Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have greater control over who can access the system. It was originally developed by the US National Security Agency (NSA) as a patch series for the Linux kernel using Linux Security Modules (LSM).
SELinux, short for Security-Enhanced Linux, consists of a series of security patches for the Linux kernel that enforce access controls for various services and applications. Based on projects originally developed by the National Security Agency, SELinux has quickly become a staple of open source cybersecurity. SELinux improves the security of a Linux system by limiting privileges and reducing the overall damage that a given application can cause to the system as a whole. Before discussing how SELinux works, it is important to explore the concept of correctness.
Correctness is a term used in computer science to describe how faithfully a given program behaves with respect to the results expected from the specification of the system. For example, an application designed to open an image file can be said to have a high level of correctness if it opens the image file as expected. This concept applies to any program, application or function used in a computer system.
In a system without SELinux, the security of the system depends on the correctness of the kernel as well as on the correctness of any privileged applications and their respective configurations. If there are faults within these areas, the entire system can be compromised. For this reason, it is not recommended to have a Linux kernel without any kind of security module, especially for devices connected to the Internet.
By comparison, SELinux systems depend on both the correctness of the kernel and the correctness of the security policy configuration. This ensures that although correctness or configuration errors can cause a compromised application, the entire system will not be affected and other applications can continue to function normally. Essentially, SELinux provides a compartmentalized security policy that prevents the spread of compromised applications and other security vulnerabilities.
SELinux was released to the open source community in 2000 and was integrated into the upstream Linux kernel in 2003.
How does SELinux work?
For SELinux to work, the system must first assign labels, also known as contexts, to its various components. Users and processes are assigned a text string consisting of a user name, a role, and a domain. Typically, the domain is the only part used to make access control decisions. Files, network ports, and hardware also have a context within SELinux and are assigned a user, a role, and a type.
The process of mapping files to a security context is called labeling and is defined by the policy in use. A policy source consists of three files: a file-context mapping file, a rules file, and an interface file. These three files must be compiled into a single policy module with the SELinux toolset and then loaded into the kernel to make it an active policy. Policy files can be created by hand or with the SELinux management tools. Once the policy has been loaded into the kernel, the system is protected by it.
By default, SELinux is preconfigured on most modern Linux operating systems such as Ubuntu, Debian or CentOS. This means that most of the time users are not even aware that SELinux is working behind the scenes to protect their system. In summary, SELinux's reliable and discreet nature makes it an essential part of any modern Linux system.
SELinux defines access controls for applications, processes and files on a system. It uses security policies, which are a set of rules that tell SELinux what it can and cannot access, to enforce the access allowed by a policy.
When an application or process, known as a subject, makes a request to access an object, such as a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.
If SELinux is unable to make an access decision based on the cached permissions, it sends the request to the security server. The security server checks the security context of the app or process and the file. The security context is enforced by the SELinux policy database. The authorization is then granted or denied.
If the permission is denied, an "avc: denied" message is recorded in /var/log/messages (or in the audit log, /var/log/audit/audit.log, when auditd is running).
How to configure SELinux
There are several ways you can configure SELinux to protect your system. The most common are targeted policies or multilevel security (MLS).
Targeted policy is the default option and covers a range of processes, activities and services. MLS can be very complicated and is typically only used by government organizations.
You can tell which mode your system is set to by looking at the /etc/sysconfig/selinux file. The file has a section showing whether SELinux should be in permissive, enforcing, or disabled mode, and which policy should be loaded.
SELinux Labeling and Type Enforcement
Type enforcement and labeling are the most important concepts for SELinux.
SELinux works as a labeling system, which means that all files, processes and ports in a system have an associated SELinux label. Labels are a logical way of grouping things together. The kernel manages the labels during boot.
The labels are in the format user:role:type:level (the level is optional). User, role, and level are used in more advanced SELinux implementations, such as MLS. The type field of the label is the most important one for the targeted policy.
SELinux uses type enforcement to enforce a defined policy on the system. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file labeled with a certain type.
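The "avc: denied" message described above and the user:role:type:level label format come together when you read a denial: the source and target contexts are embedded in the record, and the type field of each is what the targeted policy actually decided on. The following shell functions, an added example that is not part of the original article, pull those fields out of a single AVC record. The audit line is constructed for illustration (its process name, inode and contexts are made up), but the key=value layout follows the real audit AVC format.

```shell
#!/bin/sh
# Added example, not from the article. Parses one "avc: denied" audit record
# and extracts the SELinux type from the source and target contexts.
# AVC_SAMPLE is a constructed record in the real audit key=value layout.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of KEY=value with quotes stripped; empty if absent
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm LINE -> the permission names inside the braces, e.g. "read"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the third colon-separated field (the type);
# works whether or not the optional level is present
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type -> target_type (class: permissions)"
avc_summary() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s -> %s (%s: %s)\n' "$s" "$t" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# Stand-alone run: prints "httpd_t -> user_home_t (file: read)"
avc_summary "$AVC_SAMPLE"
```

Feeding real records from the audit log through avc_summary gives a compact "source type -> target type" view that makes it obvious which of the four causes listed later on the page (wrong label, missing policy, policy bug, or compromise) to investigate first: a web server type reaching for a home-directory type, as in the constructed sample, usually points at a mislabeled file rather than at a missing rule.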
If SELinux has been disabled in your environment, you can enable it by editing /etc/selinux/config and setting SELINUX=permissive. Because SELinux was not previously enabled, you do not want to switch straight to enforcing: your system very likely has mislabeled files that could prevent it from booting.
You can force the system to relabel the filesystem automatically by creating an empty file named .autorelabel in the root directory and then rebooting. If the system produces too many errors, a reboot in permissive mode is required for the boot to succeed. After everything has been relabeled, set SELinux to enforcing in /etc/selinux/config and reboot, or run setenforce 1.
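The configuration file read at boot, and the "permissive first, enforcing only after a relabel" sequence just described, are easy to get wrong with a typo that is only noticed at the next reboot. The following shell functions, an added example that is not part of the original article, parse a file in /etc/selinux/config format, reject values that are not valid SELinux modes or policy types, and report whether the system is in the state where switching to enforcing is reasonable (mode permissive, no .autorelabel marker still pending). The config content is constructed inline; the root directory argument is an assumption of this example so it can be exercised against a temporary directory instead of the real /.

```shell
#!/bin/sh
# Added example, not from the article. Checks an /etc/selinux/config-style
# file before a reboot. The file content below is constructed for the demo.
SELINUX_CONF=$(mktemp)
cat > "$SELINUX_CONF" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

# conf_value FILE KEY -> value of KEY=..., ignoring comment lines;
# the last assignment wins, and the result is empty if KEY is unset
conf_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# check_selinux_config FILE -> prints "ok: ..." and returns 0 only when both
# SELINUX and SELINUXTYPE hold values the kernel init scripts accept
check_selinux_config() {
    mode=$(conf_value "$1" SELINUX)
    ptype=$(conf_value "$1" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) printf 'bad SELINUX mode: "%s"\n' "$mode"; return 1 ;;
    esac
    case "$ptype" in
        targeted|mls) ;;
        *) printf 'bad SELINUXTYPE: "%s"\n' "$ptype"; return 1 ;;
    esac
    printf 'ok: mode=%s policy=%s\n' "$mode" "$ptype"
}

# ready_for_enforcing FILE [ROOT] -> 0 when the config is permissive and no
# .autorelabel marker is pending under ROOT (hypothetical parameter,
# defaults to /), i.e. the relabel step has already been completed
ready_for_enforcing() {
    root=${2:-/}
    [ "$(conf_value "$1" SELINUX)" = permissive ] && [ ! -e "$root/.autorelabel" ]
}

# Stand-alone run: prints "ok: mode=permissive policy=targeted"
check_selinux_config "$SELINUX_CONF"
```

Run check_selinux_config against the real /etc/selinux/config before rebooting; a misspelled mode such as "enforcng" is caught here rather than at boot, and ready_for_enforcing answers the "did the relabel already happen?" question the procedure above depends on.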
If a system administrator is less familiar with the command line, there are graphical tools available that can be used to manage SELinux.
SELinux provides an extra layer of security for your system embedded in Linux distributions. It should stay on so that you can protect your system in case of a compromise.
Discretionary Access Control (DAC) and Mandatory Access Control (MAC)
Traditionally, Linux and UNIX systems have used DAC. SELinux is an example of a MAC system for Linux.
With DAC, files and processes have owners. A file can be owned by a user, by a group, or be accessible to others, which means anyone else. Users have the ability to change the permissions on their own files.
The root user has full access control with a DAC system. If you have root access, you can access any other user's files or do whatever you want on the system.
But on MAC systems like SELinux, there is an administratively established access policy. Even if the DAC settings on your home directory are changed, an SELinux policy that prevents another user or process from accessing the directory will keep the system safe.
SELinux policies allow you to be specific and cover a large number of processes. Changes can be made with SELinux to restrict access between users, files, directories, and more.
How to handle SELinux errors
When you get an error in SELinux, there is something that needs to be fixed. Chances are it is one of these four common problems:
- The labels are wrong. If the labeling is incorrect, you can use the tools to correct the labels.
- A policy needs to be set. This could mean that you need to notify SELinux of a change you have made, or that you need to adjust a policy. You can fix it using booleans or policy modules.
- There is a bug in the policy. The policy itself may contain a bug that needs to be addressed.
- The system was hacked. Although SELinux can protect your systems in many scenarios, there is still a possibility of a system being compromised. If you suspect this is the case, take action immediately.
What are Booleans?
Booleans are on/off settings for features in SELinux. There are hundreds of settings that can turn SELinux features on or off, and many are already predefined. You can find out which booleans are currently set on your system by running getsebool -a.