Introduction
Today we’re going to talk about SELinux (Security-Enhanced Linux). For the newcomer, SELinux can be daunting to set up, but it is a good introduction to a different way of managing access control on your systems. More and more we hand companies our data, and the onus is on the developers and operators of those systems to protect it from growing threats. So we’re going to show you how to enable and work with SELinux as a security-conscious developer (and say a little about AppArmor).
Proceed with caution, though: SELinux and AppArmor are mandatory access control (MAC) systems (more on that later), and a wrong policy or a wrong label can lock you out of your own system. If you’re interested in learning a bit more about SELinux and MAC, read on.
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that gives administrators finer control over what each process may access. It was originally developed by the United States National Security Agency (NSA) as a set of patches to the Linux kernel, and it is implemented through the Linux Security Modules (LSM) framework.
SELinux was released to the open-source community in 2000 and was integrated into the upstream Linux kernel in 2003.
How does SELinux work?
SELinux defines access controls for the applications, processes, and files on a system. It enforces a security policy: a set of rules that tell the kernel which accesses are allowed. Anything the policy does not explicitly allow is denied.
When an application or process (the subject) requests access to an object such as a file, SELinux first checks the access vector cache (AVC), where recent decisions for subject/object pairs are cached.
If the AVC has no entry for the request, it goes to the security server in the kernel. The security server looks up the security context (label) of the process and of the file in the loaded policy and decides whether to grant or deny the access. The decision is cached in the AVC and returned.
If permission is denied, an “avc: denied” message is logged: in /var/log/audit/audit.log when auditd is running, otherwise in /var/log/messages (or the systemd journal).
How to configure SELinux
There are several ways to configure SELinux to protect your system. The most common policy types are targeted and multi-level security (MLS).
The targeted policy is the default. It confines a defined set of system services and daemons (the “targets”) while everything else runs in an unconfined domain. MLS adds sensitivity levels and compartments, can be very complicated, and is typically only used by government and military organizations.
You can see which mode and policy your system is configured to boot with by looking at /etc/selinux/config (on Fedora and RHEL-based systems /etc/sysconfig/selinux is a symlink to it). The SELINUX= line says whether SELinux should be permissive, enforcing, or disabled, and the SELINUXTYPE= line names the policy to load. The file describes the configured state; the running state is what getenforce and sestatus report, and the two can differ until the next reboot.
SELinux labeling and type enforcement
Type enforcement and labeling are the most important concepts for Security-Enhanced Linux.
SELinux works as a labeling system: every file, process, and port on the system has an SELinux label (its security context). Labels are a logical way of grouping things that should be treated alike. File labels are stored on disk in the security.selinux extended attribute, and the kernel assigns labels to processes, sockets, and ports according to the policy.
Labels have the format user:role:type:level (the level, or MLS/MCS range, is present only when the policy supports it). User, role, and level matter mainly in more advanced configurations such as MLS. For the targeted policy, the type field is what matters most.
SELinux uses type enforcement to apply the policy loaded on the system. Type enforcement is the part of an SELinux policy that defines whether a process running in a given type (its domain) may perform a given operation (a permission on an object class, such as read on a file) on an object labeled with a given type.
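As an added example (not code from the original article), here is a small shell script that splits a context into its fields and simulates the type-enforcement lookup against a constructed rule table. The rules, the HTTPD context and the function names are illustrative; the real decision is made by the kernel against the compiled policy, not by anything like this.

```shell
#!/bin/sh
# Added example, not from the original article: split a security context into
# its fields and simulate a type-enforcement lookup against a small constructed
# rule table. The rules below are illustrative, not the distribution's policy.

# Field accessors for a context such as system_u:object_r:httpd_sys_content_t:s0.
# cut keeps working for a three-field context that has no level.
context_user()  { printf '%s\n' "$1" | cut -d: -f1; }
context_role()  { printf '%s\n' "$1" | cut -d: -f2; }
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Constructed allow rules in SELinux policy-language form:
#   allow SOURCE_TYPE TARGET_TYPE:CLASS { PERMISSIONS };
TE_RULES='
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_rw_content_t:file { read write getattr open create };
allow httpd_t http_port_t:tcp_socket { name_bind };
'

# te_check SUBJECT_CONTEXT OBJECT_CONTEXT CLASS PERMISSION
# Exit status 0 if some rule allows the access, 1 if nothing does.
# Only the type field of each context is consulted, which is exactly what
# type enforcement does; user, role and level are ignored here.
te_check() {
    stype=$(context_type "$1")
    ttype=$(context_type "$2")
    class=$3
    perm=$4
    printf '%s\n' "$TE_RULES" | {
        while read -r kw src tgt rest; do
            [ "$kw" = allow ] || continue
            [ "$src" = "$stype" ] || continue
            [ "${tgt%%:*}" = "$ttype" ] || continue
            [ "${tgt#*:}" = "$class" ] || continue
            perms=${rest#*\{}       # strip up to and including '{'
            perms=${perms%%\}*}     # strip from '}' to the end
            for p in $perms; do
                [ "$p" = "$perm" ] && exit 0   # a matching rule grants the access
            done
        done
        exit 1                                 # no rule matched: default deny
    }
}

# te_decide prints granted/denied so the result can be read at a glance.
te_decide() {
    if te_check "$@"; then echo granted; else echo denied; fi
}

HTTPD=system_u:system_r:httpd_t:s0
# DAC might allow all three of these; type enforcement only allows the first.
te_decide "$HTTPD" system_u:object_r:httpd_sys_content_t:s0 file read    # granted
te_decide "$HTTPD" system_u:object_r:httpd_sys_content_t:s0 file write   # denied: rule has no write
te_decide "$HTTPD" unconfined_u:object_r:user_home_t:s0 file read        # denied: no rule for user_home_t
```

The third call is the case you will meet most often in practice: a file copied into the web root from a home directory keeps its user_home_t label, and the web server is denied even though the mode bits are world-readable.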
Enabling SELinux
If SELinux has been disabled in your environment, enable it by editing /etc/selinux/config and setting SELINUX=permissive. Because SELinux has not been running, you don’t want to go straight to enforcing: the filesystem will almost certainly contain files that are unlabeled or mislabeled, and those can keep the system from booting.
You can force the system to relabel the whole filesystem automatically by creating an empty file named .autorelabel in the root directory (touch /.autorelabel) and rebooting. Stay in permissive mode for that reboot so the relabel can complete even when it finds problems; if the boot produces many denials, fix them while still permissive. After everything has been relabeled and the system boots cleanly, set SELINUX=enforcing in /etc/selinux/config (so the change persists) and either reboot or run setenforce 1 to switch the running system immediately.
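The steps above as a script, added here as an example and not taken from the original article. CONFIG and ROOT default to the real locations, and the SELINUX_CONFIG and SELINUX_ROOT environment variables, the function names and the config contents used for a dry run are this example’s own assumptions; only setenforce and the reboot need a real SELinux system.

```shell
#!/bin/sh
# Added example, not from the original article: the enable-and-relabel steps
# as a script. CONFIG and ROOT default to the real locations; set SELINUX_CONFIG
# and SELINUX_ROOT to scratch paths for a dry run.
CONFIG=${SELINUX_CONFIG:-/etc/selinux/config}
ROOT=${SELINUX_ROOT:-/}

# config_mode FILE: the SELINUX= value (enforcing|permissive|disabled); comment
# lines are ignored and the last assignment wins. The regex does not match SELINUXTYPE=.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}
# config_policy FILE: the SELINUXTYPE= value (targeted|mls|minimum).
config_policy() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}
# set_config_mode FILE MODE: rewrite the SELINUX= line, refusing invalid modes.
# Writes through a temp file and cat so the config keeps its inode, owner and label.
set_config_mode() {
    case $2 in
        enforcing|permissive|disabled) ;;
        *) echo "set_config_mode: invalid mode '$2'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Steps 1 and 2: disabled -> permissive (never straight to enforcing), then
# request a full relabel on the next boot.
enable_permissive_and_relabel() {
    mode=$(config_mode "$CONFIG")
    if [ "$mode" != disabled ]; then
        echo "SELinux is configured '$mode', not disabled; nothing to do"
        return 0
    fi
    set_config_mode "$CONFIG" permissive || return 1
    : > "${ROOT%/}/.autorelabel"      # same effect as: touch /.autorelabel
    echo "config set to permissive and relabel requested; reboot now"
}

# Step 3, only after the relabel boot came up clean: make enforcing persistent
# and, where setenforce exists, switch the running kernel without another reboot.
go_enforcing() {
    set_config_mode "$CONFIG" enforcing || return 1
    if command -v setenforce >/dev/null 2>&1; then
        setenforce 1
    fi
}
```

Run enable_permissive_and_relabel, reboot, check the log for denials, and only then run go_enforcing; the function refuses to touch a system that is not actually configured as disabled, so it is safe to re-run.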
If a sysadmin is less familiar with the command line, there are graphical tools (for example system-config-selinux, packaged as policycoreutils-gui on Fedora and RHEL) that can be used to manage SELinux.
SELinux provides an additional layer of security that is built into many Linux distributions. It should stay enabled so that it can limit the damage if a service on your system is ever compromised.
So what is SELinux and what is a MAC Model?
SELinux began as a US National Security Agency project aimed at improving security in the Linux kernel (it was merged in the 2.6 series). You will already be familiar with discretionary access control, as it is the model used by most consumer operating systems: the owner of a file decides who may read or write it. In Linux that is the familiar owner/group/other mode bits (think of the times you have used chmod or chown), extended by POSIX access control lists (setfacl).
Mandatory access control, or MAC (not to be confused with Media Access Control), is different. The operating system decides access based on security labels and a policy that is managed centrally (by a security officer, which in practice is usually the system administrator), not by the user who created the file. On Linux, SELinux is the best-known implementation of this model.
Control is taken away from the user? Why would you want that? Many organizations deal with sensitive data, the military and government among them. Within a military organization, some information is reserved for specific individuals according to security labels (need to know, top secret, and so on), and the owner of a document is not allowed to hand it to whomever they like.
Discretionary access control (DAC) vs. mandatory access control (MAC)
Traditionally, Linux and UNIX systems have used DAC. Security-Enhanced Linux is an example of a MAC system for Linux.
With DAC, files and processes have owners. A file’s permissions are set separately for its owning user, its owning group, and everyone else, and users can change the permissions on their own files.
The root user bypasses DAC entirely. If you have root access, you can read any other user’s files and do whatever you want on the system.
On MAC systems like SELinux there is an administratively set policy around access on top of DAC. Even if the DAC permissions on your home directory are opened up, an SELinux policy that prevents another user or process (a web server, say) from reaching the directory will still deny the access. Both checks must pass: DAC is evaluated first, and SELinux is consulted only for accesses that DAC would allow.
SELinux policies let you be specific and cover a large number of processes. With SELinux you can limit access between users, files, directories, network ports, and more.
How to handle SELinux errors
When SELinux logs a denial there is something that needs to be addressed. It is usually one of these four problems:
- The labels are wrong. If the labeling is incorrect, fix the labels: restorecon resets a file to the label the policy expects, and chcon or semanage fcontext is used when a different label is intended.
- A policy needs adjusting. This could mean you need to tell SELinux about a change you’ve made (a non-standard port or directory, for instance), or you might need to adjust the policy itself. You can fix it with booleans (setsebool) or a local policy module (audit2allow, semodule).
- There is a bug in the policy. It could be that a bug exists in the distribution’s policy that needs to be reported and fixed.
- The system has been broken into. Although SELinux can protect your systems in many scenarios, a compromise is still possible, and an unexpected denial can be the first sign of it. If you suspect that this is the case, take action immediately.
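As an added example that is not part of the original article, the script below serves both the “avc: denied” message described earlier and this checklist: it pulls the subject type, target type, object class and permission out of a denial record and prints the commands for checking labels first, then booleans and rules, and a local module last. The record (in audit.log format, which carries the same avc: text that /var/log/messages shows), its pid and inode values, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: parse an "avc: denied" record
# and print the checks the four problem categories call for, in order.
# SAMPLE_AVC is constructed in audit.log format; it is not from a real system.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: the value of KEY=value, quotes removed.
# Splits on spaces, so it assumes values contain none (true for the fields used here).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}
# avc_perm RECORD: the permission list inside "denied { ... }", e.g. "read" or "read write".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}
# avc_type RECORD scontext|tcontext: the type field of that context.
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# avc_triage RECORD: one-line summary plus the commands to run, labels first,
# then booleans and rules, and a local policy module only as a last resort.
avc_triage() {
    rec=$1
    stype=$(avc_type "$rec" scontext)
    ttype=$(avc_type "$rec" tcontext)
    tclass=$(avc_field "$rec" tclass)
    perm=$(avc_perm "$rec")
    name=$(avc_field "$rec" name)
    echo "denied: $stype -> $ttype:$tclass { $perm } (comm=$(avc_field "$rec" comm))"
    if [ "$(avc_field "$rec" permissive)" = 1 ]; then
        echo "# permissive=1: the access went through this time but would be blocked in enforcing mode"
    fi
    echo "# 1. wrong label? compare the on-disk label with what policy expects for the path"
    case $tclass in
        file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
            echo "ls -Z <path to ${name:-target}>; matchpathcon <path>; restorecon -v <path>" ;;
        *)
            echo "(target class $tclass is not a filesystem object; check its label with the matching tool, e.g. semanage port -l)" ;;
    esac
    echo "# 2. policy rule or boolean missing?"
    echo "sesearch --allow -s $stype -t $ttype -c $tclass -p $(printf '%s' "$perm" | tr ' ' ',')"
    echo "getsebool -a | grep -i ${stype%_t}"
    echo "# 3. only if 1 and 2 do not explain it, build a local module and review it before loading"
    echo "ausearch -m avc -ts recent | audit2allow -M local_$stype"
}

avc_triage "$SAMPLE_AVC"
```

For the sample record the first check is the one that pays off: a file labeled user_home_t under the web root is a labeling mistake, and restorecon fixes it without touching policy. Reaching for audit2allow at step 1 would instead write a rule letting httpd_t read home directories, which is the kind of “fix” that turns a denial into a hole.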
Conclusion
In this article we covered what SELinux is, how labels and type enforcement work, how mandatory access control differs from the discretionary model you already know, how to enable SELinux safely, and how to approach denials when they appear. We hope you found it useful.