Linux 101: SELinux overview



SELinux (Security-Enhanced Linux) is a Linux kernel module that provides a MAC (Mandatory Access Control) system, where only the administrator sets access to resources. That access can't be overridden by users who own these resources.

DAC (Discretionary Access Control), on the other hand, gives users the ability to decide who can access their files and directories.

With DAC users can launch any program from their own directories.

Objects and subjects:

SELinux makes decisions based on the context (labels) of the "subject" and the "object".

SELinux labels (contexts):

With SELinux, we have Mandatory Access Control (MAC) that checks for allowed operations after the traditional Discretionary Access Control (DAC) does its checking.

For example, with MAC we could prevent users from running scripts in their home directories.

SELinux uses labels or security contexts to control access to files or processes.

We can display the security context (labels) for files and directories using the below command:

We get the below results:

We can also display the contexts for processes using the below command:

We get the below results:

The output from the above commands contains the below data:


SELinux user: SELinux has a number of preset users, and each Linux user can be mapped to one SELinux user.
In our example above we have system_u for the files and unconfined_u for the processes.

SELinux role: Each SELinux user can be mapped to one or more roles. Roles define the allowed types for files and the allowed domains for processes. In our example above, object_r is the file's role and unconfined_r is the role for processes.

Type: for files, it shows the file's purpose, for example bin_t (file in the bin directory) or boot_t (file in the boot directory).

For processes, it's called a domain and it controls what a process is allowed to do.

Sensitivity/Category: optional fields used with MLS (Multi-Level Security).

All these components help strengthen security and also establish class-based and role-based access control (RBAC).

Context of a running process:

We could also display the current context of a running process by displaying the contents of its "/proc/$PID/attr/current" file.
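
The fields described above can be pulled apart in the shell. The following is an added example, not part of the original post; the function names selinux_field and process_context are hypothetical and the two sample contexts are constructed. It splits a context into user, role, type and level, keeps an MLS range that contains its own colon intact, and reads a process context from "/proc/$PID/attr/current".

```shell
#!/bin/sh
# Added example: split an SELinux context into user, role, type and level.
# Function names are hypothetical; the sample contexts below are constructed.

# Print one field (user|role|type|level) of a context string.
# The level is everything after the third colon, because an MLS/MCS range
# such as s0-s0:c0.c1023 contains a colon of its own.
selinux_field() {
    ctx=$1 field=$2
    # Reject anything with fewer than three fields (empty or non-SELinux label).
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) type=${rest%%:*}; level=${rest#*:} ;;
        *)   type=$rest;       level= ;;   # the level field is optional
    esac
    case $field in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *) return 2 ;;
    esac
}

# Print the context of a process from /proc/<pid>/attr/current (default: self).
# The value may end with a NUL byte instead of a newline, so strip it.
process_context() {
    f=/proc/${1:-self}/attr/current
    [ -r "$f" ] || return 1
    tr -d '\000' < "$f"
}

# Constructed samples: a file context and a process context.
FILE_CTX='system_u:object_r:bin_t:s0'
PROC_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

selinux_field "$FILE_CTX" type    # bin_t
selinux_field "$PROC_CTX" type    # unconfined_t (the process domain)
selinux_field "$PROC_CTX" level   # s0-s0:c0.c1023
```

On a host with SELinux enabled, the domain of the current shell can then be read with selinux_field "$(process_context)" type.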

The "type" property:

A "type" is the context that advertises the file's purpose. From the type we would know if the file is a web page or if it belongs to a certain directory (a file in the boot directory has the type "boot_t", for example).

When we need the system processes to access only allowed resources (files, directories, ...), we assign a type (domain) to the processes, then we create policies that dictate which type of process can have access to which type of object.

Changing the SELinux "type":

We can use the command to change the type of a file:

SELinux modes:

  • Enforcing: SELinux will enforce all the policies.
  • Permissive: SELinux policies are not enforced, but SELinux will still log messages that could be used later for solving issues.
  • Disabled: SELinux is disabled on the machine.

To check whether SELinux is running, we use the below command:

Displays: enforcing, which means that the SELinux policies are enforced.

To get more details about SELinux, we use the command:


We get information such as the SELinux configuration directory (/etc/selinux), ...

SELinux configuration file:


We can change the SELinux mode in the configuration file.

We can also change the SELinux mode using the below command:


We reboot, then we check using the below command:


SELinux policies (Booleans):

SELinux policies define the rules for an SELinux user's access to roles and the rules for a role's access to types/domains.
An SELinux user can have one or more roles.
Roles dictate the domains/types that can be used.

To display the SELinux modules (Booleans) we use the below command:


Modules have Boolean values. To list the Boolean values, we use the below:

We get the below results:


State of a particular module (Boolean) value:

Example:

We can see from the results that "antivirus_can_scan_system" is not activated.
To change the settings and activate it we use:


To make the changes persist, we add the -p option to the command:

Supported users, roles, types/domains in a system:

To view the supported SELinux users, roles and types respectively, we can use the below commands:

