SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are sets of rules that tell SELinux what can or cannot be accessed, to enforce the access allowed by the policy.
When an application or process, known as a subject, makes a request to access an object, such as a file, SELinux checks with the access vector cache (AVC), where permissions for subjects and objects are cached.
If SELinux cannot make an access decision based on the cached permissions, it sends the request to the security server. The security server checks the security context of the application or process and of the file. The security context is applied from the SELinux policy database. Permission is then granted or denied.
If permission is denied, an "avc: denied" message is logged in /var/log/messages.
How to configure SELinux
There are several ways to configure SELinux to protect your system. The most common are the targeted policy and multi-level security (MLS).
Targeted policy is the default and covers a wide range of processes, tasks, and services. MLS can be very complicated and is usually only used by government organizations.
You can tell what your system is supposed to be running by looking at the /etc/sysconfig/selinux file. The file has a section that shows whether SELinux is in permissive mode, enforcing mode, or disabled, and which policy is supposed to be loaded.
SELinux labeling and type enforcement
Type enforcement and labeling are the most important concepts for SELinux. SELinux works as a labeling system, which means that every file, process, and port on the system has an SELinux label associated with it.
Labels are a logical way to group things together. The kernel manages the labels during boot.
Labels are formatted as user:role:type:level (the level is optional). User, role, and level are used in more advanced implementations of SELinux, such as MLS. The type label is the most important for the targeted policy.
SELinux uses type enforcement to enforce a policy defined in the system. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file tagged with a certain type.
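The denial message and the label format described above come together when you read an AVC denial: the scontext is the subject's label, the tcontext is the object's label, and the type component of each is what the type enforcement rule was checked against. The following POSIX sh helper is an added example, not part of the original article; the AVC line it parses is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): decode an AVC denial so the
# subject type, object type, permission and object class are visible at a glance.
# Works on lines as they appear in /var/log/messages or audit.log.

# Constructed sample denial: httpd_t (the web server) tried to read a file
# labeled user_home_t while SELinux was enforcing (permissive=0).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of a space-delimited KEY=value field.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# label_type LABEL: the type component of a user:role:type:level label.
label_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission set inside "{ ... }", comma-separated.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p' | tr ' ' ','
}

# avc_summary LINE: "<perms> <subject type> <object type> <class> <enforced|permissive>"
# A permissive=1 denial was logged but not blocked, which is what you see
# while running in permissive mode before switching to enforcing.
avc_summary() {
  line=$1
  if [ "$(avc_field "$line" permissive)" = "1" ]; then mode=permissive; else mode=enforced; fi
  printf '%s %s %s %s %s\n' \
    "$(avc_perms "$line")" \
    "$(label_type "$(avc_field "$line" scontext)")" \
    "$(label_type "$(avc_field "$line" tcontext)")" \
    "$(avc_field "$line" tclass)" \
    "$mode"
}

# Stand-alone run on the constructed sample; on a live system feed real lines:
#   grep 'avc:  denied' /var/log/messages | while IFS= read -r l; do avc_summary "$l"; done
avc_summary "$SAMPLE_AVC"
```

The summary line tells you which subject type was denied which permission on which object type, which is exactly the pair a type enforcement rule is written in terms of.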
Enabling SELinux
If SELinux has been disabled in your environment, you can enable SELinux by editing /etc/selinux/config and setting SELINUX=permissive. Because SELinux was not enabled until now, you don't want to set it to enforcing immediately, since the system is likely to have mislabeled files that could prevent it from booting.
You can force the system to automatically relabel the file system by creating an empty file named .autorelabel in the root directory and then rebooting. If the system has too many errors, you must reboot in permissive mode for the boot to succeed. After everything has been relabeled, set SELinux to enforcing in /etc/selinux/config and reboot, or run setenforce 1.
If a system administrator is less familiar with the command line, there are graphical tools available for administering SELinux.
SELinux provides an additional layer of security for your system that is built into Linux distributions. It should remain on so that it can protect your system if it is ever compromised.