It is almost certain that everyone has heard of SELinux (or, more accurately, has tried to disable it), and some past experiences may even have left you biased against it. However, with the growing number of 0-day security vulnerabilities, it may be time to take a closer look at the eight-year-old Mandatory Access Control (MAC) system in the Linux kernel.
SELinux and Mandatory Access Control System
SELinux, short for Security Enhanced Linux, is an implementation of Mandatory Access Control (MAC), whose purpose is to explicitly specify the resources (files, network ports, etc.) that a process may access.
The purpose of a mandatory access control system is to strengthen the system's defence against 0-day attacks (attacks that exploit vulnerabilities not yet publicly disclosed). It is therefore not a substitute for a network firewall or ACLs, and the two do not duplicate each other's function.
For example, suppose Apache on the system is found to have a vulnerability that lets a remote user read sensitive files (such as /etc/passwd, to enumerate the system's existing users), but the Apache patch fixing this vulnerability has not yet been released. In this case SELinux can mitigate the vulnerability: because /etc/passwd does not carry a label that Apache is allowed to access, Apache's access to /etc/passwd will be blocked by SELinux.
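When SELinux blocks an access like the one above, the kernel writes an AVC record to the audit log, and reading that record is how an administrator confirms what was denied and why. The following parser is an added example, not code from the original article; the sample record is constructed here (the httpd_t and passwd_file_t types are the standard Fedora labels for Apache and /etc/passwd), and the field names follow the usual audit.log layout.

```python
import re

# Constructed sample AVC record: httpd blocked from reading /etc/passwd.
SAMPLE_AVC = (
    'type=AVC msg=audit(1308000000.123:456): avc:  denied  { read } for  '
    'pid=2045 comm="httpd" name="passwd" dev="dm-0" ino=131300 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0'
)

# verdict, the permission set in braces, then the key=value fields after "for".
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': ctx_type(fields.get('scontext', '')),  # the process domain
        'target_type': ctx_type(fields.get('tcontext', '')),  # the file's label
        'tclass': fields.get('tclass'),
        # permissive=0: the kernel really blocked the access (enforcing mode);
        # permissive=1: the access was only logged.
        'enforced': fields.get('permissive') == '0',
    }

def summarize(rec):
    """One-line human-readable summary of a parsed record."""
    action = 'blocked' if rec['enforced'] else 'logged only'
    return (f"{rec['comm']} ({rec['source_type']}) {action}: {' '.join(rec['perms'])} "
            f"on {rec['tclass']} '{rec['name']}' ({rec['target_type']})")

if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE_AVC)))
```

On a real system the same records can be pulled with `ausearch -m AVC` and fed to this parser line by line.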
Compared with other mandatory access control systems, SELinux has the following advantages:
- The control policy is queryable rather than invisible to the program.
- The policy can be changed on the fly, without restarting or stopping services.
- The policy can be used to control process initialization, inheritance, and program execution.
- The control scope covers file systems, directories, files, file descriptors, ports, message interfaces, and network interfaces.
So what is the impact of SELinux on system performance? According to a benchmark comparison made by Phoronix on Fedora 11 in 2009, enabling SELinux reduces system performance by only about 5%, and only in a few cases.
Does SELinux affect general desktop applications and program development? Originally, SELinux policies mainly targeted server environments. However, after eight years of widespread use, the current SELinux policy can meet both the security and convenience requirements of general desktop and development environments. Taking the just-released Fedora 15 as an example, the author built a complete entertainment environment (including several third-party native Linux games and Wine games) and a development environment (Android SDK + Eclipse); the default SELinux policy blocked something only when a Wine program ran for the first time, and with the graphical "SELinux Troubleshooter" the problem was solved with a click of a button.