What is SELinux?


Security-Enhanced Linux (SELinux) is a Linux® security architecture that gives administrators more control over who can access what on a system. It was initially developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel, using the Linux Security Modules (LSM) framework.

In 2000, SELinux was released to the open-source community, and in 2003, it was integrated into the upstream Linux kernel.

How does SELinux work?

SELinux defines access controls for a system's applications, processes, and files. It enforces those controls through a security policy: a set of rules that tells SELinux what a given process may and may not access.

When an application or process, known as a subject, requests access to an object, such as a file, SELinux first consults the access vector cache (AVC), where recent access decisions for subject/object pairs are cached.

If the AVC holds no decision for that request, it is passed to the security server. The security server looks up the security context of the process and of the file in the loaded policy and decides whether the requested permission is allowed. The decision is cached in the AVC and the access is granted or denied.

If permission is denied, an "avc: denied" message is logged: to /var/log/audit/audit.log when auditd is running, otherwise to the kernel log (dmesg or /var/log/messages).

How to configure SELinux?

You can configure SELinux to protect your system in a variety of ways. The most common policies are targeted policy and multi-level security (MLS).

The default option is targeted policy, which confines a wide range of processes, tasks, and services while leaving the rest of the system unconfined. MLS is a complex policy that is typically used only by government agencies.

The /etc/selinux/config file (/etc/sysconfig/selinux is a symlink to it on Red Hat based systems) tells you what your system is supposed to be running. Its SELINUX= line shows whether SELinux is in permissive mode, enforcing mode, or disabled, and its SELINUXTYPE= line names the policy that is supposed to be loaded.

SELinux labeling and Type Enforcement

The essential concepts for SELinux are labeling and type enforcement.

SELinux functions as a labeling system, which means that every file, process, and port on the system carries an SELinux label. Labels are a logical way of categorizing things. On disk they are stored as an extended attribute of each file; the kernel loads the policy at boot and keeps track of the labels of running processes and open objects from then on.

Labels have the format user:role:type:level (the level is optional). The user, role, and level fields matter in the more advanced configurations such as MLS; under the targeted policy, the type field is the one that counts.

SELinux uses type enforcement to apply the system-defined policy. Type enforcement is the part of the policy that states whether a process running with one type may perform a given action on an object labeled with another type; any access the policy does not explicitly allow is denied.
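To tie the denial message from "How does SELinux work?" to the label format and type-enforcement rules just described, here is an added shell example that is not part of the original article. It takes an "avc: denied" record apart into subject type, permission, object type and class, reports whether the request was blocked or only logged, and prints the allow rule that would permit it. The two records are constructed for the example (the audit.log format is real, the hosts and inode numbers are made up); the function names are the example's own.

```shell
#!/bin/sh
# Take an "avc: denied" record apart to see the decision it records:
# which subject type asked for which permission on which object type and class,
# and whether the request was actually blocked or only logged (permissive mode).

# Constructed sample records in the audit.log format; they do not come from a real host.
SAMPLE_AVC='type=AVC msg=audit(1615554523.234:116): avc:  denied  { read } for  pid=1204 comm="httpd" name="index.html" dev="sda1" ino=13105 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
SAMPLE_AVC_PERMISSIVE='type=AVC msg=audit(1615554600.101:120): avc:  denied  { write } for  pid=1204 comm="httpd" name="upload" dev="sda1" ino=13200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1'

# avc_field RECORD KEY: print the value of KEY=value in RECORD, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms RECORD: print the permission names inside the { ... } braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# label_type LABEL: the type field of a user:role:type[:level] label.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_explain RECORD: the decision in one plain-words line.
avc_explain() {
    rec=$1
    if [ "$(avc_field "$rec" permissive)" = 1 ]; then
        outcome="logged only (permissive)"
    else
        outcome="blocked (enforcing)"
    fi
    printf '%s (%s) needs %s on %s (%s): %s\n' \
        "$(avc_field "$rec" comm)" \
        "$(label_type "$(avc_field "$rec" scontext)")" \
        "$(avc_perms "$rec")" \
        "$(label_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$outcome"
}

# avc_allow_rule RECORD: the type-enforcement rule that would permit exactly this access
# (the same shape audit2allow emits). Generating it is easy; deciding whether it belongs
# in policy is the real work: httpd_t being denied on user_home_t usually means the
# content is mislabeled and restorecon is the fix, not a new allow rule.
avc_allow_rule() {
    rec=$1
    printf 'allow %s %s:%s { %s };\n' \
        "$(label_type "$(avc_field "$rec" scontext)")" \
        "$(label_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$(avc_perms "$rec")"
}

avc_explain "$SAMPLE_AVC"
avc_explain "$SAMPLE_AVC_PERMISSIVE"
avc_allow_rule "$SAMPLE_AVC"
```

Run against a real audit log with `grep 'avc: *denied' /var/log/audit/audit.log | while read -r rec; do avc_explain "$rec"; done`. The permissive=1 record shows why the permissive boot described later is useful: the policy logs exactly what it would have blocked without blocking it.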

How to Enable SELinux

If SELinux is disabled in your environment, enable it by editing /etc/selinux/config and setting SELINUX=permissive. Do not set it to enforcing straight away: the system will most likely have mislabeled files, and enforcing a policy against them can keep the system from booting.

Creating an empty file named .autorelabel in the root directory and rebooting forces the system to relabel the whole filesystem automatically. Once everything has been relabeled, set SELinux to enforcing in /etc/selinux/config and reboot, or run setenforce 1. If the system produces too many errors, boot in permissive mode again so the boot succeeds, and resolve them before trying enforcing.
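The two-step procedure above, as an added shell example that is not from the original article: the functions take a root directory argument so they can be exercised against a scratch tree instead of a live host (on a real host the root is `/`, and you still reboot or run `setenforce 1` yourself). The config path, the `SELINUX=` line and the `.autorelabel` marker are the real ones; the function names and the optional denial-log check are the example's own.

```shell
#!/bin/sh
# The two-step enable procedure as functions over a root directory: step 1 switches the
# config to permissive and asks for a full relabel on the next boot; step 2 moves to
# enforcing only once the relabel marker is gone and, if a log is supplied, the
# permissive boot produced no denials.

CONFIG_REL=etc/selinux/config   # /etc/sysconfig/selinux is a symlink to this file

# selinux_config_get ROOT KEY: value of KEY=... in ROOT/etc/selinux/config (empty if absent).
selinux_config_get() {
    cfg="$1/$CONFIG_REL"
    [ -f "$cfg" ] || return 0
    sed -n "s/^$2=\([A-Za-z_]*\).*/\1/p" "$cfg" | tail -n 1
}

# selinux_config_mode ROOT: the configured mode; a missing line means disabled.
selinux_config_mode() {
    mode=$(selinux_config_get "$1" SELINUX)
    printf '%s\n' "${mode:-disabled}"
}

# selinux_config_set ROOT KEY VALUE: rewrite the KEY= line in place, or append one.
selinux_config_set() {
    cfg="$1/$CONFIG_REL"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q "^$2=" "$cfg"; then
        sed "s/^$2=.*/$2=$3/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$2" "$3" >> "$cfg"
    fi
}

# selinux_stage_enable ROOT: step 1. Returns 1 (and changes nothing) if SELinux is
# already permissive or enforcing.
selinux_stage_enable() {
    case $(selinux_config_mode "$1") in
        permissive|enforcing) return 1 ;;
    esac
    selinux_config_set "$1" SELINUX permissive
    touch "$1/.autorelabel"   # the relabel on the next boot removes this marker
}

# selinux_promote_enforcing ROOT [LOGFILE]: step 2. Refuses (returns 1) unless the
# system is configured permissive and the relabel marker has been consumed; refuses
# (returns 2) if LOGFILE still shows denials from the permissive boot.
selinux_promote_enforcing() {
    [ "$(selinux_config_mode "$1")" = permissive ] || return 1
    [ ! -e "$1/.autorelabel" ] || return 1
    if [ -n "$2" ] && grep -q 'avc: *denied' "$2"; then
        return 2
    fi
    selinux_config_set "$1" SELINUX enforcing
}
```

On a live host the sequence is `selinux_stage_enable /`, reboot, fix whatever the permissive boot logged, then `selinux_promote_enforcing / /var/log/audit/audit.log` followed by `setenforce 1` or a reboot. Refusing to promote while denials remain is the check that keeps step 2 from producing the unbootable system the text warns about.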

If a sysadmin is not comfortable with the command line, graphic tools for managing SELinux are available.

SELinux is a security layer built into many Linux distributions. It adds a layer of defense on top of the ordinary file permissions and should be left enabled so that it can contain the damage if the system is ever compromised.

Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

DAC has traditionally been used on Linux and UNIX systems. SELinux is an example of a Linux MAC system.

DAC assigns owners to files and processes: every file has an owning user and an owning group, with separate permission bits for the owner, the group, and everyone else, and users can change the permissions on their own files.

With a DAC system, the root user has complete access control. You can access any other user’s files or do whatever you want on the system if you have root access.

On MAC systems such as SELinux, by contrast, access is governed by an administrative policy that the file owner cannot override. Even if the DAC permissions on your home directory are loosened, an SELinux policy that denies other users or processes access to it still applies.

SELinux policies can be very specific and cover a large number of processes. They let you limit access between users, files, directories, ports, and other objects.

How to Resolve SELinux Errors

When you get an SELinux error, there is a problem to fix. It is most likely one of these four common issues:

  • The labels are wrong.

If your labeling is incorrect, fix the labels with the standard tools (for example, restorecon) rather than loosening the policy.

  • A policy needs to be fixed.

This could mean that you need to tell SELinux about a change you have made, or that a policy needs adjusting. Booleans or custom policy modules are the usual way to do that.

  • There is a bug in the policy.

The policy itself may contain a bug that needs to be reported and fixed.

  • The system has been broken into.

Although SELinux can protect your systems in many situations, a system can still be compromised, and an unexpected denial is sometimes the first sign of it. Take action right away if you suspect this is the case.

What are SELinux booleans?

In SELinux, booleans are on/off switches for optional parts of the policy. Hundreds of them are predefined, so common adjustments can be made without writing any policy. Running getsebool -a lists every boolean with its current state, and setsebool -P changes one persistently.
