Introduction

Security Enhanced Linux or SELinux is an advanced access control mechanism built into most modern Linux distributions. It was initially developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. Over time, SELinux was released in the public domain and various distributions have since incorporated it in their code.

SELinux is a series of kernel patches and utilities that enforce role-based security on your system, using security profiles and policies to prevent applications from being used to access resources and system components in insecure ways. Although it is enabled by default on Fedora 20 and CentOS 7, it is normally disabled on most Linux systems following installation.

Why SELinux

Before we begin, let’s understand a few concepts.

SELinux implements what’s known as MAC (Mandatory Access Control). This is implemented on top of what’s already present in every Linux distribution, the DAC (Discretionary Access Control).

To understand DAC, let’s first consider how traditional Linux file security works.

In a traditional security model, we have three entities: User, Group, and Other (u,g,o), each of which can have a combination of Read, Write, and Execute (r,w,x) permissions on a file or directory.

SELinux security decisions come into play after DAC security has been evaluated.

Configuration

To enable SELinux, edit the /etc/selinux/config file and set one of the following SELINUX options:

• SELINUX=enforcing (policy settings are enforced by SELinux)
• SELINUX=permissive (SELinux generates warnings only and logs events)
• SELINUX=disabled (SELinux is disabled)

Next, select an SELinux policy by configuring one of the following SELINUXTYPE options within the /etc/selinux/config file:

• SELINUXTYPE=targeted (only targeted network daemons are protected)
• SELINUXTYPE=strict (all daemons are protected)

Most Linux systems that use SELinux have definitions for the targeted policy that protect the system from malicious applications that can damage system files or compromise security. After modifying the /etc/selinux/config file to enable SELinux, you must reboot to relabel the system for the changes to take effect. Once SELinux is enabled, you can change the targeted policy settings by modifying the files within the /etc/selinux/targeted directory.
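A quick way to check the two settings described above is to audit the config file rather than read it by eye. The script below is an added example, not part of the original article; the helper names audit_selinux_config and get_setting are hypothetical, and the sample trees it builds under a temporary directory are constructed stand-ins for /etc/selinux.

```shell
#!/bin/sh
# Added example: audit_selinux_config is a hypothetical helper, not a system tool.
# Usage: audit_selinux_config [DIR]   (DIR defaults to /etc/selinux)

# Print the first value assigned to KEY in FILE, lowercased. Comment lines
# never match because they do not begin with "KEY=".
get_setting() {
    sed -n "s/^$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$2" | head -n 1 |
        tr '[:upper:]' '[:lower:]'
}

audit_selinux_config() {
    dir=${1:-/etc/selinux}
    [ -r "$dir/config" ] || { echo "FAIL: cannot read $dir/config"; return 2; }
    mode=$(get_setting SELINUX "$dir/config")
    policy=$(get_setting SELINUXTYPE "$dir/config")
    case $mode in
        enforcing)  verdict="OK" ;;
        permissive) verdict="WARN: violations are logged, not blocked" ;;
        disabled)   verdict="FAIL: SELinux is disabled" ;;
        *)          verdict="FAIL: SELINUX is missing or not a known mode" ;;
    esac
    # The selected policy keeps its files in DIR/<SELINUXTYPE>, for example
    # /etc/selinux/targeted, so an enforcing mode without that directory fails.
    if [ "$verdict" = OK ] && { [ -z "$policy" ] || [ ! -d "$dir/$policy" ]; }; then
        verdict="FAIL: no policy directory $dir/${policy:-<unset>}"
    fi
    echo "mode=${mode:-unset} type=${policy:-unset} -> $verdict"
    [ "$verdict" = OK ]
}

# Constructed sample trees standing in for /etc/selinux (not from a real host).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/good/targeted" "$demo/permissive/targeted" "$demo/off"
printf '# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/good/config"
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo/permissive/config"
printf '#SELINUX=enforcing\nSELINUX=disabled\n' > "$demo/off/config"
for t in good permissive off; do audit_selinux_config "$demo/$t" || true; done
```

The function returns 0 only for an enforcing mode with an existing policy directory, so it can gate a provisioning or compliance script.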

Note: Any important files on the filesystem that are monitored or managed by SELinux have a period (.) appended to their mode in ls -l listings.
