In the coming weeks, we at the Linux Academy blog will be exploring SELinux, or Security-Enhanced Linux. SELinux gives users fine-grained control over access and permissions on their Linux servers and workstations. Today, we will explore the implications of using SELinux, before diving into SELinux policies and command-line options in part two.
SELinux is a kernel module written by the NSA and Red Hat that grants system owners extended access control, with a richer set of permissions for constraining which resources users and applications can access. Beyond the traditional “read, write, execute” permissions on a basic Linux system, SELinux gives administrators the ability to restrict linking, moving and appending to files, and more. Additionally, access control is defined using policies, which average users cannot alter, either purposely or accidentally.
At the most basic level, SELinux divides the operating system into two categories: subjects and objects. Subjects are processes and other “active” items, such as users and applications. Subjects can be trusted or untrusted. Objects, in contrast, are files, sockets, pipes, interfaces and other more static entities within the system. These objects are assigned a security context that governs who can use them and how they can be used.
Using a type enforcement model, SELinux gives every part of the operating system, from users to files to TCP ports, a label. The label determines which policies affect the file or application and provides a context for use. SELinux automatically assigns labels to the system, but the administrator can alter these as needed, and policy is written around these labels rather than the individual files. Additionally, SELinux allows for the creation of roles to use in role-based access control, wherein users can be associated with one or more roles and given access to one or more domain types as per the permissions granted for each assigned role. Collectively, this encourages users to take a path of “least privilege,” starting by denying all access and filtering in the appropriate users, files and applications based on the provided context.
SELinux is available on a number of Linux distributions, including Red Hat, Fedora, Hardened Ubuntu, Gentoo, Debian and others, although it is not enabled by default on all base versions of the listed distributions. For example, while Debian supports SELinux, default installs of Debian have SELinux turned off.
To see if SELinux is running on your system, use the getenforce command, which returns one of three possible SELinux modes: Enforcing, Disabled or Permissive. Enforcing means that SELinux is enabled and actively enforcing policy, whereas Disabled means SELinux is not running at all. Permissive mode monitors the system and produces warnings and logs related to policy, but does not enforce that policy. You may be surprised to learn that you have been using SELinux all along without knowing!
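An added example, not part of the original article: a shell check that compares the mode getenforce reports with the mode configured for the next boot, so that a host left in Permissive mode stands out. It assumes the boot-time setting is the SELINUX= line of /etc/selinux/config, a file this article does not cover; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the boot-time setting.

# Print the SELINUX= value, lowercased, from a file in /etc/selinux/config
# format. Commented-out lines and SELINUXTYPE= are ignored; if the key
# repeats, this example reports the last one (an assumption).
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the running mode, lowercased. A host without getenforce is reported
# as "disabled" (an assumption of this example).
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo disabled
    fi
}

# assess RUNTIME CONFIGURED: print a one-line finding. Exit status is 0 only
# when policy is enforced both now and at the next boot.
assess() {
    case "$1:$2" in
        enforcing:enforcing)
            echo "OK: enforcing now and at next boot"; return 0 ;;
        permissive:enforcing)
            echo "DRIFT: permissive now, enforcing configured for boot"; return 1 ;;
        enforcing:permissive|enforcing:disabled)
            echo "DRIFT: enforcing now, $2 configured for boot"; return 1 ;;
        permissive:*)
            echo "WEAK: policy violations are logged but not blocked"; return 1 ;;
        disabled:*)
            echo "OFF: SELinux is not running"; return 1 ;;
        *)
            echo "UNKNOWN: runtime='$1' configured='$2'"; return 2 ;;
    esac
}

# Demo on a constructed config file (not taken from a real host).
demo_cfg=$(mktemp)
printf '%s\n' '#SELINUX=disabled' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' >"$demo_cfg"
assess permissive "$(configured_mode "$demo_cfg")" || true
rm -f "$demo_cfg"
# On a real host:
#   assess "$(runtime_mode)" "$(configured_mode /etc/selinux/config)"
```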
Now that you are armed with a basic understanding of SELinux concepts, return next week to explore SELinux policy use in depth.