Then create an empty file named .autorelabel in the root directory (touch /.autorelabel) and reboot; the whole filesystem is relabeled during boot. Stay in permissive mode until the denials recorded in the audit log have been dealt with. Once everything is relabeled and the log is clean, set SELINUX=enforcing in /etc/selinux/config and either reboot or switch the running system with setenforce 1.

To disable SELinux, edit /etc/selinux/config, set SELINUX=disabled and reboot.
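The enable procedure above, written as a small POSIX shell script. This is an added example, not code from the original article: it edits a config file whose path the caller supplies (so it can be tried on a scratch copy), refuses to jump from disabled straight to enforcing, and only prints the commands that touch the host unless DRY_RUN=0 is set. The sample config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: safe, scriptable (re)enabling of SELinux via /etc/selinux/config.
# Assumptions: the config path is passed by the caller; DRY_RUN=1 (default)
# only prints the commands that would change the running host.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Print the SELINUX= value from a config file; comments and blank lines are
# ignored and, if the key appears twice, the last setting wins.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
             END { print (v == "" ? "unknown" : v) }' "$1"
}

# Rewrite (or append) the SELINUX= line; SELINUXTYPE and comments are untouched.
set_config_mode() {
    case "$2" in enforcing|permissive|disabled) ;; *) echo "invalid mode: $2" >&2; return 1 ;; esac
    grep -q '^[[:space:]]*SELINUX[[:space:]]*=' "$1" || echo "SELINUX=$2" >> "$1"
    sed "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The only safe next step from the current persistent mode. disabled -> enforcing
# is never offered: files created while SELinux was off are unlabeled and the
# box may not boot.
next_safe_mode() {
    case "$1" in
        disabled)   echo permissive ;;
        permissive) echo enforcing ;;
        enforcing)  echo enforcing ;;
        *)          echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# One pass of the procedure. Run it twice on a real host: once to go
# permissive and relabel, then again after the reboot once the audit log is clean.
enable_selinux() {
    conf=${1:-/etc/selinux/config}
    cur=$(selinux_config_mode "$conf")
    nxt=$(next_safe_mode "$cur") || return 1
    case "$cur" in
        disabled)
            set_config_mode "$conf" "$nxt"
            run touch /.autorelabel      # relabel every filesystem on the next boot
            echo "reboot now; re-run after the AVC denials in the audit log are resolved" ;;
        permissive)
            set_config_mode "$conf" "$nxt"
            run setenforce 1             # switch the running kernel without a reboot
            ;;
        enforcing)
            echo "already enforcing" ;;
    esac
}

# Constructed scratch copy of /etc/selinux/config so the script runs on any host.
cfg=$(mktemp)
printf '# This file controls the state of SELinux on the system.\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$cfg"
enable_selinux "$cfg"   # disabled -> permissive, schedules the relabel
enable_selinux "$cfg"   # permissive -> enforcing
cat "$cfg"
rm -f "$cfg"
```

Running it with DRY_RUN=0 as root on the real file performs the edits and the touch/setenforce calls for real; the reboot in between is still yours to do.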

SELinux can also be managed with graphical tools, such as system-config-selinux and the SELinux Troubleshooter (sealert), if the administrator is less comfortable on the command line.

Discretionary access control (DAC) vs. mandatory access control (MAC)

Linux and UNIX platforms traditionally use DAC. SELinux adds a MAC system on top of it.

Under DAC every file and process has an owner, and the owner (a user, a group, or another party) can change the file's permissions at will.

Under DAC the root user has full control: root can read any user's files on the machine and do whatever it pleases with them.

On a MAC system such as SELinux, access is governed by a policy that only the administrator sets. The DAC check still runs first; SELinux is consulted only when DAC would permit the access, and it can still say no. So even if the permissions on your home directory are opened up, policy can prevent another user's process, or a confined service such as a web server, from reading it.

One policy governs every labeled process and file on the system at once, so limits on files, directories, ports, users and more are set in one place rather than file by file.

How to handle SELinux errors

An SELinux denial means something is wrong. Most likely it is one of these four problems:

1. The labels are wrong. Compare the file's label with what policy expects (matchpathcon) and fix it with restorecon; if the path is new to policy, register it first with semanage fcontext.

2. The policy needs adjusting. SELinux may need to be told about a change you made, for example a service that now talks to a database. Booleans (setsebool) cover the common cases; otherwise build a local policy module (audit2allow, semodule).

3. There is a bug in the policy. If the access is plainly legitimate and no boolean covers it, check the policy sources and report the bug to your distribution.

4. The system has been broken into. SELinux protects against many attacks but does not make a system uncompromisable. If the denied access makes no sense for the workload, treat it as an incident and act immediately.
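The “avc: denied” records described earlier and the four-way diagnosis above, worked through on sample log lines. This is an added example and not the article's own code: the three audit.log lines are constructed, not captured from a real host, and the classification is a heuristic of mine (generic target types such as default_t or user_home_t usually mean a labeling problem, a *_port_t target usually has a boolean, everything else may need a module). The “allow” lines it prints are what audit2allow would generate from the same input; do not install them without asking whether the access should have been allowed at all.

```shell
#!/bin/sh
# Added example: summarise AVC denials and say which of the four fixes to try.
# Real-host equivalents: ausearch -m AVC -ts recent; sealert -a /var/log/audit/audit.log;
# audit2allow -a -M local && semodule -i local.pp (only after triage!).

# Constructed sample denials in audit.log format (not from a real system).
write_sample_avc() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1663920000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663920001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1663920002.789:458): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/srv/www/app/config.ini" dev="dm-0" ino=91 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
EOF
}

# Collapse denials into the allow rules audit2allow would emit:
#   allow <source type> <target type>:<class> { <perms> };
# Types are the third colon-separated field of scontext/tcontext.
avc_rules() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt " " cls
        if (!(key in order)) order[key] = ++count
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; allow[key] = allow[key] " " p[j] }
    }
    END {
        for (k in allow) line[order[k]] = k
        for (i = 1; i <= count; i++) {
            split(line[i], f, " ")
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], allow[line[i]]
        }
    }' "$1"
}

# Heuristic triage (an assumption, not policy semantics): map each rule to the
# fix category from the list above.
avc_triage() {
    avc_rules "$1" | while read -r kw src tgt_cls rest; do
        tgt=${tgt_cls%%:*}
        case "$tgt" in
            default_t|unlabeled_t|user_home_t|admin_home_t)
                hint="label: run matchpathcon/restorecon on the path; if it is a new location, add it with semanage fcontext" ;;
            *_port_t)
                hint="boolean: check getsebool -a | grep ${src%_t} before writing any policy" ;;
            *)
                hint="policy: if the access is legitimate, build a module with audit2allow -M; otherwise suspect a compromise" ;;
        esac
        printf '%s %s -> %s\n' "$src" "$tgt_cls" "$hint"
    done
}

log=$(mktemp)
write_sample_avc "$log"
avc_rules "$log"
avc_triage "$log"
rm -f "$log"
```

The first denial (httpd_t reading user_home_t) is the classic mislabel: content copied from a home directory into the web root keeps its home label, and the fix is restorecon, not an allow rule. The second (name_connect to mysqld_port_t) is covered by the httpd_can_network_connect_db boolean on the targeted policy.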

Benefits of running SELinux

SELinux provides the following benefits:

· Every process and file carries a label. How processes may interact with files, and with each other, is governed by policy rules, and access is denied unless a rule explicitly allows it.

· Finer-grained access control. Traditional UNIX permissions are set at the file owner's discretion and keyed to Linux user IDs. SELinux decides on the basis of all the information available: SELinux roles and types and, optionally, security levels, in addition to those UNIX permissions.

· Policy is set system-wide by the administrator and applies to every user, root included.

· Besides protecting processes from untrusted input, SELinux can enforce data confidentiality and integrity.

SELinux is not:

· antivirus software,

· a replacement for passwords, firewalls or other security controls,

· an all-in-one security solution.

Securing Linux with SELinux does not replace the existing controls. Keep software up to date, use strong passwords and run a firewall alongside SELinux.

SELinux states and modes

SELinux runs in one of three modes: enforcing, permissive or disabled.

· Enforcing is the preferred mode: the loaded policy is applied to the whole system and disallowed accesses are blocked.

· In permissive mode the policy is loaded and objects are labeled, and every access that would have been denied is logged as a denial, but nothing is actually blocked. That makes permissive mode useful for developing and debugging policy, and for the first boot after enabling SELinux, but it provides no protection.

· Disabled mode is strongly discouraged: not only is no policy enforced, but new files are written without labels, which makes enabling SELinux later harder.

setenforce switches between enforcing and permissive on the running system; changes made with setenforce do not survive a reboot (the persistent setting lives in /etc/selinux/config). As root, setenforce 1 switches to enforcing and setenforce 0 to permissive. getenforce prints the current mode.

On Red Hat Enterprise Linux, individual domains can be made permissive while the rest of the system stays enforcing; the httpd_t domain, for example, can be made permissive on its own while everything else is still enforced.

Be aware that a permissive domain is a hole in the system's security. Red Hat recommends using permissive domains with caution, only while debugging a specific scenario, and removing them afterwards.
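The mode switches and the per-domain permissive setting, as an added example rather than the article's own commands. The real commands are getenforce, setenforce 0/1 and semanage permissive -a/-d/-l; they need root and an SELinux-enabled kernel, so by default (DRY_RUN=1) the script prints them instead of running them. The domain name httpd_t and the command run inside the permissive window are supplied by the caller; the helper reverts the domain when the command finishes, even if it fails.

```shell
#!/bin/sh
# Added example: runtime mode changes and a scoped permissive domain.
# Assumptions: DRY_RUN=1 (default) prints getenforce/setenforce/semanage
# instead of executing them; set DRY_RUN=0 as root to run them for real.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Map a mode name to the setenforce argument. "disabled" is rejected on
# purpose: the kernel cannot turn SELinux off at runtime, only
# SELINUX=disabled in /etc/selinux/config plus a reboot does that.
setenforce_arg() {
    case "$1" in
        enforcing|1)  echo 1 ;;
        permissive|0) echo 0 ;;
        *) echo "setenforce cannot set mode '$1'" >&2; return 1 ;;
    esac
}

# Change the mode of the running kernel only; it reverts at the next boot.
set_runtime_mode() {
    arg=$(setenforce_arg "$1") || return 1
    run setenforce "$arg"
}

# Make one domain permissive for the duration of a single command, then put it
# back, so a debugging session cannot leave the hole open. The EXIT trap covers
# the case where the command (or the shell) dies before the cleanup line.
with_permissive_domain() {
    dom=$1; shift
    case "$dom" in *_t) ;; *) echo "'$dom' is not a type name" >&2; return 1 ;; esac
    run semanage permissive -a "$dom"
    trap 'run semanage permissive -d "$dom"' EXIT
    "$@"; rc=$?
    run semanage permissive -d "$dom"
    trap - EXIT
    return $rc
}

run getenforce                       # current mode of the running system
set_runtime_mode permissive          # setenforce 0
set_runtime_mode enforcing           # setenforce 1
set_runtime_mode disabled || echo "refused, as intended"
# Reproduce a failure with only httpd_t permissive, then revert automatically.
with_permissive_domain httpd_t sh -c 'echo "reproduce the httpd failure here"'
run semanage permissive -l           # should no longer list httpd_t
```

While the domain is permissive, its denials are still logged with permissive=1 in the AVC record, so the log shows every rule the workload would need before anything is enforced again.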
