Getting started with SELinux
Back in the era of kernel 2.6, a new security system was introduced to provide access control security policies. That system is Security Enhanced Linux (SELinux), contributed by the US National Security Agency (NSA). It adds a robust Mandatory Access Control (MAC) architecture to the Linux kernel.
If you disabled or ignored SELinux earlier in your Linux career, this article is for you: it is an introduction to the SELinux system that already exists under your Linux desktop or server. SELinux can restrict what a program is allowed to do and limit the damage that a vulnerable program or daemon can cause.
Before I start, you should know that SELinux is primarily used on Red Hat Linux and its derivative distributions. Ubuntu and SUSE (and their derivatives) use AppArmor instead, which differs significantly from SELinux. You can install SELinux on SUSE, openSUSE, Ubuntu, and other distributions, but doing so is a considerable challenge unless you are very proficient with Linux.
With that said, let me introduce SELinux.
DAC vs. MAC
Under Linux, the traditional access control model is Discretionary Access Control (DAC). In this model, a program or daemon runs with a user ID (UID) or set-owner-user-ID (SUID) and gets that user's permissions over its objects (files, sockets, and other processes). Malicious code that runs with those permissions can therefore reach whatever critical subsystems the user can reach.
Mandatory Access Control (MAC), on the other hand, confines processes according to mandatory rules about the confidentiality and integrity of information, so that the damage a compromised process can do is limited. This confinement is enforced independently of the traditional Linux security mechanisms and has no concept of a superuser.
How SELinux works
Consider the basic concepts of SELinux:
- Subjects
- Objects
- Policy
- Mode
When a subject (such as a program) tries to access an object (such as a file), the SELinux security server in the kernel checks the policy database. Depending on the current mode, if the security server grants the access, the subject can access the object; if it denies the access, a denial message (an AVC record) is written to /var/log/messages (or to /var/log/audit/audit.log when auditd is running).
It sounds relatively simple, doesn't it? In practice the process is more complex, but to keep this introduction simple, only the important steps are listed.
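To make the subject/object/decision model concrete, here is an added example in POSIX shell; it is not part of the original article. It parses the AVC denial records that SELinux logs and reports the subject type, the object type, the object class, the permission that was requested, and whether the access was actually denied or only logged because the system was in Permissive mode. The two AVC lines are constructed for illustration: the field names follow the standard AVC record layout, and the type names (httpd_t, user_home_t, mysqld_port_t) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: summarise AVC denial records.
# The records below are CONSTRUCTED for illustration (standard AVC layout;
# the type names httpd_t, user_home_t and mysqld_port_t are assumed).
AVC_ENFORCING='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC_PERMISSIVE='type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# avc_field RECORD KEY: print the value of KEY=value (quotes stripped), or nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission RECORD: print the permission(s) inside the braces, e.g. "read".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type (third colon-separated field) of a label
# such as system_u:system_r:httpd_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summarize RECORD: print "subject_type object_type class permission decision".
# decision is "denied" (Enforcing) or "logged-only" (Permissive: permissive=1
# means the access went ahead and was merely recorded).
avc_summarize() {
    rec=$1
    stype=$(context_type "$(avc_field "$rec" scontext)")
    ttype=$(context_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    perm=$(avc_permission "$rec")
    if [ "$(avc_field "$rec" permissive)" = 1 ]; then
        decision=logged-only
    else
        decision=denied
    fi
    printf '%s %s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perm" "$decision"
}

# Stand-alone run: summarise both constructed records.
for r in "$AVC_ENFORCING" "$AVC_PERMISSIVE"; do
    avc_summarize "$r"
done
```

On a real host you would feed it the live records instead, for example `grep 'avc:  denied' /var/log/audit/audit.log | while IFS= read -r line; do avc_summarize "$line"; done`. The permissive field is the one to watch: a denial line that ends in permissive=1 is a policy gap that was exercised, not an access that was stopped.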
Mode
SELinux has three modes, which can be set by the administrator. The mode determines how SELinux responds to a request. The modes are:
- Enforcing: the SELinux policy is enforced, and access is granted or denied to the subject according to the policy rules
- Permissive: the SELinux policy is not enforced, so access is never actually denied, but every access the policy would have denied is logged
- Disabled: SELinux is turned off completely
Figure 1: The getenforce command shows that SELinux is enabled.
By default, SELinux on most systems is set to Enforcing. How do you find out the current mode of your system? With one simple command: getenforce. It is about as simple as a tool gets, because all it does is report the SELinux mode. Open a terminal window and run getenforce. The command returns Enforcing, Permissive, or Disabled (see Figure 1 above).
Setting the SELinux mode is also quite simple, depending on the mode you want. Remember: disabling SELinux is never recommended. Why? While SELinux is disabled, files created on disk are not labeled (or are labeled incorrectly), so when you re-enable it you must relabel the filesystem (for example by creating the file /.autorelabel and rebooting) to fix them. In addition, you cannot change the mode at runtime on a system that was booted with SELinux disabled; setenforce only switches between Enforcing and Permissive. Your best choices are Enforcing or Permissive.
You can change the SELinux mode for subsequent boots in the /etc/selinux/config file. To set the mode of the running system from the command line, use the setenforce tool. To set Enforcing mode, follow these steps:
- Open a terminal window
- Run su and enter the root password
- Run setenforce 1
- Run getenforce to confirm that the mode has been set correctly (Figure 2)
Figure 2: Set The SELinux mode to Enforcing.
To set the mode to Permissive, do the following:
- Open a terminal window
- Run su and enter the root password
- Run setenforce 0
- Run getenforce to confirm that the mode has been set correctly (Figure 3)
Figure 3: Set SELinux mode to Permissive.
Note: setting the mode with setenforce affects only the running system. It does not modify the SELinux configuration file, and the mode set in that file applies again at the next boot.
If you prefer to set the mode in the SELinux configuration file, open /etc/selinux/config in your favorite editor and find this line:
SELINUX=permissive
Set the value to enforcing, permissive, or disabled according to your preference and save the file. The change takes effect at the next boot.
There is also a third method of changing the SELinux mode, through the bootloader (the enforcing=0 and selinux=0 kernel command-line parameters), but I do not recommend it for new users.
Policy type
There are two SELinux policy types:
- Targeted: only specific network daemons (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, and syslogd) are confined; everything else runs unconfined
- Strict: full SELinux confinement for all processes
You can set the policy type in the /etc/selinux/config file. Open the file in your editor and find this line:
SELINUXTYPE=targeted
Change this option to targeted or strict to suit your needs. Note that the chosen policy must be installed on the system, and switching policy types requires a full filesystem relabel at the next boot.
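The two ways of setting the mode described above (setenforce for the running system, /etc/selinux/config for the next boot) and the SELINUXTYPE setting in this section all meet in the same file, and the running state and the file can silently disagree. The following POSIX shell script is an added example, not part of the original article: it reads the SELINUX and SELINUXTYPE keys from configuration text on standard input and compares the configured mode with the running mode, so that a permissive setenforce someone left behind, or an enforcing setenforce that will be lost at reboot, shows up as drift. The sample configuration is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: detect drift between the
# running SELinux mode and the mode that /etc/selinux/config will apply at
# the next boot. SAMPLE_CONFIG below is CONSTRUCTED for illustration.

# selinux_config_get KEY: read config text from stdin and print the lowercase
# value of KEY (SELINUX or SELINUXTYPE). Comment lines never match because the
# key must start the line; the last assignment wins, as it does for the file.
selinux_config_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# selinux_mode_check RUNNING_MODE < config: compare the live mode (as printed
# by getenforce) with the configured one.
# Exit status: 0 = same, 1 = drift, 2 = configured value is not a valid mode.
selinux_mode_check() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_get SELINUX)
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo "config-error: SELINUX=$configured"; return 2 ;;
    esac
    if [ "$running" = "$configured" ]; then
        echo "ok: $running (next boot: $configured)"
        return 0
    fi
    echo "drift: running=$running next boot=$configured"
    return 1
}

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Stand-alone run: the file says enforcing, but someone ran "setenforce 0".
printf '%s\n' "$SAMPLE_CONFIG" | selinux_mode_check Permissive || :
# Which policy type the file selects.
printf '%s\n' "$SAMPLE_CONFIG" | selinux_config_get SELINUXTYPE
```

On a real host, run it against the live values: `selinux_mode_check "$(getenforce)" < /etc/selinux/config`. A non-zero exit status is what you would alert on from a configuration check, since a box that reports Enforcing today but has SELINUX=permissive in the file will quietly stop enforcing at its next reboot.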
Check the complete SELinux status
There is a handy SELinux tool that gives you a detailed status report for a system with SELinux enabled. Run it in a terminal like this:
sestatus -v
You can see the output as shown in Figure 4.
Figure 4: Output of the sestatus -v command.
Only scratching the surface
As you might expect, this has only been an introduction to SELinux. SELinux is a genuinely complex system, and to understand how it works and how to make it work better for your desktop or server, you will need to dig deeper. I have not covered troubleshooting or creating custom SELinux policies.
SELinux is a powerful tool that every Linux administrator should know. Now that I have introduced it, I strongly recommend that you return to Linux.com (