- Restricts access by subjects (users and/or processes) to objects (files)
- Provides Mandatory Access Controls (MACs)
- MACs extend Discretionary Access Controls (DACs (Standard Linux Permissions))
- Stores MAC permissions in extended attributes of file systems
- SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
- SELinux is integrated into the Linux kernel
- Implements sandboxes for subjects and objects
- Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
- SELinux is implemented/enabled by RHEL5, by default
- Operates in the following modes:
a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
b. Enforcing - strictly enforces 'targeted' policy rules
c. Disabled - Only DACs are applied
- Operating modes can be applied upon startup or while the system is running
SELinux Config files & Tools:
1. sestatus - displays current SELinux status, including:
a. policy name 'targeted'
b. policy version '21'
c. Operating mode: 'enforcing|permissive|disabled'
2. /etc/sysconfig/selinux - primary startup|config file for SELinux
3. /etc/selinux/targeted - top-level container for the 'targeted' policy
4. setenforce = 0(permissive) 1(enforcing)
5. '-Z' can be applied to the following commands to obtain SELinux context info:
mv, cp, ls, ps, id
6. chcon -R -t type <file> - applies SELinux label to file/directory
Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
1. 'touch /.autorelabel && reboot' - init will relable the system according to the 'targeted' policy
2. 'fixfiles' - use to relabel objects (files) while the system is running
Note: List of daemons protected by the 'targeted' SELinux policy:
Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain
Note: The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'
Note: SELinux MACs compound Linux DACs