Sunday, 1 November 2015

What is SELinux

SELinux
SELinux (Security Enhanced Linux) is a Mandatory Access Control system built on Linux's LSM (Linux Security Modules) interface. In practice, the kernel queries SELinux before each system call to know whether the process is authorized to do the given operation.
SELinux uses a set of rules — collectively known as a policy — to authorize or forbid operations. Those rules are difficult to create. Fortunately, two standard policies (targeted and strict) are provided to avoid the bulk of the configuration work.


Policies
Policy - A set of declarations and rules, telling the SELinux core in the kernel what is permitted and how to behave in different situations.

  • Targeted policy - A policy based upon the paradigm that only a few selected applications should be restricted by SELinux. All other activity relies on good old UNIX security.
  • Strict policy - A policy which attempts to control all activity with SELinux.


Do I have SELinux?
If you have a /selinux directory with something in it, SELinux is loaded in the kernel. Also try the sestatus command:
$ sestatus | grep -i mode
Current mode:                   enforcing
Mode from config file:          enforcing
Note: SELinux is enabled and in enforcing mode.


What is SELinux actually doing?
SELinux is loaded in the kernel and performs three ongoing tasks, based upon the rules loaded from user space (i.e. the Policy):

  • Grant or deny access permission to processes requesting to perform an action on objects.
  • Grant or deny permission for context changes of objects and processes.
  • Decide what context to give to new objects and processes at their creation.

SELinux permissions are given on top of classic UNIX permissions. An action will take place only if both permissions are granted.

Enabling or Disabling Enforcement
You can enable and disable SELinux enforcement at runtime or configure it to start in the correct mode at boot time, using the command line or GUI. SELinux can operate in one of three modes:

  • Disabled: meaning not enabled in the kernel.
  • Permissive: meaning SELinux is running and logging but not controlling permissions.
  • Enforcing: meaning SELinux is running and enforcing policy.

Use the setenforce command to change between permissive and enforcing modes at runtime. Use setenforce 0 to enter permissive mode; use setenforce 1 to enter enforcing mode.
$ setenforce 1
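Because setenforce only changes the runtime mode, a host configured to boot enforcing can silently be running permissive until the next reboot. The following added example (not part of the original post) parses sestatus output and flags that mismatch; the sestatus text embedded here is a constructed sample, and on a real host you would pass "$(sestatus)" instead.

```shell
#!/bin/sh
# Constructed sample of `sestatus` output (not captured from a real host).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31'

# Print the value of one "Key:   value" line from sestatus output.
# $1 = sestatus text, $2 = key (without the trailing colon)
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# Classify a host from its sestatus output. Prints one of:
#   disabled          - SELinux is not enabled in the kernel
#   enforcing         - enforcing at runtime and in the config file
#   permissive        - permissive at runtime and in the config file
#   drift:<cur>/<cfg> - runtime mode differs from the boot configuration
#                       (e.g. `setenforce 0` was run on an enforcing host)
selinux_state() {
    status=$(sestatus_field "$1" "SELinux status")
    [ "$status" = "enabled" ] || { echo disabled; return; }
    cur=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$cur" = "$cfg" ]; then
        echo "$cur"
    else
        echo "drift:$cur/$cfg"
    fi
}

# Stand-alone run against the constructed sample; on a live system use:
#   selinux_state "$(sestatus)"
printf 'policy: %s\n' "$(sestatus_field "$SAMPLE_SESTATUS" "Loaded policy name")"
printf 'state:  %s\n' "$(selinux_state "$SAMPLE_SESTATUS")"
```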

SELinux configurations from GUI
You can configure all of these settings using system-config-selinux. The same configuration files are used, so changes appear bidirectionally. Use the following procedure to change a runtime boolean using the GUI.
Note: Administrator privileges are required to perform this procedure.

  • On the System menu, point to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box.
  • Click the SELinux tab, and then click Modify SELinux Policy.
  • In the selection list, click the arrow next to the Name Service entry, and select the Disable SELinux protection for named daemon check box.
  • Click OK to apply the change. Note that it may take a short time for the policy to be reloaded.

