SELinux

From LQWiki
Jump to: navigation, search

SELinux, or Security Enhanced Linux, is an implementation of the linux kernel intended to provide finer-grained access controls to system functionality. Originally designed to improve the security of the Flask operating system, SELinux confines users to the minimum amount of privileges needed to get a job done.

Implementation

SELinux uses mandatory access control (MAC) instead of the much simpler discretionary access control (DAC) which used to be default for Linux. MAC is performed using role-based access control.

A role may be performed by a subject (user, program or process). In the execution of such role-based action the subject needs specific control access rights to access, create, delete, modify or control objects (files, directories, database tables etc.). Objects are assigned requirements while subjects are granted permissions. Only when requirements meet the permissions the OS will allow a role to be executed.

A set of securityrules is called a policy. SELinux policies can act in one of three ways

  • enforced, effectively blocking any operation that does not conform to the policy in use
  • permissive, any non-conforming action will result in warning and be logged but not prevented.
  • disabled, SELinux will be disabled altogether.

Fedora

Using Fedora all SELinux configuration is found in /etc/selinux. Configuration may be handled using the Red Hat/Fedora utility system-config-securitylevel

Apart from the SELinux status (enforced/permissive) it is possible to limit the scope of the policy by setting SELUXTYPE=targeted in /etc/selinux. When set to strict instead of targeted any action will be guarded by SELinux instead of only a limited networking subset.

related files/commands

  • star backup utility enabled for backup of SELinux security attributes

External Links