What is SELinux and DAC?
DAC is an acronym for Discretionary Access Control (DAC). It is the standard mechanism for Linux, *BSD, Apple OSX, and Unix like operating system security. Under DAC, each processes run under a user and group. For example, httpd process run with an associated user and a group called apache. httpd process has access to all files and directories that the apache can access. If httpd process got cracked it can create a number of security problems. Hacked httpd process can access, modify and destroy all files that belong to the apache user. It may access temporary directories (/tmp/ or /var/tmp) and world readable files. The /tmp or /var/tmp or any other legitimate directories such as caching directories can be used to install backdoor and take full control of your Linux system. Ownership of a file provides risky control. A cgi or php script with an unexpected access right can do anything it wants to the files owned by the apache user. It can perform any operations on files in the apache group. An attacker can use this misocofigured cgi/php script or broken apache server to gain root level access. This will give superuser access on a Linux based system. Once rooted an attacker can steal your private data or gain access other parts of your internal network (LAN).
MAC: Security mechanism via SELinux
MAC is an acronym for Mandatory Access Control (MAC). SELinux is an implementation of a MAC security mechanism. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows server admin to define various permissions for all process. It defines how all processes can interact with other parts of the server such as:
- Network ports
- Other process
SELinux puts restrictions on each of the above object according to a policy. For example, an apache user with full permission can only access /var/www/html directory, but can not touch other parts of the system such as /etc directory without policy modification. If an attacker managed to gain access to sendmail mail or bind dns or apache web server, would only have access to exploited server and the files normally has access as defined in the policy for the server. An attacker can not access the other parts of the system or internal LAN. In other words, damage can be now restricted to the particular server and files. The cracker will not able to get a shell on your server via common daemons such as Apache / BIND / Sendmail as SELinux offers the following security features:
- Protect users’ data from unauthorized access.
- Protect other daemons or programs from unauthorized access.
- Protect network ports / sockets / files from unauthorized access.
- Protect server against exploits.
- Avoid privilege escalation and much more.
Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as
- Implementing firewalls policy.
- Server monitoring.
- Patching the system on time.
- Writing and securing cgi/php/python/perl scripts.
I hope you understood basic concepts of SELinux. For more info see:
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
|Category||List of Unix and Linux commands|
|Firewall||Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04|
|Network Utilities||dig • host • ip • nmap|
|OpenVPN||CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04|
|Package Manager||apk • apt|
|Processes Management||bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time|
|Searching||grep • whereis • which|
|User Information||groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w|
|WireGuard VPN||Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04|