Introduction to SELinux

Source: Internet
Author: User

If you have disabled or ignored SELinux in your previous Linux career, this article is written specifically for you. It is an introduction to the SELinux system that exists on your Linux desktop or server, which can restrict permissions and reduce, or even eliminate, the damage a vulnerable program or daemon can cause.

Back in the kernel 2.6 era, a new security system was introduced to provide a mechanism for access control security policies. This system is Security-Enhanced Linux (SELinux), contributed by the U.S. National Security Agency (NSA), and it brings a robust mandatory access control (MAC) architecture to the subsystems of the Linux kernel.

Before I start, you should know that SELinux is primarily a tool on Red Hat Linux and its derivative distributions. Ubuntu and SUSE (and their derivative distributions) use AppArmor in a similar role. There is a significant difference between SELinux and AppArmor. You can install SELinux on SUSE, openSUSE, Ubuntu, and so on, but it is an incredible challenge unless you are very proficient in Linux. With that said, let me introduce you to SELinux.

DAC vs. MAC

The traditional access control standard on Linux is discretionary access control (DAC). In this form, a program or daemon runs as a user ID (UID) or set-owner user ID (SUID) and holds that user's permissions on objects (files, sockets, and other processes). This makes it easy for malicious code running with specific permissions to gain access to critical subsystems.

Mandatory access control (MAC), on the other hand, enforces the separation of information based on confidentiality and integrity in order to limit damage. The confinement unit operates independently of the traditional Linux security mechanisms and has no concept of a superuser.

How SELinux works

Consider the relevant SELinux concepts:

    • Subjects
    • Objects
    • Policy
    • Mode

When a subject (such as a program) attempts to access an object (such as a file), the SELinux Security Server (in the kernel) runs a check against the policy database. Based on the current mode, if the SELinux Security Server grants permission, the subject can access the object. If the SELinux Security Server denies permission, a denial message is logged in /var/log/messages.

It sounds relatively simple, doesn't it? The process is actually more complex, but to keep this introduction simple, only the important steps are listed.
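As an added illustration (not part of the original article), the shell function below summarises denial records of the kind logged to /var/log/messages, pulling out the subject's domain, the requested permissions, and the object's type and class. The function names and sample lines are constructed for this example, and the record layout assumed is the kernel's usual "avc: denied" message format.

```shell
#!/bin/sh
# Added example: summarise SELinux denial records from a log.

# Read log text from the named files (or stdin) and print one line per denial:
#   <subject domain> {<permissions>} <object type>:<object class> <mode>
# <mode> comes from the permissive= field of the record: "permissive" means the
# access was logged but allowed; "unknown" means the field is absent.
avc_summary() {
    awk '/avc: +denied/ {
        perm = subj = obj = cls = ""; mode = "unknown"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Permissions are the words between the braces.
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? "" : perm ",") $j
            } else if ($i ~ /^scontext=/) {
                split($i, p, ":"); subj = p[3]   # user:role:TYPE:level
            } else if ($i ~ /^tcontext=/) {
                split($i, p, ":"); obj = p[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            } else if ($i ~ /^permissive=/) {
                mode = (substr($i, 12) == "1") ? "permissive" : "enforcing"
            }
        }
        printf "%s {%s} %s:%s %s\n", subj, perm, obj, cls, mode
    }' "$@"
}

# Constructed sample lines in the kernel AVC message layout (not real logs).
sample_avc_log() {
    cat <<'EOF'
Mar 28 10:36:03 host kernel: type=1400 audit(1364481363.243:24287): avc:  denied  { read } for  pid=2465 comm="httpd" name="index.html" dev="dm-0" ino=399185 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
Mar 28 10:36:09 host kernel: type=1400 audit(1364481369.101:24290): avc:  denied  { read open } for  pid=2470 comm="httpd" path="/srv/data/report.txt" dev="dm-0" ino=401122 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Mar 28 10:36:10 host sshd[311]: Accepted publickey for admin from 192.0.2.10
EOF
}

# On a real host, run: avc_summary /var/log/messages
sample_avc_log | avc_summary
```

The second sample record carries permissive=1, so that access was logged but not blocked.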

Mode

SELinux has three modes (which the user can set). These modes specify how SELinux should respond to a subject's request. The modes are:

    • Enforcing: SELinux policy is enforced; a subject's access to an object is granted or denied based on SELinux policy rules
    • Permissive: SELinux policy is not enforced and access is not actually denied, but denial messages are written to the log
    • Disabled: SELinux is completely disabled

(Figure: the getenforce command reporting that SELinux is in Enforcing mode)

By default, SELinux is set to Enforcing on most systems. How do you know what mode your system is currently in? You can use a simple command to find out: getenforce. This command is incredibly simple to use (because it only reports the SELinux mode). To use it, open a terminal window and execute the getenforce command. The command returns Enforcing, Permissive, or Disabled.

Setting the SELinux mode is actually simple, depending on which mode you want to set. Remember: turning SELinux off is never recommended. Why? When you do, files on your disk may end up mislabeled, and you will have to relabel them to fix this. You also cannot change the mode of a system that was started in Disabled mode. Your best choices are Enforcing or Permissive.

You can change the SELinux mode from the command line or in the /etc/selinux/config file. To set the mode from the command line, use the setenforce tool. To set Enforcing mode, do the following:

1. Open a terminal window
2. Execute su and enter your administrator password
3. Execute setenforce 1
4. Execute getenforce to confirm the mode is set correctly

To set the mode to Permissive, do this:

1. Open a terminal window
2. Execute su and enter your administrator password
3. Execute setenforce 0
4. Execute getenforce to confirm the mode is set correctly

Note: Setting the mode through the command line overrides the setting in the SELinux configuration file.

If you prefer to set the mode in the SELinux configuration file, open that file with your favorite editor and find this line:

SELINUX=permissive

You can set the mode according to your preference and then save the file.

There is a third way to modify the SELinux mode (via the bootloader), but I do not recommend that new users do so.
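Because setenforce overrides the configuration file only for the running system, the two can disagree. The following added example (not from the original article) reads the SELINUX= line from a config file and compares it with the mode reported by getenforce; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the configured and the running SELinux mode.

# Print the value of KEY (SELINUX or SELINUXTYPE) from a config file, lower-cased.
# Commented-out lines are ignored; if the key is repeated, the last one wins.
selinux_config_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$2" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = config file, $2 = runtime mode as printed by getenforce.
# Returns 0 when they agree, 1 on drift, 2 when the file has no valid mode.
selinux_mode_check() {
    configured=$(selinux_config_value SELINUX "$1")
    runtime=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid: SELINUX='$configured' in $1"; return 2 ;;
    esac
    if [ "$configured" = "$runtime" ]; then
        echo "ok: $runtime"
    else
        # The running mode was changed (e.g. with setenforce) and will
        # revert to the configured one at the next boot.
        echo "drift: configured $configured, running $runtime"
        return 1
    fi
}

# Constructed sample of /etc/selinux/config, not taken from a real host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Simulate the state after "setenforce 0"; on a real host pass
# /etc/selinux/config and "$(getenforce)" instead.
selinux_mode_check "$sample" Permissive || true
```

A drift result on a host that is configured as enforcing means someone ran setenforce 0 since the last boot, which is worth checking against the change log.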

Policy Type

There are two types of SELinux policies:

    • Targeted: only targeted network daemons (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, and syslogd) are protected
    • Strict: full SELinux protection for all processes

You can modify the policy type in the /etc/selinux/config file. Open this file with your favorite editor and find this line:

SELINUXTYPE=targeted

Modify this option to targeted or strict to suit your needs.

Check the full SELinux status

There is a handy SELinux tool that you can use to get a detailed status report of your SELinux-enabled system. Run this command in the terminal:

sestatus -v

You can see the output like this.

Just scratching the surface

As you'd expect, I have only scratched the surface of SELinux. SELinux is indeed a complex system; gaining a more solid understanding of how it works, and of how to make it work better for your desktop or server, requires more in-depth study. I have not covered troubleshooting or creating custom SELinux policies.

SELinux is a powerful tool that all Linux administrators should know about. Now that I have introduced you to SELinux, I highly recommend that you return to Linux.com (when there are more articles on this topic) or see the NSA SELinux documentation for a more in-depth guide.
