SELinux, or Security Enhanced Linux, is an implementation of the linux kernel intended to provide finer-grained access controls to system functionality. Originally designed to improve the security of the Flask operating system, SELinux confines users to the minimum amount of privileges needed to get a job done.
SELinux uses mandatory access control (MAC) instead of the much simpler discretionary access control (DAC) which used to be default for Linux. MAC is performed using role-based access control.
A role may be performed by a subject (user, program or process). In the execution of such role-based action the subject needs specific control access rights to access, create, delete, modify or control objects (files, directories, database tables etc.). Objects are assigned requirements while subjects are granted permissions. Only when requirements meet the permissions the OS will allow a role to be executed.
A set of securityrules is called a policy. SELinux policies can act in one of three ways
- enforced, effectively blocking any operation that does not conform to the policy in use
- permissive, any non-conforming action will result in warning and be logged but not prevented.
- disabled, SELinux will be disabled altogether.
Apart from the SELinux status (enforced/permissive) it is possible to limit the scope of the policy by setting SELUXTYPE=targeted in /etc/selinux. When set to strict instead of targeted any action will be guarded by SELinux instead of only a limited networking subset.
- sestatus retrieve current SELinux status
- setenforce set enforcing of policy between enforced=1 and permissive=0
- semanage manage SELinux policies
- star backup utility enabled for backup of SELinux security attributes