SELinux Getting Started

Back in the Linux 2.6 kernel era (SELinux was merged into the mainline kernel with 2.6.0 in 2003), a new security subsystem was introduced to provide a mechanism for enforcing access control security policies. That subsystem is Security Enhanced Linux (SELinux), originally contributed by the National Security Agency (NSA) of the United States. It adds a Mandatory Access Control architecture that sits on top of the kernel's existing permission checks.

If you've disabled or ignored SELinux throughout your Linux career, this article is for you: an introduction to the SELinux system that lives beneath your Linux desktop or server, restricting what each process may touch and limiting (not eliminating) the damage a vulnerable program or daemon can do once it is compromised.

Before I begin, you should know that SELinux ships enabled by default on Red Hat Enterprise Linux and its derivatives (Fedora, CentOS, and the like). Ubuntu and SUSE (and their derivatives) ship AppArmor instead, and SELinux and AppArmor are significantly different: AppArmor confines programs by path, SELinux by labels attached to every process and object. You can install SELinux on SUSE, openSUSE, Ubuntu, etc., but the policy and the filesystem labelling have to be brought up from scratch, so it is a demanding exercise unless you are already very proficient in Linux.

Having said that, let me introduce you to SELinux.

DAC vs. MAC

The traditional access control model on Linux is Discretionary Access Control (DAC). Under DAC a program or daemon runs with a User ID (UID), possibly acquired through a setuid (SUID) binary, and has every permission that user has on objects (files, sockets, and other processes). The owner of an object decides who may access it, hence "discretionary", and root bypasses the checks entirely. This means that once malicious code is running inside a process, it inherits all of that process's permissions and can reach any subsystem the user (or root) can.

Mandatory Access Control (MAC), on the other hand, enforces the isolation of information according to a system-wide policy based on confidentiality and integrity, in order to limit the damage a compromised process can do. This confinement operates independently of, and in addition to, the traditional Linux DAC checks (a request must pass both), and the policy has no concept of a superuser: a process running as UID 0 is still confined to whatever its SELinux domain allows.

How SELinux Works

Consider the concepts related to SELinux:

  • Subjects
  • Target Objects
  • Policy
  • Mode

Every subject and object carries a security context (a label such as system_u:system_r:httpd_t:s0, whose third field, the type, is what most policy rules are written against). When a subject (such as a program) tries to access a target object (such as a file), the SELinux security server in the kernel looks up the pair of contexts and the requested operation in the loaded policy. Based on the current mode, if the policy allows the access, the subject proceeds; if it denies it, an AVC (access vector cache) denial record is logged. With auditd running the record goes to /var/log/audit/audit.log; without it, the kernel writes it to the system log, typically /var/log/messages.

Sounds relatively simple, right? The actual process is more complicated, but to simplify the introduction, only the important steps are listed.
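The denial records mentioned above are the first thing a practitioner reads when SELinux blocks something. The following is an added example, not code from the original article: a small POSIX shell/awk filter that reduces each AVC denial to the subject type, target type, object class and permissions involved. The audit records it runs over are constructed for illustration (the PIDs, inode and timestamps are made up); on a real host you would feed it /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example, not from the original article: summarise SELinux AVC denials.
# The records below are constructed; on a real host read /var/log/audit/audit.log
# (or /var/log/messages when auditd is not running).

# Emit a constructed sample: a SYSCALL record and the AVC denial that goes with it.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1363289005.532:184): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1363289005.532:184): avc:  denied  { read } for  pid=2306 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Read audit records on stdin; print one line per AVC denial in the form
#   <comm> (<source type>) -> <target type> <class> { <permissions> } permissive=<0|1>
# permissive=1 means the access was logged but not actually blocked.
avc_summary() {
  awk '
    /avc: *denied/ {
      # The permission set sits between the braces: "denied  { read write }".
      perms = $0
      sub(/.*denied *[{] */, "", perms)
      sub(/ *[}].*/, "", perms)
      comm = "?"; sc = ""; tc = ""; cls = "?"; perm = "?"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")            { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext")   sc = kv[2]
        else if (kv[1] == "tcontext")   tc = kv[2]
        else if (kv[1] == "tclass")     cls = kv[2]
        else if (kv[1] == "permissive") perm = kv[2]
      }
      # Contexts are user:role:type[:level]; the type is what policy rules name.
      split(sc, s, ":"); split(tc, t, ":")
      printf "%s (%s) -> %s %s { %s } permissive=%s\n", comm, s[3], t[3], cls, perms, perm
    }'
}

# Stand-alone run over the constructed sample.
sample_audit_log | avc_summary
```

On a live system, `avc_summary < /var/log/audit/audit.log | sort | uniq -c | sort -rn` gives a quick count of which domain-to-type pairs are being denied, which is the usual starting point before deciding whether a file is mislabeled or the policy genuinely needs a boolean or a custom module.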

Modes

SELinux has three modes (which can be set by the administrator). These modes dictate what SELinux does with a subject's request:

  • Enforcing - the policy is enforced: access is granted or denied according to the SELinux policy rules, and denials are logged
  • Permissive - the policy is evaluated but not enforced: nothing is actually denied, but every would-be denial is written to the log, which makes this mode useful for testing a policy before turning it on
  • Disabled - SELinux is completely switched off; no policy is loaded and new files are not labelled

Figure 1: The getenforce command shows that SELinux is in the Enforcing state.

By default, SELinux on Red Hat-family systems is set to Enforcing. How do you know what mode your system is currently in? You can check this with a simple command, getenforce, which needs no root privileges since it only reports the mode. Open a terminal window and execute getenforce. The command will return Enforcing, Permissive, or Disabled (see Figure 1 above).

Setting the SELinux mode is actually quite simple; how you do it depends on which mode you want. Remember: disabling SELinux is never recommended. Why? While SELinux is disabled, files created on disk receive no security context labels, so when you later re-enable it the whole filesystem has to be relabelled (typically by creating the file /.autorelabel and rebooting) before the policy can work correctly. Also, a system that was booted in Disabled mode cannot be switched to Enforcing or Permissive at runtime; it needs a reboot. Your best choices are Enforcing or Permissive.

You can change the SELinux mode from the command line or from the /etc/selinux/config file. To set the mode from the command line, you can use the setenforce tool. To set Enforcing mode, do the following:

  • Open a terminal window
  • Execute su and enter the root password
  • Execute setenforce 1
  • Execute getenforce to confirm the mode has been set correctly (Figure 2)

Figure 2: Setting SELinux mode to Enforcing.

To set the mode to Permissive, do this:

  • Open a terminal window
  • Execute su and enter the root password
  • Execute setenforce 0
  • Execute getenforce to confirm the mode has been set correctly (Figure 3)

Figure 3: Setting SELinux mode to Permissive.

NOTE: setenforce changes the mode of the running kernel only. It takes precedence over the configuration file until the next reboot, at which point the system comes back in whatever mode the configuration file specifies. To make a change permanent you must edit the file.

If you would rather set the mode in the SELinux configuration file, /etc/selinux/config, open that file with your favorite editor and find the line that begins with SELINUX=, which will look like this:

SELINUX=permissive

Set it to enforcing or permissive (the value is lowercase) and save the file. The new setting takes effect at the next boot.
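The runtime procedure (setenforce) and the boot-time procedure (editing /etc/selinux/config) above are easy to mix up, and the classic mistake is to change one and assume the other followed. The script below is an added example, not code from the original article: it reads the boot-time setting from a config file, reads the runtime mode with getenforce, warns when they disagree, and wraps both ways of changing the mode with validation. The CONFIG_FILE and FORCE_DISABLE variables are conventions of this script, not of SELinux; the file path defaults to the real /etc/selinux/config but can be pointed at a copy for testing. The setenforce calls need root, exactly as the steps above do.

```shell
#!/bin/sh
# Added example, not from the original article: check and change the SELinux mode
# at runtime (setenforce) and at boot (the SELINUX= line in /etc/selinux/config),
# and flag the common mistake of the two disagreeing. CONFIG_FILE and FORCE_DISABLE
# are this script's own conventions, not SELinux ones.

# Boot-time mode: the last uncommented SELINUX= assignment in the config file, lowercased.
config_mode() {
  sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1 | tr 'A-Z' 'a-z'
}

# Boot-time policy type (SELINUXTYPE=), e.g. targeted or mls.
config_type() {
  sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z_]*\).*/\1/p' "$1" | tail -n 1
}

# Runtime mode from getenforce, lowercased; "unavailable" where the tool is missing.
runtime_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr 'A-Z' 'a-z'
  else
    echo unavailable
  fi
}

# Only three values are legal in the config file.
valid_mode() {
  case "$1" in
    enforcing|permissive|disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# Runtime change: setenforce 1/0 (needs root). "disabled" cannot be set at runtime.
set_runtime_mode() {
  case "$1" in
    enforcing)  setenforce 1 ;;
    permissive) setenforce 0 ;;
    disabled)   echo "disabled cannot be set at runtime; edit the config file and reboot" >&2; return 2 ;;
    *)          echo "invalid mode: $1" >&2; return 2 ;;
  esac
}

# Boot-time change: rewrite (or append) the SELINUX= line in the given config file.
# Refuses "disabled" unless FORCE_DISABLE=1: a host booted with SELinux disabled
# stops labelling new files and needs a full relabel (touch /.autorelabel) to come back.
set_config_mode() {
  file=$1; mode=$2
  valid_mode "$mode" || { echo "invalid mode: $mode" >&2; return 2; }
  if [ "$mode" = disabled ] && [ "${FORCE_DISABLE:-0}" != 1 ]; then
    echo "refusing to write SELINUX=disabled (set FORCE_DISABLE=1 to override)" >&2
    return 3
  fi
  if grep -q '^[[:space:]]*SELINUX=' "$file"; then
    tmp=$(mktemp) || return 1
    # Write through a temp file and cat back so the original inode and permissions survive.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    echo "SELINUX=$mode" >> "$file"
  fi
}

# Compare runtime and boot-time settings; a mismatch means someone ran setenforce
# (or booted with a kernel parameter) and the change will not survive a reboot.
mode_report() {
  cfg=$(config_mode "$1"); run=$(runtime_mode)
  printf 'boot-time mode (%s): %s (policy type: %s)\n' "$1" "${cfg:-unset}" "$(config_type "$1")"
  printf 'runtime mode: %s\n' "$run"
  if [ "$run" != unavailable ] && [ "$run" != "$cfg" ]; then
    echo "WARNING: runtime and boot-time modes differ; setenforce does not persist across reboot"
  fi
}

CONFIG_FILE=${CONFIG_FILE:-/etc/selinux/config}
if [ -r "$CONFIG_FILE" ]; then
  mode_report "$CONFIG_FILE"
else
  echo "no readable $CONFIG_FILE on this host; runtime mode: $(runtime_mode)"
fi
```

Typical use on a host is simply running the script to get the report, then `set_runtime_mode permissive` while you debug a denial and `set_config_mode /etc/selinux/config enforcing` once you are done, so that a reboot never silently leaves the machine in the wrong mode.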

There is a third way to change the SELinux mode for a single boot, through the bootloader: the kernel command line parameters enforcing=0 (boot permissive) and selinux=0 (boot with SELinux disabled), but I don't recommend this for new users.

Policy Types

There are two classic types of SELinux policy:

  • Targeted - only a defined set of processes, mainly network-facing daemons (such as dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, and syslogd), run in confined domains; everything else runs unconfined and is governed by DAC alone
  • Strict - every process on the system runs in a confined domain under SELinux policy

Note that on current Fedora and RHEL releases the targeted policy confines far more than that short list of daemons, and a separately shipped strict policy is no longer provided; the other policy types you will find there are mls (multi-level security) and minimum.

You can change the policy type in the /etc/selinux/config file. Open this file with your favorite editor and find this line:

SELINUXTYPE=targeted

Change this option to the policy type you need. Be aware that the corresponding policy package (for example selinux-policy-mls) must be installed first, and that switching policy types requires a full filesystem relabel (touch /.autorelabel) and a reboot, because every file's context has to be recomputed under the new policy.

Check the complete SELinux status

There is a handy SELinux tool, sestatus, that gives a detailed status report on an SELinux-enabled system: the mode, the configured mode, the policy type, and with -v the security contexts of key processes and files. Run it in the terminal like this:

sestatus -v

You should see output similar to Figure 4.

Figure 4: Output of the sestatus -v command.

Only Scratching the Surface

As you might expect, I've only scratched the surface of SELinux. SELinux is indeed a complex system, and getting a more solid understanding of how it works and how to make it work better for your desktop or server requires a deeper dive. I haven't covered troubleshooting and creating custom SELinux policies yet.

SELinux is a powerful tool that all Linux administrators should know. Now that you've been introduced to SELinux, I strongly recommend that you return to Linux.com (as more articles are published on this topic) or check out the NSA SELinux documentation for a more in-depth guide.
