Open Source For You — December 2017

(Steven Felgate) #1
Admin Insight

28 | DECEMBER 2017 | OPEN SOURCE FOR YOU | http://www.OpenSourceForU.com

Reduce Security Risks with SELinux

Discover SELinux, a security module that provides extra protocols to ensure access control security. It supports mandatory access controls (MAC) and is an integral part of RHEL’s security policy.

Security-Enhanced Linux or SELinux is an advanced access control mechanism built into most modern Linux distributions. It was initially developed by the US National Security Agency to protect computer systems from malicious tampering. Over time, SELinux was placed in the public domain and various distributions have incorporated it in their code. To many systems administrators, SELinux is uncharted territory. It can seem quite daunting and, at times, even confusing. However, when properly configured, SELinux can greatly reduce a system’s security risks, and knowing a bit about it can help you to troubleshoot access-related error messages.

Basic SELinux security concepts

Security-Enhanced Linux is an additional layer of system security. The primary goal of SELinux is to protect the users’ data from system services that have been compromised. Most Linux administrators are familiar with the standard user/group/other permissions security model. This is a user and group based model known as discretionary access control. SELinux provides an additional layer of security that is object based and controlled by more sophisticated rules, known as mandatory access control. To allow remote anonymous access to a Web server, firewall ports must be opened. However, this gives malicious users an opportunity to crack the system through a security exploit. If they compromise the Web server process, they gain its permissions: those of the Apache user and Apache group, which have read/write access to things like the document root (/var/www/html), as well as write access to /var, /tmp and any other directories that are world writable.

Under discretionary access control, a process can access any object that the user and group permissions allow. When SELinux enables mandatory access control, a particular context is also given to each object. Every file, process, directory and port has a special security label, called a SELinux context. A context is a name that is used by the SELinux policy to determine whether a process can access a file, directory or port. By default, the policy does not allow any interaction unless an explicit rule grants access. If there is no rule, no access is allowed.

SELinux labels have several contexts: user, role, type and sensitivity. The targeted policy, which is the default policy in Red Hat Enterprise Linux, bases its rules on the third context, the type context. The type context normally ends with _t. The type context for the Web server is httpd_t. The type context for files and directories normally found in /var/www/html is httpd_sys_content_t, and for files and directories normally found in /tmp and /var/tmp is tmp_t. The type context for Web server ports is http_port_t.

There is a policy rule that permits Apache to access files and directories with a context normally found in /var/www/html and other Web server directories. There is no ‘allow’ rule for files found in the /tmp and /var/tmp directories, so access is not permitted. With SELinux, a malicious user who has compromised the Web server process cannot access the /tmp directory. SELinux has a rule for remote file systems such as NFS and CIFS, although all files on such file systems are labelled with the same context.
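
The default-deny type check described above, as an added example (not from the article, and not the kernel's or Red Hat's policy code). The rule table is a constructed simplification of the targeted policy, and the labels are constructed samples in the form printed by `ls -Z` and `ps -Z`.

```python
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str


def parse_context(label: str) -> Context:
    """Split 'user:role:type:level' into its four fields.

    The sensitivity level may itself contain ':' (for example
    's0-s0:c0.c1023'), so split at most three times.
    """
    parts = label.strip().split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a full SELinux context: {label!r}")
    return Context(*parts)


# Constructed stand-in for allow rules (assumption, not real policy):
# (source type, target type, object class) -> permitted operations.
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"getattr", "open", "read"},
    ("httpd_t", "httpd_sys_content_t", "dir"): {"getattr", "open", "read", "search"},
}


def is_allowed(source: str, target: str, tclass: str, perm: str) -> bool:
    """Type enforcement: compare only the type fields; no rule means deny."""
    key = (parse_context(source).type, parse_context(target).type, tclass)
    return perm in ALLOW.get(key, set())


# Constructed sample labels.
HTTPD_PROC = "system_u:system_r:httpd_t:s0"
DOCROOT_FILE = "system_u:object_r:httpd_sys_content_t:s0"
TMP_FILE = "unconfined_u:object_r:tmp_t:s0"

if __name__ == "__main__":
    for path, label in [("/var/www/html/index.html", DOCROOT_FILE),
                        ("/tmp/notes.txt", TMP_FILE)]:
        ok = is_allowed(HTTPD_PROC, label, "file", "read")
        print(f"httpd_t read {path} [{parse_context(label).type}]:",
              "allowed" if ok else "denied")
```

The file's user/group/other mode bits never enter the decision here, which is the point: a world-readable file labelled tmp_t is still denied to httpd_t because no rule names that pair of types.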

SELinux modes
For troubleshooting purposes, SELinux protection can be temporarily disabled using SELinux modes. SELinux works in three modes: enforcing mode, permissive mode and disabled mode.

Enforcing mode: In the enforcing mode, SELinux actively denies access to Web servers attempting to read files with the tmp_t type context. In this mode, SELinux both logs the interactions and protects files.

Permissive mode: This mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even if there is no explicit rule, and it logs the interactions that it would have denied in the enforcing mode. This mode can be used to