As cybersecurity becomes increasingly necessary, it is useful to familiarize yourself with some common security infrastructures that are used on modern web servers and personal computers. For Linux users, one such infrastructure is SELinux, the Linux kernel security module that dictates access control security policies, including mandatory access controls (MAC). SELinux consists of a set of kernel modifications and user tools, and is included with most Linux-based machines in use today. In this article, we will discuss the importance of SELinux and explore some associated features.
Topics Include:
Familiarize yourself with SELinux to ensure that your Dedicated Hosting server is secure!
SELinux Background
SELinux, short for Security-Enhanced Linux, consists of a series of security patches to the Linux kernel that mandate access controls for various services and applications. Based on projects originally developed by the National Security Agency, SELinux has quickly become a staple in the realm of open-source cybersecurity. SELinux enhances Linux system security by limiting privileges and reducing the overall harm a given application can cause to the entire system. Before discussing how SELinux works, it is important to explore the concept of correctness.
Correctness is a term used in computer science to describe how closely a given program performs in comparison to the expected results based on the system specifications. For example, an application designed to open up an image file can be said to have a high level of correctness if it successfully opens up the image file as expected. This concept can be broadly applied to any program, application, or function utilized in a computer system.
In a system without SELinux, the security of the system depends on the correctness of the kernel as well as the correctness of any privileged applications and their respective configurations. If any faults exist within these areas, the entire system can be compromised. For this reason, having a Linux kernel without any sort of security module is not recommended, particularly for devices connected to the internet.
By comparison, systems with SELinux depend on both the correctness of the kernel and that of the security-policy configuration. This ensures that while errors in correctness or configuration may result in a compromised application, the entire system will not be affected and other applications can continue to function normally. In essence, SELinux provides a compartmentalized security policy that prevents the spread of compromised applications and other security vulnerabilities.
How SELinux Works
In order for SELinux to work, the system must first assign labels, also known as context to various functions. For users and processes, a text string is assigned, consisting of a username, a role, and a domain. Generally, the domain name is the only portion that gets used to determine access controls. Files, network ports, and hardware also have a context within SELinux and are assigned a name, a role, and a type.
The process of mapping files to a security context is referred to as labeling and is defined by the policy file being used. A policy file consists of three files: a mapping file, a rule file and an interface file. These three files must be compiled into a single policy file with the SELinux toolset, then loaded into the system kernel to make it an active policy. The creation of policy files can be done manually or with the SELinux management tool. Once the policy file has been loaded into the system kernel, you can rest assured that your system has been secured.
By default, SELinux comes pre-configured on most modern Linux operating systems such as Ubuntu, Debian, or CentOS. This means that most of the time, users aren’t even aware that SELinux is working behind-the-scenes to keep their system protected. In summary, the reliable and unobtrusive nature of SELinux makes it an essential part of any modern Linux system.
SELinux Commands
To interact with SELinux on your machine, you can use a command-line interface to issue simple commands that allow you to check and modify the status of the SELinux security module. We will provide a few examples of commonly used SELinux commands below.
To find the current status of SELinux, run the following command:
getenforce
For a more detailed status report, use the following command:
sestatus
To change the enforcement policy for SELinux, you can use the setenforce command. To set SELinux to enforce security policies, use the following command:
setenforce enforcing
If you need to make changes to your system that require a more permissive security policy, you can use the following command:
setenforce permissive
As you can see from these examples, SELinux can be easily managed from the command-line, allowing users to quickly obtain and modify the status of security policy enforcement. By familiarizing yourself with SELinux and related commands, you can better manage the security of your Linux-based server or personal computer.
