SELinux Introduction: Linux kernel Security

Source: Internet
Author: User
Tags: least privilege

Although SELinux has existed in the Linux kernel for nearly ten years, many administrators have left it alone for fear of the complexity of its configuration. Many Linux administrators simply disable SELinux on their servers to avoid having to configure it when installing applications, yet SELinux is a very useful tool for Linux security. Let us take a look at how it works and how to use SELinux policies and access control to protect a Linux server.

On Linux, SELinux implements the mandatory access control (MAC) security model. It does not replace the discretionary access control (DAC) of a standard Linux system; once SELinux is enabled, every operation that passes the DAC checks is additionally checked by the kernel against the SELinux policy.

Understanding the DAC and MAC Linux security models

Because SELinux is based on MAC, it is important to understand the shortcomings of DAC (the default Linux security model) and the advantages that MAC has over it.

In MAC mode, the administrator controls all interactions of software in the system. Following the principle of least privilege, applications and users have no permissions by default: every permission must be granted by the administrator as part of the system security policy. In DAC mode, a file belongs to its owning user, and that user has full control over it. Once an attacker compromises a user's account, the attacker can do anything to the files owned by that user. For example, after an attacker compromises an FTP server, every file owned by the FTP server account is fully under the attacker's control. Worse, if an application runs as root (as web and FTP services commonly do), the attacker gains full control over the entire operating system.

MAC mode places each application in a virtual "sandbox", allowing it to perform only the tasks it was designed for and that the security policy explicitly permits. For example, a web server may only be able to read the files the website publishes and listen on the specified network ports. Even if an attacker breaks into it, they cannot perform any activity not explicitly permitted by the security policy, even if the process runs as root.

Standard Unix permissions still exist in the system. When a file is accessed, the standard Unix permission check takes place before the SELinux policy check. If the standard permissions deny access, the access is refused outright and SELinux is never consulted. Only if the standard permissions allow access does SELinux step in and decide, based on the security context of the source process and of the target object, whether to allow or deny it.

Definition of subject and object in SELinux

There are two important concepts in the MAC security model: subject and object. The MAC (non-discretionary access control) framework lets you specify which interactions are permitted between every process (the subject) and the other parts of the system, such as files, devices, sockets, ports, and other processes (the objects). A security policy is defined for all processes and objects. The kernel enforces these controls, and the security decision is based on all available information, not just the user's identity. In this model, a process is granted only the permissions it needs to do its job. This follows the principle of least privilege, unlike the full-permission model of DAC.

For example, under DAC you normally rely on keeping your data in your home directory to protect it; a careless chmod command exposes it to everyone. Under MAC, a confined process (a web server, say) still cannot access those files, because the policy for its domain does not grant access to the home-directory type; if it needs access, the policy itself must be changed.

SELinux security policy: strict and targeted

SELinux follows the principle of least privilege. By default, every action is denied. Policies are then added for each unit of the system (service, program, user, process) that allow it to perform its specific functions. If a service, program or user tries to access or modify a file or resource it does not need, the access is denied and the system records the denial in the log. Because SELinux runs in the kernel, applications need no special changes to work with it. When SELinux blocks an operation, the application simply receives an "access denied" error.
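The denials mentioned above are recorded as AVC records in the audit log (/var/log/audit/audit.log on audit-enabled systems). The following script, an added example that is not from the original page, parses such records and groups the denied permissions by source domain, target type and object class, which is the first thing a practitioner looks at before deciding whether a file is mislabelled or the policy needs a change. The audit lines are constructed here in the standard AVC record layout so that the script runs offline; the pids, inodes and file names are made up.

```python
"""Triage SELinux AVC denials from audit.log (added example, not from the page).

The sample records below are constructed in the standard audit AVC layout so
the script runs offline; in practice read /var/log/audit/audit.log instead.
"""
import re

# Constructed sample audit records (not real captures).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363289005.532:60): avc:  denied  { read } for  pid=3035 comm="httpd" name="hello.pl" dev=dm-0 ino=2359 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1363289005.540:61): avc:  denied  { getattr } for  pid=3035 comm="httpd" path="/home/alice/hello.pl" dev=dm-0 ino=2359 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1363289100.001:62): avc:  denied  { name_bind } for  pid=3035 comm="httpd" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1363289005.532:60): arch=c000003e syscall=2 success=no exit=-13 a0=1 a1=0 a2=0 a3=0 items=0 ppid=3030 pid=3035 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# "avc:  denied  { read write } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    if not line.startswith("type=AVC "):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "source_domain": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # files are reported by path or name, ports by src
        "target": fields.get("path") or fields.get("name") or fields.get("src"),
    }


def triage(log_text):
    """Group denials as (source domain, target type, class) -> set of permissions."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["source_domain"], rec["target_type"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return groups


if __name__ == "__main__":
    for (domain, ttype, tclass), perms in sorted(triage(SAMPLE_AUDIT_LOG).items()):
        print("%s -> %s (%s): %s" % (domain, ttype, tclass, " ".join(sorted(perms))))
```

In the constructed sample, httpd_t is denied read and getattr on user_home_t files, which is the classic mislabelled-content case (a file copied from a home directory rather than labelled httpd_sys_content_t), and name_bind on port_t for a port the web server domain is not allowed to listen on. Grouping the denials this way shows at a glance whether the fix is a relabel or a policy change.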

How SELinux's default targeted policy works:

Policy is one of the most important concepts in SELinux. The "strict" policy is the purest expression of the least-privilege model. SELinux supports many different policies. In CentOS 5 and RHEL the default policy is "targeted", and its main scope is the key system processes. In RHEL, more than 200 such objects exist (including httpd, named, dhcpd and mysqld). All other processes in the system run in an unconfined domain and are not affected by SELinux. The goal of the targeted policy is to run every process that is installed and started by default in a confined domain. The "targeted" policy aims to protect the most important processes as far as possible without seriously affecting the user experience; most users do not even notice that SELinux is running.

Another important concept is SELinux's access control. There are three kinds: Type Enforcement (TE), role-based access control (RBAC), and multi-level security (MLS). In the targeted policy, TE is the primary access control mechanism.

Understanding the SELinux security context

One important thing to understand about SELinux is that every process and file in the SELinux model has a SELinux security context. You can display it simply by adding the "-Z" option to ls or ps (for example, ls -Z file).

Most SELinux denials come down to the security context of the object involved. The security context has the format:

user:role:type:level (the last field is the multi-level security level). The level field is not displayed in the targeted policy on the system shown here. For example, for the file hello.pl, the user is root, the role is object_r, and the type is httpd_sys_content_t. In the targeted policy the most important field is the type, which is what Type Enforcement operates on.

Similarly, you can run "ps -Z" to list the security context of all running processes. For example:

  #ps -efZ | grep mail
  system_u:system_r:sendmail_t    root      2661     1  0 12:30 ?        00:00:00 sendmail: accepting connections
  system_u:system_r:sendmail_t    smmsp     2670     1  0 12:30 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue

The output above shows that the sendmail processes on this Linux server run in the domain (type) "sendmail_t".
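To see which processes the targeted policy actually confines and which run unconfined, a practitioner inventories the domains from "ps -efZ". The script below is an added example that is not from the original page: it splits each context into user, role, type and (optional) level, counts processes per domain, and lists the ones in an unconfined type. The sample output embeds the page's two sendmail lines plus constructed extra rows; the backup-agent and bash rows, and the assumption that unconfined_t and unconfined_service_t are the unconfined types, are mine, not the page's.

```python
"""Inventory process domains from `ps -efZ` output (added example, not from the page).

The page's own sendmail rows plus constructed extra rows are embedded so the
script runs offline; in practice pipe real `ps -efZ` output into parse_ps_z().
"""
from collections import Counter

# Constructed sample: the two sendmail lines from the page plus made-up rows.
SAMPLE_PS_OUTPUT = """\
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t        root         1     0  0 12:29 ?        00:00:01 init [3]
system_u:system_r:httpd_t       root      2401     1  0 12:30 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    2405  2401  0 12:30 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:sendmail_t    root      2661     1  0 12:30 ?        00:00:00 sendmail: accepting connections
system_u:system_r:sendmail_t    smmsp     2670     1  0 12:30 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
system_u:system_r:unconfined_t  root      2713     1  0 12:31 ?        00:00:00 /usr/local/bin/backup-agent
user_u:system_r:unconfined_t    alice     2800  2790  0 12:32 pts/0    00:00:00 -bash
"""

# Assumption: a process whose type is unconfined_t is not restricted by the
# targeted policy; newer releases also use unconfined_service_t for daemons
# without their own domain. Extend this set if your policy defines others.
UNCONFINED_TYPES = {"unconfined_t", "unconfined_service_t"}


def parse_context(ctx):
    """Split user:role:type[:level] into a dict. The level is optional: the
    system shown on the page does not display it, newer ones show e.g. s0."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": ":".join(parts[3:]) or None}


def parse_ps_z(text):
    """Return one dict per data row of `ps -efZ` (header row skipped)."""
    rows = []
    for line in text.splitlines():
        # columns: LABEL UID PID PPID C STIME TTY TIME CMD; CMD may contain spaces
        cols = line.split(None, 8)
        if len(cols) < 9 or cols[0] == "LABEL":
            continue
        rows.append({"context": parse_context(cols[0]), "uid": cols[1],
                     "pid": int(cols[2]), "cmd": cols[8]})
    return rows


def domain_report(text):
    """Count processes per domain and list those running unconfined."""
    rows = parse_ps_z(text)
    per_domain = Counter(r["context"]["type"] for r in rows)
    unconfined = [r for r in rows if r["context"]["type"] in UNCONFINED_TYPES]
    return per_domain, unconfined


if __name__ == "__main__":
    per_domain, unconfined = domain_report(SAMPLE_PS_OUTPUT)
    for domain, count in per_domain.most_common():
        print("%-20s %d" % (domain, count))
    for r in unconfined:
        print("unconfined: pid %d uid %s %s" % (r["pid"], r["uid"], r["cmd"]))
```

In the sample, httpd and sendmail are confined to their own domains, while the locally installed backup-agent daemon runs as root in unconfined_t, which is exactly the kind of process the targeted policy does not protect and that deserves a closer look.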

