Sharing Knowledge | System Admin Articles

SELinux - Overview and Configuration




SELinux Features:
  • Restricts access by subjects (users and/or processes) to objects (files)
  • Provides Mandatory Access Controls (MACs)
  • MACs extend Discretionary Access Controls (DACs (Standard Linux Permissions))
  • Stores MAC permissions in extended attributes of file systems
  • SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
  • SELinux is integrated into the Linux kernel
  • Implements sandboxes for subjects and objects
  • Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
  • SELinux is implemented/enabled by RHEL5, by default
  • Operates in the following modes:

            a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
            b. Enforcing - strictly enforces 'targeted' policy rules
            c. Disabled - Only DACs are applied

  • Operating modes can be applied upon startup or while the system is running


SELinux Config files & Tools:

 1. sestatus - displays current SELinux status, including:
     a. policy name 'targeted'
     b. policy version '21'
     c. Operating mode: 'enforcing|permissive|disabled'

 2. /etc/sysconfig/selinux - primary startup|config file for SELinux
 3. /etc/selinux/targeted - top-level container for the 'targeted' policy
 4. setenforce = 0(permissive) 1(enforcing)
 5. '-Z' can be applied to the following commands to obtain SELinux context info:
      mv, cp, ls, ps, id
 6. chcon -R -t type <file> - applies SELinux label to file/directory


Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
     1. 'touch /.autorelabel && reboot' - init will relable the system according to the 'targeted' policy
     2. 'fixfiles' - use to relabel objects (files) while the system is running

Note: List of daemons protected by the 'targeted' SELinux policy:
             1. apache(httpd)
             2. dchpd
             3. ntpd
             4. named
             5. syslogd
             6. squid
             7. snmpd
             8. portmap
             9. nscd
            10. winbind

Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain

Note: The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'

Note: SELinux MACs compound Linux DACs 


Labels: Linux, SELinux

My Profile PhotoAbout the Author

I'm Parthiban, An UNIX System Admin by Profession. I'm Experienced in Linux/Unix System Administration and Scripting. I have done lot of work on the infrastructure Mgmt side in Linux, UNIX and Windows system administration, Hardware, Storage and Data center. I'm blogging since 2008.
Follow Me On Twitter or On Facebook

0 Comments for "SELinux - Overview and Configuration"

What do you think about this Article? Add your Opinion..!

Back To Top