
SELinux

What is SELinux? And everything about it.

Today, we’re going to talk about SELinux – Security-Enhanced Linux. SELinux may be daunting to set up for the everyday layperson, but it is a good introduction to different ways to manage access control to your systems. We increasingly give companies our precious data, and the onus should be placed on developers to protect this data from growing cybersecurity threats. So we will show you how to implement SELinux for the security-conscious developer (and talk a little on AppArmor).

Proceed cautiously, though – SELinux and AppArmor are MAC (mandatory access control) mechanisms (more on that later), and you run the risk of locking yourself out of your system. If you want to learn more about SELinux and MAC, read on.

Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).

SELinux was released to the open-source community in 2000 and integrated into the upstream Linux kernel in 2003.

How does SELinux work?

SELinux defines access controls for system applications, processes, and files. It uses security policies, sets of rules that tell Security-Enhanced Linux what can and cannot be accessed, and permits only the access a policy allows.

When an application or process, known as a subject, requests to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.

If SELinux cannot decide access based on the cached permissions, it sends the request to the security server, which checks the security context of the app or process and the file. A security context is applied from the SELinux policy database. Permission is then granted or denied.

If permission is denied, an “avc: denied” message will be available in /var/log/messages.

How to configure SELinux

There are several ways to configure SELinux to protect your system. The most common are the targeted policy and multi-level security (MLS).

The targeted policy is the default option and covers a range of processes, tasks, and services. MLS can be very complicated and is typically only used by government organizations.

You can also see which mode your system is supposed to be running in by looking at the /etc/sysconfig/selinux file. The file has a section showing whether SELinux is in permissive mode, enforcing mode, or disabled, and which policy is supposed to be loaded.

SELinux labeling and type enforcement

Type enforcement and labeling are the most important concepts for Security-Enhanced Linux.

SELinux works as a labeling system, meaning that all of the files, processes, and ports in a system have an associated SELinux label. Labels are a logical way of grouping things. The kernel manages the labels during boot.

Labels are in the format user:role:type:level (level is optional). User, role, and level are used in more advanced implementations of SELinux, such as MLS. The type field of the label is the most important factor in a targeted policy.

SELinux uses type enforcement to enforce a policy defined on the system. Type enforcement is part of a Security-Enhanced Linux policy that defines whether a process running with a certain type can access a file labeled with a certain type.

Enabling SELinux

If SELinux has been disabled in your environment, you can enable it by editing /etc/selinux/config and setting SELINUX=permissive. Since SELinux was not previously enabled, you don’t want to set it to enforcing right away, because the system will likely have mislabeled files that can keep it from booting.

You can force the system to automatically relabel the filesystem by creating an empty file named .autorelabel in the root directory and then rebooting. If the system has too many errors, you should reboot while in permissive mode for the boot to succeed. After everything has been relabeled, set Security-Enhanced Linux to enforcing in /etc/selinux/config and reboot, or run setenforce.
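The enable-and-relabel steps above as a script, an added example that is not from the original post: the config file and root directory are passed as arguments so the steps can be rehearsed on a scratch copy before being run against /etc/selinux/config and /.

```shell
#!/bin/sh
# Added example (not from the original post): the enable-and-relabel steps
# written against a config file and root directory given as arguments.

# Rewrite the SELINUX= line (enforcing|permissive|disabled), leaving
# SELINUXTYPE= and comments untouched. Writing through the existing file
# keeps its owner, permissions and its own SELinux label.
set_selinux_mode() {
  cfg=$1
  mode=$2
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo "set_selinux_mode: mode must be enforcing, permissive or disabled" >&2; return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Print the mode the file will apply at the next boot.
get_selinux_mode() {
  sed -n 's/^SELINUX=//p' "$1"
}

# Create the empty flag file .autorelabel in the given root directory (/ on a
# real system) so the whole filesystem is relabeled on the next boot.
request_relabel() {
  : > "$1/.autorelabel"
}

# Rehearsal on a constructed config in a scratch directory; on a real host the
# arguments would be /etc/selinux/config and /, followed by a reboot.
SCRATCH=$(mktemp -d)
printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$SCRATCH/config"
set_selinux_mode "$SCRATCH/config" permissive
request_relabel "$SCRATCH"
echo "configured mode: $(get_selinux_mode "$SCRATCH/config")"   # permissive
```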

If a sysadmin is less familiar with the command line, graphical tools can be used to manage Security-Enhanced Linux.

SELinux provides an additional layer of security for your system built into Linux distributions. It should remain on to protect your system if it is ever compromised.

So, what is SELinux, and what is a MAC Model?

SELinux is a US National Security Agency project to improve security in the Linux kernel (specifically, kernel 2.6.x). You will already be familiar with Discretionary Access Control, as it is the system employed by most consumer operating systems: file permissions are determined by the creator/user. In Linux, this is the ‘Access Control List’—think about times when you have used chmod or sudo to assign read or write permissions.

Mandatory Access Control, or MAC (not to be confused with Media Access Control), is different. The operating system determines access based on a security label (access rules can be managed by a security officer, usually a single system administrator), not the user who created the file. For Linux, this system exists as Security-Enhanced Linux.

The user’s control is taken away! Why on Earth would you want that?! Many organizations, such as the military or government, deal with sensitive data. Within a military organization, some information is reserved for specific individuals with associated security labels (need to know, top-secret, etc.).

Discretionary access control (DAC) vs. mandatory access control (MAC)

Traditionally, Linux and UNIX systems have used DAC. Security-Enhanced Linux is an example of a MAC system for Linux.

With DAC, files and processes have owners. A file has a user owner, a group owner, and “other”, which is everyone else. Users can change the permissions on their own files.

A DAC system has complete access control for the root user. With root access, you can access any other user’s files or do whatever you want on the system.

However, on MAC systems like Security-Enhanced Linux, access is governed by an administratively defined policy. Even if the DAC settings on your home directory are changed, an SELinux policy that prevents another user or process from accessing the directory will keep the system safe.

SELinux policies let you be specific and cover a large number of processes. With Security-Enhanced Linux, you can make changes to limit access between users, files, directories, and more.

How to handle SELinux errors

When you get an error in SELinux, something must be addressed. It is likely one of these four common problems:

  1. The labels are wrong. If your labeling is incorrect, you can use the SELinux tools to fix the labels.
  2. A policy needs to be fixed. This could mean that you need to inform SELinux about a change you’ve made, or you might need to adjust a policy. You can fix it using booleans or policy modules.
  3. There is a bug in the policy. The policy itself may contain a bug that needs to be reported and fixed.
  4. The system has been broken into. Although Security-Enhanced Linux can protect your systems in many scenarios, the possibility of a compromised system still exists. If you suspect this, take action immediately.
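An added example (not from the original post) tying together the “avc: denied” messages described earlier and the first two categories above: it pulls the source type, target type, class and permissions out of denial lines (the type is the third field of a user:role:type:level label) and says whether to look at labels or at policy first. The sample log lines are constructed, and the default_t/unlabeled_t rule is a heuristic assumed by this example.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "avc: denied" lines
# and sort each denial into the post's first two categories.

# Print "source_type target_type class permissions" for every denial on stdin.
# A context is user:role:type:level, so the third colon-separated field of
# scontext= / tcontext= is the type that the targeted policy decides on.
avc_fields() {
  sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# Heuristic used by this example (an assumption, not a rule from the post):
# a target still labelled default_t or unlabeled_t was never given its
# intended label, so the fix is relabeling rather than a policy change.
avc_triage() {
  case "$1" in
    default_t|unlabeled_t) echo "labels: relabel the path (restorecon -Rv PATH)" ;;
    *) echo "policy: check a boolean (getsebool -a) or build a module (audit2allow)" ;;
  esac
}

# One line per denial: who -> what, and which category to look at first.
avc_report() {
  avc_fields | while read -r src tgt cls perms; do
    printf '%s -> %s (%s: %s)  %s\n' "$src" "$tgt" "$cls" "$perms" "$(avc_triage "$tgt")"
  done
}

# Constructed sample lines (not real logs): one mislabel case, one policy case.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read write } for  pid=1234 comm="httpd" name="site.db" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_AVC" | avc_report
```

The same functions work on real input with, for example, `grep 'avc: *denied' /var/log/messages | avc_report`.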

Conclusion

In this article, we discussed SELinux and everything about it. We hope you enjoyed it.