SELinux - Overview and Configuration

SELinux Features:
  • Restricts access by subjects (users and/or processes) to objects (files)
  • Provides Mandatory Access Controls (MACs)
  • MACs extend Discretionary Access Controls (DACs (Standard Linux Permissions))
  • Stores MAC permissions in extended attributes of file systems
  • SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
  • SELinux is integrated into the Linux kernel
  • Implements sandboxes for subjects and objects
  • Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
  • SELinux is implemented/enabled by RHEL5, by default
  • Operates in the following modes:

            a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
            b. Enforcing - strictly enforces 'targeted' policy rules
            c. Disabled - Only DACs are applied

  • Operating modes can be applied upon startup or while the system is running

SELinux Config files & Tools:

 1. sestatus - displays current SELinux status, including:
     a. policy name 'targeted'
     b. policy version '21'
     c. Operating mode: 'enforcing|permissive|disabled'

 2. /etc/sysconfig/selinux - primary startup|config file for SELinux
 3. /etc/selinux/targeted - top-level container for the 'targeted' policy
 4. setenforce = 0(permissive) 1(enforcing)
 5. '-Z' can be applied to the following commands to obtain SELinux context info:
      mv, cp, ls, ps, id
 6. chcon -R -t type <file> - applies SELinux label to file/directory

Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
     1. 'touch /.autorelabel && reboot' - init will relable the system according to the 'targeted' policy
     2. 'fixfiles' - use to relabel objects (files) while the system is running

Note: List of daemons protected by the 'targeted' SELinux policy:
             1. apache(httpd)
             2. dchpd
             3. ntpd
             4. named
             5. syslogd
             6. squid
             7. snmpd
             8. portmap
             9. nscd
            10. winbind

Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain

Note: The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'

Note: SELinux MACs compound Linux DACs 

Share this

Related Posts

Next Post »

What do you think about this Article? Add your Opinion..! EmoticonEmoticon