SELinux (Security-Enhanced Linux) is a Linux kernel security module that implements access control policies. Specifically, SELinux enforces Mandatory Access Control (MAC), which differs from the traditional Discretionary Access Control (DAC) model.
SELinux itself can be in one of three states: disabled, permissive, or enforcing.
| State | Description |
|---|---|
| disabled | No policy enforcement and no logging |
| permissive | No enforcement, but policy violations are logged |
| enforcing | Policy is enforced and unauthorized actions are blocked |
To change the state of SELinux persistently, modify `/etc/selinux/config`. We can also check the current operating mode with `getenforce`, or switch the operating mode without a reboot (and therefore only until the next one) with `setenforce [0 | 1]`.[^1]
File security context
SELinux keeps a security context for every file and directory, which can be seen with `ls -Z`. `restorecon` resets a file's context to the default defined by the loaded policy, while `chcon` changes a file's context by hand when necessary; a context set with `chcon` is not recorded in the policy, so a later relabel (or `restorecon`) will revert it.
`ls -Z` adds a column with each file's context label, which is made up of the SELinux user, role, type, and level.
The type is the most important field here, since it determines which policy rules SELinux applies to the file.
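As an added example (not from these notes), a POSIX shell script that reads the configured mode out of `/etc/selinux/config` text and checks `ls -Z` style labels for files whose type differs from an expected one, i.e. candidates for `restorecon`. The config and `ls -Z` lines are constructed, and `SAMPLE_CONFIG`, `SAMPLE_LS_Z` and the function names are assumptions of this example.

```shell
# Added example (not from the original notes): shell helpers for auditing
# SELinux state and file labels from text, so they run on constructed input.

# Parse the SELINUX= setting from /etc/selinux/config text read on stdin.
# Comment and blank lines are ignored; the last assignment wins.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# Print one field of a "user:role:type:level" context string.
# Field names match the parts ls -Z shows: user, role, type, level.
context_field() {
    ctx=$1; field=$2
    case $field in
        user)  n=1 ;;
        role)  n=2 ;;
        type)  n=3 ;;
        level) n=4- ;;   # an MLS range may itself contain ':' (s0-s0:c0.c1023)
        *) echo "unknown field: $field" >&2; return 1 ;;
    esac
    printf '%s\n' "$ctx" | cut -d: -f"$n"
}

# Read "context path" lines (the shape ls -Z prints) on stdin and print the
# paths whose type is not the expected one. If the expected type is what the
# policy defines for that directory, these are the files restorecon would fix.
label_drift() {
    expected=$1
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        [ "$(context_field "$ctx" type)" = "$expected" ] || printf '%s\n' "$path"
    done
}

# Constructed sample input (hypothetical values, not taken from a real host).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/style.css'

printf '%s\n' "$SAMPLE_CONFIG" | selinux_configured_mode            # enforcing
printf '%s\n' "$SAMPLE_LS_Z" | label_drift httpd_sys_content_t       # /var/www/html/upload.php
```

On a real host, feed `label_drift` the output of `ls -Z` for a directory and compare against the type the policy expects there; anything it prints is worth a `restorecon -v` to see what would change.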
System-wide config
`getsebool` is used to check the state of the booleans that switch parts of the SELinux policy on or off. We can set these booleans with `setsebool`.
Note: SELinux booleans are either on or off.
`semanage` is used to manage the policy with much finer granularity; it lets us add persistent file labels, port contexts, and so on.
Mandatory Access Controls (MAC)
Quote:

> Simply and succinctly, SELinux enforces Mandatory Access Controls (MACs) on Linux. In contrast to SELinux, the traditional user/group/rwx permissions are a form of Discretionary Access Control (DAC). MACs are different from DACs because security policy and its execution are completely separated.
>
> An example would be the use of the sudo command. When DACs are enforced, sudo allows temporary privilege escalation to root, giving the process so spawned unrestricted system-wide access. However, when using MACs, if the security administrator deems the process to have access only to a certain set of files, then no matter what kind of privilege escalation is used, unless the security policy itself is changed, the process will remain constrained to simply that set of files. So if sudo is tried on a machine with SELinux running in order for a process to gain access to files its policy does not allow, it will fail.
>
> Another set of examples are the traditional (-rwxr-xr-x) type permissions given to files. When under DAC, these are user-modifiable. However, under MAC, a security administrator can choose to freeze the permissions of a certain file, by which it would become impossible for any user to change these permissions until the policy regarding that file is changed.
Footnotes

[^1]: Note that `setenforce` only allows setting permissive (with `0`) or enforcing (with `1`). Disabling SELinux must be done via the config file.