What Is SELinux?

Posted on in Categories last updated December 6, 2012

What is SELinux? Why should I use SELInux on my CentOS or Red Hat Enterprise Linux server running on IBM hardware?

SELinux is an acronym for Security-enhanced Linux. It is a security feature of the Linux kernel. It is designed to protect the server against misconfigurations and/or compromised daemons. It put limits and instructs server daemons or programs what files they can access and what actions they can take by defining a security policy.

DAC: Traditional Unix / Linux security mechanism

DAC is an acronym for Discretionary Access Control (DAC). It is the standard mechanism for Linux, *BSD, Apple OSX, and Unix like operating system security. Under DAC, each processes run under a user and group. For example, httpd process run with an associated user and a group called apache. httpd process has access to all files and directories that the apache can access. If httpd process got cracked it can create a number of security problems. Hacked httpd process can access, modify and destroy all files that belong to the apache user. It may access temporary directories (/tmp/ or /var/tmp) and world readable files. The /tmp or /var/tmp or any other legitimate directories such as caching directories can be used to install backdoor and take full control of your Linux system. Ownership of a file provides risky control. A cgi or php script with an unexpected access right can do anything it wants to the files owned by the apache user. It can perform any operations on files in the apache group. An attacker can use this misocofigured cgi/php script or broken apache server to gain root level access. This will give superuser access on a Linux based system. Once rooted an attacker can steal your private data or gain access other parts of your internal network (LAN).

Fig.01: Linux or Unix Server With DAC Security Model
Fig.01: Linux or Unix Server With DAC Security Model

MAC: Security mechanism via SELinux

MAC is an acronym for Mandatory Access Control (MAC). SELinux is an implementation of a MAC security mechanism. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows server admin to define various permissions for all process. It defines how all processes can interact with other parts of the server such as:

  1. Pipes
  2. Files
  3. Network ports
  4. Sockets
  5. Directories
  6. Other process

SELinux puts restrictions on each of the above object according to a policy. For example, an apache user with full permission can only access /var/www/html directory, but can not touch other parts of the system such as /etc directory without policy modification. If an attacker managed to gain access to sendmail mail or bind dns or apache web server, would only have access to exploited server and the files normally has access as defined in the policy for the server. An attacker can not access the other parts of the system or internal LAN. In other words, damage can be now restricted to the particular server and files. The cracker will not able to get a shell on your server via common daemons such as Apache / BIND / Sendmail as SELinux offers the following security features:

  1. Protect users’ data from unauthorized access.
  2. Protect other daemons or programs from unauthorized access.
  3. Protect network ports / sockets / files from unauthorized access.
  4. Protect server against exploits.
  5. Avoid privilege escalation and much more.

Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as

  • Implementing firewalls policy.
  • Server monitoring.
  • Patching the system on time.
  • Writing and securing cgi/php/python/perl scripts.

3 comment

  1. The problem with SELinux is that while there is documentation that shows HOW to create policies, I have yet to see anything published that shows how to determine WHAT policies you need to A) make sure you don’t break any of your applications, while B) still getting some level of protection. We don’t write our own applications so we don’t “just know” what sort of access each application requires.

  2. can u plz tell me when we change enforcing mode to permissive mode or vice versa,what is the need to changing mode. default it is set on enforcing mode.when we on permissive mode what we can do.

Leave a Comment