Allows defining permissions for all processes (called subjects) that interact with other parts of the system.
Achieved through security policy over all processes and objects.
All of these processes and objects are controlled through the kernel.
The owner of a file object has potentially risky control over that object.
The Apache HTTP server can perform any operation on files.
Malicious or broken software can have root-level access to the entire system.
SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. SELinux defines the access and transition rights of every user, application, process, and file on the system.
SELinux Decision Making Process:
When a subject attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached.
If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix.
Permission is then either granted or denied, with an avc: denied message detailed in /var/log/messages if permission is denied.
The security context of subjects and objects is applied to the installed policy, which also provides the information to populate the security server's matrix.
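An added example (not part of the original notes) that reads avc: denied messages from a syslog-style file such as /var/log/messages and groups the denied permissions by subject type, object type and object class. The log lines are constructed samples in the kernel's denial format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from a real system).
SAMPLE_LOG = """\
Sep 22 13:20:01 host kernel: audit(1190467201.123:42): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Sep 22 13:20:02 host kernel: audit(1190467202.456:43): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/alice/index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Sep 22 13:20:05 host sshd[2200]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Sep 22 13:21:10 host kernel: audit(1190467270.789:44): avc:  denied  { name_bind } for  pid=2150 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denial(line):
    """Return a dict for an 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A denial without both contexts and a class cannot be attributed; skip it.
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # Context layout is user:role:type[:level]; the type is the third field.
    src = fields["scontext"].split(":")
    tgt = fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context, do not guess
    fields.update(perms=m.group("perms").split(), stype=src[2], ttype=tgt[2])
    return fields


def summarize_denials(log_text):
    """Group denied permissions by (subject type, object type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc_denial(line)
        if d:
            summary[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize_denials(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} denied {{ {' '.join(perms)} }}")
```

Each group in the output is one subject/object pair that the policy refused, which is the information needed to decide whether the object is mislabelled or the access is genuinely unwanted.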
SELinux Operating Modes:
SELinux can run in permissive mode, where the AVC is checked but the policy is not enforced. This mode is useful for troubleshooting and for developing or fine-tuning SELinux policy.
Describe SELinux configuration files and Pseudo file systems.
1) Pseudo file systems
Similar to the /proc/ pseudo-file system.
sample contents of the
-rw-rw-rw- 1 root root 0 Sep 22 13:14 access
dr-xr-xr-x 1 root root 0 Sep 22 13:14 booleans
--w------- 1 root root 0 Sep 22 13:14 commit_pending_bools
-rw-rw-rw- 1 root root 0 Sep 22 13:14 context
-rw-rw-rw- 1 root root 0 Sep 22 13:14 create
--w------- 1 root root 0 Sep 22 13:14 disable
-rw-r--r-- 1 root root 0 Sep 22 13:14 enforce
-rw------- 1 root root 0 Sep 22 13:14 load
-r--r--r-- 1 root root 0 Sep 22 13:14 mls
-r--r--r-- 1 root root 0 Sep 22 13:14 policyvers
-rw-rw-rw- 1 root root 0 Sep 22 13:14 relabel
-rw-rw-rw- 1 root root 0 Sep 22 13:14 user
2) SELinux Configuration Files
These configuration files are located in the /etc/ directory.
1. The /etc/sysconfig/selinux Configuration File
There are two ways to configure SELinux: using the SELinux Administration Tool (system-config-selinux), or manually editing the configuration file (/etc/sysconfig/selinux).
The full subset of options available for configuration:
SELINUX=enforcing|permissive|disabled— Defines the top-level state of SELinux on a system.
    enforcing— The SELinux security policy is enforced.
    permissive— The SELinux system prints warnings but does not enforce the policy.
    disabled— SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
SELINUXTYPE=— Specifies which policy SELinux should enforce.
    targeted— Only targeted network daemons are protected.
    strict— Full SELinux protection, for all daemons. Security contexts are defined for all subjects and objects, and every action is processed by the policy enforcement server.
SETLOCALDEFS=— Controls how local definitions (users and booleans) are set. Set it to 1 if controlled by load_policy, or set it to 0 if controlled by
2. The /etc/selinux/ Directory
The /etc/selinux/ directory is the primary location for all policy files as well as the main configuration file.
3) SELinux Utilities
/usr/sbin/setenforce— Modifies in real time the mode in which SELinux runs.
/usr/sbin/sestatus -v— Displays the detailed status of a system running SELinux.
/usr/bin/newrole— Runs a new shell in a new context, or role.
/sbin/restorecon— Sets the security context of one or more files.
/sbin/fixfiles— Checks or corrects the security context database on the file system.