SELinux, a useful security mechanism

SELinux

Security-Enhanced Linux (SELinux) is a security mechanism implemented in the kernel and it provides Mandatory Access Control (MAC). The significance of SELinux lies in the fact that in its absence only traditional discretionary access control (DAC) methods like setting file permissions can only be used to set file access privileges among various users. In DAC it is easy to set access privileges and the Operating System will make the decision based on the access privileges that you have set for them. In MAC, the system decides, which subject can access specific data objects. It limits full privileges against those that are required to work and eliminates possible damages, which can occur during chances of getting compromised. This is particularly useful for those processes, which have the potential to get compromised, like in web servers. As SELinux is implemented within the kernel itself, no other individual applications are required to enable this security in the system.

CONTEXT

SELinux Context is the term that is used to describe the information that determines whether access to a file is allowed or not. The context represents user, type, role and range. Context can be viewed by the command ls -Z.

MODES

Enforcing, Permissive and Disabled are the three operating modes of SELinux. When SELinux- system runs with SELinux in enforcing mode, it means that SELinux policy is in effect and things that it doesn’t want to allow will not be allowed. When SELinux policy is enforced in the system, it denies access based on the policy rules that are set for them. In Permissive mode, this policy is not enforced and hence the access is not denied. The purpose of setting permissive SELinux policies is to allow a system to run with SELinux enabled while allowing all accesses that the applications are trying to do. But in the permissive mode the logs of accesses that would have been denied by set policies are kept audited. Denial messages are logged as AVC (Access Vector Cache).The Disabled mode completely disables SELinux policies and the system runs without this security feature. The /etc/selinux/config is the configuration file for SELinux. /etc/sysconfig/selinux file can be modified to change the default SELinux mode at boot time. In command line getenforce and setenforce can be used to change the operating modes. getenforce command can be used to view the current status of SELinux while setenforce command can be used with options 0 and 1 to set permissive and enforcing modes respectively. But these changes do not persist over system reboots.

BOOLEANS

An SELinux boolean is a single string that changes the way SELinux reacts. It can be used to obtain the functionality we need. getsebool command lists all booleans along with their current value. When you would toggle a boolean, it changes the active policy rules on a system. We can change SELinux booleans by using setsebool command along with which we can set the boolean on or off. The togglesebool command flips the current value set for a boolean. All these changes will be lost when SELinux policy is reloaded or when the system is rebooted. Persistent boolean changes can be made by adding -P option to the command setsebool. This command may take some time to get executed but the policy will be rebuilt and the requested value will be registered even after the system is rebooted. The command semanage boolean -l gives the entire list of booleans along with the description of what these booleans do and whether they are on or off.

SELinux sets limits on who gets access to what. It constraints the access of data, based on the rules that you configure for them. It is a far-reaching security enhancement, which we now require dealing with the complexity in managing our systems. Instead of waiting for any vulnerability to be discovered and then taken care, it is always better to protect our system services by defining clearly the limited ways in which they can be used.

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *