Introduction to SELinux (100th Post!)

-
SELinux stands for Security Enhanced Linux and was developed, in part, by the NSA. Eventually, SELinux was released under open-source license and has made it's way into a number of Linux distributions.

A lot of Linux users' knowledge of SELinux stops at knowing how to turn it off. While probably fine for a personal desktop or laptop, if your goal is to manage Linux in a commercial environment, you'll want to know how to manage it.

Traditional Linux security has always had what's referred to as Discretionary Access Control (DAC) system and is made up of 3 parts: User, Group, and Other. Each of these parts can have Read, Write, and/or Execute permissions for a files and directories. With this, Users and applications running in Linux may grant insecure permissions to other users and/or other applications. For example, a normal user account has the ability to set global read permissions on anything in that user's home dir, such as the .ssh dir, which is the default location for SSH keys. Or, since processes started by the user inherit that user's rights, a process like Thunderbird (an email client) could modify mail files so that they are globally readable. Put more simply, root or users with sudo access, by default, can do whatever they'd like on a system. What if one of those accounts gets hacked?

This is where SELinux comes in. Built to work in addition to the DAC described above, SELinux is a Mandatory Access Control (MAC) system. Since SELinux is built into the kernel (the core that everything is built on top of), specific applications such as Apache, MySQL or any of the GNU tools don't need to be modified in order for SELinux to work. SELinux has 3 modes of operation.
  • Enforcing - This is the default setting. It's on, logging and any configured security policies will be enforced.
  • Permissive - This means it's on and logging but isn't enforcing security policies. 
  • Disabled - Turned off. 
To see a quick view of what SELinux is currently set to on your system, use the following command:

sestatus

You can use the command below to temporarily set SELinux to either Enforcing or Permissive.

getenforce

If you want to disable SELinux altogether permanently (well, reboot-persistent, rather),You can modify the 'SELINUX=' line in the /etc/selinux/config file for either 'enforcing', 'permissive', or 'disabled'.

SELinux abides by the idea of least-privilidge, so out of the box, nearly all actions will result in an access-denied, which is why a lot of people outside of enterprise environments simply turn it off. SELinux is designed so that security policies can be interchangable. A policy for SELinux can have what are referred to as targets, which confines specific system processes. For example, you may have an SELinux policy that only has HTTPD, NAMED, DHCPD and MYSQLD targeted. This means that the all of the processes run by these daemons are enforced by SELinux. 

SELinux has 4 access-control methods for targeted policies:
  • Type Enforcement (TE) - This allows SELinux to make security decisions based on what type of object requests the permissions. This could be a regular file, a directory, a process or a socket. 
  • Role-Based Access Control (RBAC) - RBAC is a common acronym when talking security. This assigns security permissions to objects in Linux based on what role they have, or what their job is within the server. 
  • Multi-Level Security (MLS) - This is almost identical to the way the US goverment classifies data. Unclassified, Confidential, Secret, and Top Secret. 
  • Multi-Category Security (MCS) - This is basically setting a category attribute. For example, you could say that a specific set of files and directories belongs in the Finance category. Or, that specific files and processes belong to the Development Team category. 
SELinux is a relatively heavy topic in the Linux world and can seem very complex. There's a fair amount to it, but this was designed to be a simple introduction. To dive deeper, Google is your friend. Check out your vendor's documentation or the SELinux Project Wiki for more great information. I'll likely be doing my own deeper dives into specific tasks of working with SELinux. In the meantime, I hope you found this information beneficial.

(As I'm editing this to be published, I noticed that this is officially my 100th post. Due to my old job and school, I wrote a lot less last year but now that those are no longer factors, I can dedicate more time to my writing. I'm working on some material covering PHP, MySQL, Git, Powershell, Security and Networking so stay tuned..If there's anything specific you'd like to see covered.)

Comments

Post a Comment

Popular posts from this blog

Installing CentOS 7 on a Raspberry Pi 3

-
Image
The Raspberry Pi is awesome. If you're like me, you bought one to tool around with for educational purposes. You can run Kodi or gaming console emulators on it or you can combine some together for a tiny OpenStack cluster. At, $50-$60, they're easy on the wallet and running off of 5v USB power makes them pretty energy efficient. Sure, it's only a 1Ghz ARM processor which limits your OS choices but I'd rather have a Pi than running an old Dell PowerEdge or HP Proliant that I bought off of Craigslist. Instead of installing the usual Raspbian OS, this guide is on installing CentOS 7. However, the process described below is relatively universal to whatever OS you want to install on your Pi.
Read more

Modifying the Zebra F-701 & F-402 pens

-
Image
I've been carrying a pen as part of my (mostly) every-day-carry, or EDC, for a couple years now. I bought the Zebra F-701 and after a few other pen purchases, the 701 is still my favorite of all. At first, I just wanted a pen that looked nice and for the moments I needed to sign something. I recall attending meetings when I worked at the university where the attendees were asked to sign-in on the attendance sheet: I tended to be the only one that didn't have a pen so I felt unprepared when I had to ask one of the other attendees if I could borrow theirs. Once I started college, I found myself using a pen much more often, so it had to be comfortable, relatively inexpensive (nice pens can cost hundreds of dollars), and still stylish enough to live in the pocket of a dress shirt.
Read more

How to fix DPM Auto-Protection failures of SQL servers

-
For longer than I care to admit, my DPM server has had the same error every night about an auto-protection failure on one of my SQL servers. I've looked into it before but never came away with anything useful until recently. I've finally found information on how to fix this annoying issue. The Advanced Information link in the error will tell you to make sure WMI is in a good state on the machine. The error itself isn't very descriptive. It'll look something like "DPM could not enumerate SQL Server instances using Windows Management Instrumentation on the protected computer $serverFQDN."
Read more