Introduction to SELinux (100th Post!)
SELinux stands for Security-Enhanced Linux and was developed, in part, by the NSA. Eventually, SELinux was released under an open-source license and has made its way into a number of Linux distributions.
A lot of Linux users' knowledge of SELinux stops at knowing how to turn it off. While that is probably fine for a personal desktop or laptop, if your goal is to manage Linux in a commercial environment, you'll want to know how to manage it.
Traditional Linux security has always had what's referred to as a Discretionary Access Control (DAC) system, made up of 3 parts: User, Group, and Other. Each of these parts can have Read, Write, and/or Execute permissions for files and directories. With this, users and applications running in Linux may grant insecure permissions to other users and/or other applications. For example, a normal user account has the ability to set global read permissions on anything in that user's home dir, such as the .ssh dir, which is the default location for SSH keys. Or, since processes started by the user inherit that user's rights, a process like Thunderbird (an email client) could modify mail files so that they are globally readable. Put more simply, root or users with sudo access, by default, can do whatever they'd like on a system. What if one of those accounts gets hacked?
This is where SELinux comes in. Built to work in addition to the DAC described above, SELinux is a Mandatory Access Control (MAC) system. Since SELinux is built into the kernel (the core that everything is built on top of), specific applications such as Apache, MySQL or any of the GNU tools don't need to be modified in order for SELinux to work. SELinux has 3 modes of operation.
- Enforcing - This is the default setting. It's on and logging, and any configured security policies are enforced.
- Permissive - This means it's on and logging but isn't enforcing security policies.
- Disabled - Turned off.
To see a quick view of what SELinux is currently set to on your system, use the following command:
sestatus
You can use the commands below to temporarily (until the next reboot) set SELinux to either Enforcing or Permissive; getenforce, by contrast, only prints the current mode.
setenforce Enforcing
setenforce Permissive
If you want to change the mode permanently (well, reboot-persistently, rather), including disabling SELinux altogether, you can set the 'SELINUX=' line in the /etc/selinux/config file to either 'enforcing', 'permissive', or 'disabled'.
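As an added example that is not part of the original post, the script below inspects and changes the reboot-persistent mode in a config file of the same layout as /etc/selinux/config. The file path is a parameter, and a constructed sample copy is generated by make_sample_config, so it can be exercised without touching the real system file; the runtime mode still comes from getenforce, which is only consulted if the tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): read and rewrite the
# SELINUX= line of an /etc/selinux/config-style file. The path is passed
# in, so the functions can be run against a constructed copy.

# Print the configured mode (enforcing|permissive|disabled), ignoring
# comment lines and the unrelated SELINUXTYPE= line.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Validate a requested mode before writing it: a typo such as "enforcng"
# would otherwise be written out and leave the next boot in a mode you
# did not intend.
valid_selinux_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite the SELINUX= line, refusing unknown values. A temp file plus
# rename is used instead of sed -i so the edit is atomic and portable.
set_selinux_config_mode() {
    file=$1; mode=$2
    valid_selinux_mode "$mode" || { echo "invalid mode: $mode" >&2; return 1; }
    tmp="$file.tmp.$$"
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Runtime (non-persistent) mode, using the real tool when present.
current_runtime_mode() {
    command -v getenforce >/dev/null 2>&1 && getenforce || echo "getenforce not available"
}

# Constructed sample mirroring the layout of /etc/selinux/config.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
SELINUXTYPE=targeted
EOF
}

# Usage on the constructed copy (remove the rm line to keep the file):
# f=$(mktemp); make_sample_config "$f"; selinux_config_mode "$f"
# set_selinux_config_mode "$f" permissive; selinux_config_mode "$f"; rm -f "$f"
```

Pointing set_selinux_config_mode at the real /etc/selinux/config (as root) performs the edit the paragraph above describes; the mode only takes effect after a reboot, while setenforce changes the running mode immediately.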
SELinux abides by the idea of least privilege, so out of the box, nearly all actions not explicitly allowed by the policy result in an access denial, which is why a lot of people outside of enterprise environments simply turn it off. SELinux is designed so that security policies are interchangeable. A policy for SELinux can have what are referred to as targets, which confine specific system processes. For example, you may have an SELinux policy that only has HTTPD, NAMED, DHCPD and MYSQLD targeted. This means that all of the processes run by these daemons are confined by SELinux.
SELinux has 4 access-control methods for targeted policies:
- Type Enforcement (TE) - This allows SELinux to make security decisions based on what type of object requests the permissions. This could be a regular file, a directory, a process or a socket.
- Role-Based Access Control (RBAC) - RBAC is a common acronym when talking security. This assigns security permissions to objects in Linux based on what role they have, or what their job is within the server.
- Multi-Level Security (MLS) - This is almost identical to the way the US government classifies data: Unclassified, Confidential, Secret, and Top Secret.
- Multi-Category Security (MCS) - This is basically setting a category attribute. For example, you could say that a specific set of files and directories belongs in the Finance category. Or, that specific files and processes belong to the Development Team category.
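The four methods above correspond to the fields of every SELinux security context, which has the form user:role:type:level[:categories] (the user and role feed RBAC, the type feeds Type Enforcement, the sensitivity level feeds MLS and the categories feed MCS). As an added example that is not from the original post, the script below splits such a context into those fields and performs a simplified MCS category check for the Finance/Development scenario. The sample contexts are constructed; on a real system they come from ls -Z, ps -Z or id -Z. The mcs_dominates helper assumes comma-separated category lists only and does not handle c0.c1023-style ranges.

```shell
#!/bin/sh
# Added example (not from the original post): decompose an SELinux
# security context and apply a simplified MCS category check.

# Print one "name=value" line per field of a context string such as
# system_u:object_r:httpd_sys_content_t:s0 or staff_u:staff_r:staff_t:s0:c1,c5.
parse_selinux_context() {
    ctx=$1
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; rest=${rest#*:}
    # With no fourth field (policies without MLS support) the last
    # stripping step leaves rest unchanged, so there is no level at all.
    [ "$rest" = "$type" ] && rest=""
    # Everything after the type is the MLS/MCS range; for a "low-high"
    # range such as s0-s0:c0.c1023 the categories belong to the high end.
    level=${rest%%:*}
    cats=""
    case "$rest" in *:*) cats=${rest#*:} ;; esac
    printf 'user=%s\nrole=%s\ntype=%s\nlevel=%s\ncategories=%s\n' \
        "$user" "$role" "$type" "$level" "$cats"
}

# Convenience accessor: context_field CONTEXT user|role|type|level|categories
context_field() {
    parse_selinux_context "$1" | sed -n "s/^$2=//p"
}

# Simplified MCS rule (assumption: comma-separated categories, no ranges):
# a subject may access an object only if the subject's category set
# contains every category the object carries. An object with no
# categories is accessible to any subject.
mcs_dominates() {
    subj=$1; obj=$2
    IFS=','
    for c in $obj; do
        case ",$subj," in
            *",$c,"*) ;;
            *) unset IFS; return 1 ;;
        esac
    done
    unset IFS
    return 0
}

# Usage: a file labelled with the (constructed) Finance category c1 is
# readable by a process carrying c1,c5 but not by one carrying only c5.
# parse_selinux_context 'system_u:object_r:httpd_sys_content_t:s0'
# mcs_dominates 'c1,c5' 'c1' && echo allowed
# mcs_dominates 'c5' 'c1' || echo denied
```

The parse step is what tools like ls -Z display; reading the type field is usually the first thing to do when an access is denied, because Type Enforcement rules are written in terms of the subject's and object's types.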
SELinux is a relatively heavy topic in the Linux world and can seem very complex. There's a fair amount to it, but this was designed to be a simple introduction. To dive deeper, Google is your friend. Check out your vendor's documentation or the SELinux Project Wiki for more great information. I'll likely be doing my own deeper dives into specific tasks of working with SELinux. In the meantime, I hope you found this information beneficial.
(As I'm editing this to be published, I noticed that this is officially my 100th post. Due to my old job and school, I wrote a lot less last year but now that those are no longer factors, I can dedicate more time to my writing. I'm working on some material covering PHP, MySQL, Git, Powershell, Security and Networking so stay tuned. If there's anything specific you'd like to see covered.)