What Is SELinux?

What is SELinux? Why should I use SELInux on my CentOS or Red Hat Enterprise Linux server running on IBM hardware?

SELinux is an acronym for Security-enhanced Linux. It is a security feature of the Linux kernel. It is designed to protect the server against misconfigurations and/or compromised daemons. It put limits and instructs server daemons or programs what files they can access and what actions they can take by defining a security policy.

DAC: Traditional Unix / Linux security mechanism

DAC is an acronym for Discretionary Access Control (DAC). It is the standard mechanism for Linux, *BSD, Apple OSX, and Unix like operating system security. Under DAC, each processes run under a user and group. For example, httpd process run with an associated user and a group called apache. httpd process has access to all files and directories that the apache can access. If httpd process got cracked it can create a number of security problems. Hacked httpd process can access, modify and destroy all files that belong to the apache user. It may access temporary directories (/tmp/ or /var/tmp) and world readable files. The /tmp or /var/tmp or any other legitimate directories such as caching directories can be used to install backdoor and take full control of your Linux system. Ownership of a file provides risky control. A cgi or php script with an unexpected access right can do anything it wants to the files owned by the apache user. It can perform any operations on files in the apache group. An attacker can use this misocofigured cgi/php script or broken apache server to gain root level access. This will give superuser access on a Linux based system. Once rooted an attacker can steal your private data or gain access other parts of your internal network (LAN).

Fig.01: Linux or Unix Server With DAC Security Model

MAC: Security mechanism via SELinux

MAC is an acronym for Mandatory Access Control (MAC). SELinux is an implementation of a MAC security mechanism. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows server admin to define various permissions for all process. It defines how all processes can interact with other parts of the server such as:

  1. Pipes
  2. Files
  3. Network ports
  4. Sockets
  5. Directories
  6. Other process

SELinux puts restrictions on each of the above object according to a policy. For example, an apache user with full permission can only access /var/www/html directory, but can not touch other parts of the system such as /etc directory without policy modification. If an attacker managed to gain access to sendmail mail or bind dns or apache web server, would only have access to exploited server and the files normally has access as defined in the policy for the server. An attacker can not access the other parts of the system or internal LAN. In other words, damage can be now restricted to the particular server and files. The cracker will not able to get a shell on your server via common daemons such as Apache / BIND / Sendmail as SELinux offers the following security features:

  1. Protect users’ data from unauthorized access.
  2. Protect other daemons or programs from unauthorized access.
  3. Protect network ports / sockets / files from unauthorized access.
  4. Protect server against exploits.
  5. Avoid privilege escalation and much more.

Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as

  • Implementing firewalls policy.
  • Server monitoring.
  • Patching the system on time.
  • Writing and securing cgi/php/python/perl scripts.

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.


How to KVM, QEMU start or stop virtual machine from command line (CLI)

KVM or Kernel Based Virtual Machine is a popular virtualization technology. It allows you to run virtual guest machines over a host machine. To start...

How to Docker backup Saving and restoring your volumes

Running a Docker volume backup First, we spin up a temporary container, and we mount the backup folder and the target Docker volume to this container....

How to Start and Enable Firewalld on CentOS 7

In this article, we discuss how to start and enable firewalld. It is highly recommended that you have a firewall protecting your server.Pre-Flight CheckThese...