Table of contents of the article:
Overview
Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have greater control over who can access the system. It was originally developed by the US National Security Agency (NSA) as a patch series for the Linux kernel using Linux Security Modules (LSM).
SELinux, an acronym for Security-Enhanced Linux, represents an advanced collection of security patches developed for the Linux operating system kernel. Its main purpose is to provide hardened and specific access controls for a variety of services and applications operating within the system.
The genesis of SELinux lies in the projects initially led by United States National Security Agency. Following its release, SELinux quickly emerged as an essential and trusted element in the open source cybersecurity landscape. The main contribution of SELinux to the security of a Linux system is the implementation of a privilege limitation system. This system limits the impact that a given application can have on the overall functioning of the system, thus minimizing the overall damage that a potential security breach could cause.
Before delving into the specifics of how SELinux works, it is necessary to understand the concept of "correctness" in the context of computer science. Correctness is a term that describes how accurately a computer program produces expected results based on the system's specifications. To illustrate this concept, think of an application designed to open image files: if such an application can successfully open the image file as designed, it can be said to have a high degree of correctness. This concept can be extended to any program, application or function that operates within a computer system.
On a system that does not implement SELinux, overall security depends on the correctness of the kernel and that of any privileged applications. This means that if there are errors or failures in privileged applications or their configurations, the whole system could be put at risk. This is why it is not recommended to use a Linux kernel that lacks security modules, especially when the device is connected to the Internet.
In reverse, systems implementing SELinux rely for their security not only on the correctness of the kernel, but also on the correctness of the security policy configuration. This allows a system running SELinux to limit the effect of a compromised application, protecting the integrity of the entire system and allowing other applications to continue to function normally. In essence, SELinux implements a compartmentalized security policy, which prevents the propagation of a compromised application or other potential security vulnerabilities.
SELinux was introduced to the open source community in 2000 and was integrated directly into the Linux kernel in 2003, underscoring its importance in ensuring the security of a Linux system.
How does SELinux work?
SELinux, or Security-Enhanced Linux, is a powerful security tool that operates on the principle of assigning security labels, also called "contexts", to different elements within the operating system. These labels are assigned to functions, processes, users, files, network ports, and even hardware.
Each assigned label comprises a text string representing a username, role, and domain. Typically, the domain name portion plays the most critical role, as it is used to determine specific access controls. Similarly, files, network ports, and hardware have context assigned within SELinux, and each is given a name, role, and type.
This process of assigning security labels to files is called "tagging" and is determined by the policy file used. The policy file consists of three separate files: a mapping file, a rule file, and an interface file. These three files must be compiled into a single policy file using the SELinux toolset. This compiled policy file is then loaded into the system kernel, making the policy active.
Creating the policy file can be done manually or using a SELinux management tool. Once the policy file has been loaded into the system kernel, you can be confident that your system is adequately protected.
Most modern Linux operating systems, such as RHEL, CentOS, AlmaLinux or Rocky Linux have SELinux preconfigured. This means that, in most cases, users are not even aware that SELinux is working silently in the background to protect their system. In short, the reliable and unobtrusive nature of SELinux makes it a fundamental component of any modern Linux system.
The fundamental role of SELinux is the definition of access controls for applications, processes and files within the system. To this end, SELinux uses security policies, a set of rules that guide access to various system elements. These policies indicate what SELinux is allowed or denied.
When an application or process, referred to as a "subject", requests access to an "object" (for example, a file), SELinux checks permissions through a structure called the Access Vector Cache (AVC). ). This cache maintains permissions for subjects and objects to speed access control decisions.
How to configure SELinux
There are several ways you can configure SELinux to protect your system. The most common are targeted policies or multilevel security (MLS).
Targeted policy is the default option and covers a range of processes, activities and services. MLS can be very complicated and is typically only used by government organizations.
You can tell what your system should be running at by looking at the / etc / sysconfig / selinux file. The file will have a section showing whether SELinux is in permissive mode, enforced or disabled mode and which policy should be loaded.
SELinux Labeling and Type Enforcing
Type enforcement and labeling are the most important concepts for SELinux.
SELinux works as a labeling system, which means that all files, processes and ports in a system have an associated SELinux label. Labels are a logical way of grouping things together. The kernel manages the labels during boot.
The labels are in the format user: role: type: level (the level is optional). User, role, and level are used in more advanced SELinux implementations, such as with MLS. The type of etiquette is the most important for the targeted policy.
SELinux uses type enforcement to enforce a defined policy on the system. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file labeled with a certain type.
Enable SELinux
If SELinux has been disabled in your environment, you can enable SElinux by editing / etc / selinux / config and setting SELINUX = permissive. Since SELinux was not currently enabled, you do not want to immediately set it to enforcing as it is likely that your system has mislabeled items that can prevent your system from booting.
You can force the system to automatically relabel the filesystem by creating an empty file named .autorelabel in the root directory and then rebooting. If the system has too many errors, a reboot in permissive mode is required for the boot to be successful. After everything has been relabeled, set SELinux to enforcing with / etc / selinux / config and reboot, or run setenforce 1.
If a system administrator is less familiar with the command line, there are graphical tools available that can be used to manage SELinux.
SELinux provides an extra layer of security for your system embedded in Linux distributions. It should stay on so that you can protect your system in case of a compromise.
Discretionary Access Control (DAC) and Mandatory Access Control (MAC)
Traditional Linux and UNIX systems have heavily exploited the Discretionary Access Control (DAC) model. This access control model, rooted in the concept of file ownership, gives a user who owns a file or process the ability to determine who can access their data and how. In a DAC system, users can specify rules for accessing their files, with rules allowing access to another specific user, a group of users, or any other user on the system.
The root user on a Linux system with DAC has unlimited powers, with complete control over all files and processes. Being the system administrator, the root user can access, modify or delete the files of any other user, granting the potential to alter the whole system.
SELinux, on the other hand, implements a Mandatory Access Control (MAC) model. Unlike the DAC, where users have the power to decide access policies, in the MAC, access policies are set administratively and cannot be changed by non-privileged users. Even if a user changes the DAC settings on his home directory, for example, a MAC policy such as the one enforced by SELinux can still prevent access by another user or process. In this way, SELinux maintains a high degree of security regardless of user actions.
SELinux offers much finer granularity in access control than traditional DAC systems. SELinux policies can be extremely specific, allowing administrators to restrict or allow access to specific files, directories, network ports, and more, for individual users or processes. This ability to make precise changes is critical to ensuring the security of the entire system.
How to handle SELinux errors
When you encounter an error in SELinux, it usually indicates that something in your system is not working as it should and needs to be fixed. There are four common problems that could be the cause of an error in SELinux.
- The labels are wrong: SELinux uses a system of tagging, or "labelling", to manage access controls. If the labels are incorrect, errors may occur. For example, a file may not be accessible by an application due to incorrect labeling. In this case, you can use SELinux-specific tools, such as “restorecon” or “chcon”, to fix the labels.
- A policy needs to be adjusted: SELinux policies are a set of rules that determine how processes can interact with various parts of the system. If you've made a system change that hasn't yet been incorporated into SELinux policies, an error may occur. In this case, you can resolve the error by updating your policies. You can do this by using SELinux booleans, which allow you to enable or disable certain features, or by creating a custom policy module with the "audit2allow" tool.
- There is a bug in the policy: Despite the painstaking work of the development teams, SELinux policies can occasionally be buggy. A bug in a policy could cause unexpected behavior and generate errors. In this case, you may need to report the bug to the SELinux developer community for help fixing the problem.
- The system has been compromised: Despite the effectiveness of SELinux in protecting systems, there is always the possibility that a system will be compromised. If you suspect that your system has been compromised, it's important to take immediate action. The first step should be to disconnect the system from the network to prevent further damage. Next, you should conduct a forensic investigation to determine how the breach occurred and what steps should be taken to prevent future incidents. Remember, SELinux is a powerful defense tool, but cybersecurity requires a multi-layered approach.
What are Booleans?
Booleans are a core component of SELinux and are a key feature that allows for flexible customization of system security policies. They are essentially on/off, or “on/off” controls that allow you to adjust specific features of SELinux.
These booleans allow system administrators to change the behavior of SELinux without the need to manually write or edit security policies, thereby making system administration easier and less error prone. This is particularly useful in large-scale or complex environments, where detailed policy management may be overly burdensome.
There are hundreds of booleans available in SELinux, each of which controls a specific aspect of security policies. For example, there is a boolean that controls whether Apache scripts can connect to the network, another that controls whether DHCP servers can write to configuration files, and so on. Many of these booleans are predefined to reflect security best practices.
To view the booleans currently set on your system, you can use the “getsebool -a” command. This command will return a list of all SELinux booleans and their current settings (enabled or disabled).
You can change the setting of a boolean using the "setsebool" command, followed by the name of the boolean and the desired state. These changes can be temporary (that is, valid only until the next reboot) or persistent. Change persistence can be especially important for critical security settings that need to be kept constant over time.
In short, SELinux booleans offer a powerful and flexible way to customize the security settings of your Linux system, allowing you to balance the security needs with the operational ones of your environment.
Disable SELinux
SELinux is an important security tool in the Linux world, designed to offer precise control over the activities of processes in the system. However, there are situations where an administrator might consider disabling it. These situations include cases where SELinux interferes with specific applications, complicates system administration, or if the system environment is sufficiently isolated and protected by other security measures. Remember, however, that disabling SELinux can expose your system to security risks.
To disable SELinux on Red Hat-derived operating systems such as CentOS, AlmaLinux, RockyLinux, and Oracle Linux, you need to edit the /etc/selinux/config file. You will find a line that says “SELINUX=enforcing”. Change this line to "SELINUX=disabled". After saving and exiting the file, you will need to restart your system to apply the changes.
For Debian or Ubuntu based operating systems, SELinux is generally not installed or enabled by default, but if it has been installed and needs to be disabled, you can do so by editing the /etc/selinux/config file as described above, if present. If no such file exists, SELinux may have been enabled via the GRUB bootloader, if so, you will need to remove “selinux=1” and “security=selinux” from the GRUB configuration file.
Pro:
- Greater simplicity: SELinux can be complicated to maintain and configure correctly. By disabling it, you eliminate these complexities.
- Compatibility: Some applications may not work properly with SELinux, so disabling it may fix these problems.
Against:
- Reduced Security: SELinux offers a very high level of security, so disabling it can make your system more vulnerable to various forms of attacks.
- Non-compliance: If you work in an environment that requires compliance with certain security regulations, disabling SELinux could lead to a non-compliance.
Disabling SELinux should be a last resort after trying to fix existing problems through policy tuning and using booleans. Before disabling SELinux, it is important to understand the possible security implications for your system.
Conclusion
SELinux, short for Security-Enhanced Linux, is a powerful security mechanism that has made significant improvements to the security of the Linux system, making it a staple in the open source computer security environment. Originally implemented by the National Security Agency, SELinux enforces strict access controls for a wide variety of services and applications, effectively limiting privileges and mitigating potential system damage.
Through the use of security policies, contexts, and booleans, SELinux provides granular control over access to system resources. Despite its complexity and initial learning curve, using SELinux can provide a superior level of security for Linux systems. It is important to note that while there are instances where disabling SELinux might be attempted, this should be considered as a last resort, as it significantly reduces system security.
In conclusion, SELinux is an essential tool for any system administrator concerned with security. Despite its complexity, with proper understanding and administration, SELinux can provide an effective additional layer of defense for Linux systems, significantly increasing the overall security robustness of the system. In light of today's cyberthreat landscape, tools like SELinux are proving increasingly vital to protecting our cyber infrastructures.
