What is SELinux and why should you enable or disable it on a Linux operating system?

Let's first talk about what SELinux is before deciding whether to enable or disable it on a Linux operating system, whether you manage Linux servers or run your own Linux cloud server. Do you need help with SELinux, server security, or other cloud infrastructure issues? Talk to Web and Cloud today and let's discuss your challenges. Login or create a free account at Webandcloud.com to get started.

May 6, 2023 - 09:35
Jan 14, 2024 - 15:50

SELinux (Security-Enhanced Linux) is a Linux kernel feature that provides a variety of security policies, including U.S. Department of Defense style Mandatory Access Control (MAC), through the Linux Security Modules (LSM) framework in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems such as Linux and BSD.

Running SELinux under a Linux distribution requires an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some Linux programs also need to be patched or compiled with SELinux support.

MAC - Mandatory Access Controls

SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of an operating system to define how applications and users can access different resources such as files, devices, networks, and inter-process communication.

With SELinux, an administrator can distinguish a user from the applications that user runs. For example, the user's shell or GUI may be allowed to do anything it wants with the home directory, but if the user runs a mail client, the client may not be able to access certain parts of the home directory, such as the user's SSH keys.

The way that an administrator sets these permissions is with the centralized SELinux policy. The policy tells the system how different components of the system can interact and use resources. The policy typically comes from your distribution but it can be updated on the end system to reflect different configurations or application behavior.

How does SELinux work?

Though it uses multiple security models to do its job, the type enforcement model is the most important one in SELinux. A type is a way of classifying an application or resource, and type enforcement is the enforcement of access control on that type. All files, processes, network resources, etc. on an SELinux system have a label, and one of the components of that label is the "type". For example, the files in your home directory are probably labeled user_home_t. Here user_home_t is the type, and in this case it means that the policy should treat all those files as your home directory files.

Running applications also have labels. For example, your web browser may be running as firefox_t. Type enforcement simply lets you specify which application label can access which resource label. In the simplest terms, SELinux lets you allow an application to do something with a resource:

allow firefox_t user_home_t : file { read write };

This rule allows your web browser, running as firefox_t, to read and write files in your home directory, labeled user_home_t.

Do I have to write policies to use SELinux?

No. In general, distributions such as Fedora and Red Hat Enterprise Linux come with many policies which allow applications to do everything necessary in their default configurations. If you are a system administrator who loves customizing how applications and services work on your system, then you may need to update the policies. More often than not, a simple file relabel is enough to make your custom configuration work with SELinux.

Where do I get these SELinux policies?

When SELinux comes with a distribution, it will include policies that lock down various applications. The number of applications locked down and how strict the policies are depends on how your distribution has configured the policy. All policies included in distributions today, however, are based on the Reference Policy, and therefore a user can add additional policies from the Reference Policy or can reconfigure the strictness of the policies. You can get SELinux policies from the SELinux GitHub project page.

Who writes these policies?

The policies in the Reference Policy are written by distributions and security professionals, based on user feedback about application behavior. Tresys Technology actively maintains the Reference Policy upstream by reviewing and integrating the changes sent to the project mailing list. Go to Selinuxproject.org for more information.

Is SELinux a firewall?

No, SELinux is not a firewall. A firewall controls the flow of network traffic to and from a computer. SELinux confines the access of programs within a computer and can therefore be thought of as an internal firewall between programs. Security works best when multiple layers are used, and SELinux is complementary to a firewall and other security features.

Is it useful for a desktop?

Yes. Though most distributions targeted services such as Apache when they initially integrated SELinux, many desktop services are now confined, and confining desktop applications is a great way to keep malicious online content from compromising your important data.

How to check the state of SELinux on a server?

SELinux may already be enabled or set to permissive mode on your server, so check its state before you start configuring the server.


To check the state of SELinux on your server, log in as the root user and open /etc/selinux/config with your preferred text editor.

The SELINUX setting in that file should be one of the following:

SELINUX=enforcing: the server is protected by SELinux

SELINUX=permissive: SELinux is enabled but not protecting the server

SELINUX=disabled: SELinux is disabled on the server

Make your desired changes and reboot the server.
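The check above can be scripted. The following script is an added example, not code from the original article: it reads the SELINUX= value from the config file (the mode that takes effect at the next boot) and compares it with the mode the kernel reports right now through getenforce or /sys/fs/selinux/enforce, warning when the two disagree. The function names and the optional path argument are my own.

```shell
#!/bin/sh
# Added example, not from the original article: compare the SELinux mode
# set in /etc/selinux/config (applied at the next boot) with the mode the
# kernel is running right now. Editing the file never changes the live mode,
# so the two can disagree until a reboot or a setenforce call.

# Print the SELINUX= value from a config file, ignoring comment lines,
# surrounding whitespace and letter case. "unknown" if absent or malformed.
selinux_config_mode() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 1; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" \
           | tail -n 1 | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unknown; return 1 ;;
    esac
}

# Live mode as the kernel reports it. Without getenforce or a mounted
# selinuxfs there is no SELinux enforcement, which is reported as disabled.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled
    fi
}

# Report both values and warn when the next boot would change the mode
# (for example permissive now, but enforcing in the config file).
selinux_report() {
    cfg=$(selinux_config_mode "${1:-/etc/selinux/config}") || true
    run=$(selinux_runtime_mode)
    echo "configured (next boot): $cfg"
    echo "running (now):          $run"
    [ "$cfg" = "$run" ] || echo "WARNING: running mode differs from the configured mode"
}

selinux_report "$@"
```

Run it as root with no arguments to check the real config file, or pass another path to inspect a copy.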

Why should I use SELinux?

SELinux can help protect you from bugs in applications and much more. Most people treat applications as user surrogates (e.g., "I go to google.com" rather than "I tell my browser to go to google.com and it does so on my behalf"). However, applications, especially the desktop applications we all use, come with millions of lines of code. Without knowing what those millions of lines of code do, there is no way to know whether an application will really do what you tell it, or whether it becomes malicious because of vulnerabilities. With SELinux, you can treat the applications you run differently from yourself, thereby limiting what an exploited application can do.

Should you disable or enable SELinux on a Linux server?

Though most servers should leave SELinux enabled, because it can help mitigate zero-day attacks, there are some circumstances where SELinux should be disabled.

SELinux can stop some applications from working properly, and some operating systems and server control panels may not support SELinux; cPanel, for example, did not support SELinux.

We suggest that you set SELinux to permissive mode and test the server and its applications to see whether everything runs smoothly. If everything runs perfectly in permissive mode but not in enforcing mode, you may need to add some rules to the policy or relabel some files.
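In permissive mode each access that enforcing mode would block is logged as an AVC denial. The script below is an added example, not code from the article, that ties those denials to the allow-rule syntax shown under "How does SELinux work?": it parses constructed AVC lines of the kind auditd records and prints, for each one, the rule in the same "allow source target : class { perms };" form, so you can judge whether a rule or a relabel is the right fix. The function names and the sample log lines are mine.

```shell
#!/bin/sh
# Added example, not from the original article: turn AVC denial lines from
# the audit log into allow rules in the "allow src tgt : class { perms };"
# form, so you can see exactly what a policy addition would grant. A rule
# grants the access permanently; if the target type is simply wrong (for
# example web content still labeled user_home_t), a relabel is the better fix.

# The type is the third field of a context such as system_u:system_r:httpd_t:s0.
context_type() {
    echo "$1" | cut -d: -f3
}

# Convert one AVC denial line into an allow rule. Non-denial lines and
# lines missing any field produce no output and a non-zero status.
avc_to_allow() {
    line=$1
    case "$line" in
        *avc:*denied*) ;;
        *) return 1 ;;
    esac
    perms=$(echo "$line" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
            | tr -s ' ' | sed 's/^ //; s/ $//')
    src=$(context_type "$(echo "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
    tgt=$(context_type "$(echo "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
    cls=$(echo "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    echo "allow $src $tgt : $cls { $perms };"
}

# Constructed sample (not from a real system): a web server running as
# httpd_t denied access to a file labeled user_home_t, plus a SYSCALL record.
SAMPLE_AVC='type=AVC msg=audit(1683359700.123:456): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1683359700.124:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/alice/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1683359700.124:457): arch=c000003e syscall=257 success=yes exit=5'

# One unique rule per denial; non-AVC records are skipped.
suggest_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        avc_to_allow "$line" || true
    done | sort -u
}

suggest_rules "$SAMPLE_AVC"
```

To use it on a real system, feed it the output of `grep avc /var/log/audit/audit.log` instead of SAMPLE_AVC.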

To set SELinux into permissive mode temporarily, you can run setenforce as a root user:

# setenforce 0

If you are having issues booting and would like to boot with SELinux in permissive mode, edit /etc/selinux/config and change the SELINUX variable to permissive (this does not change the currently running mode of SELinux).

To disable SELinux, simply change the SELINUX variable in /etc/selinux/config to disabled and reboot the server.



Go to Selinuxproject.org to learn more about SELinux

Web & Cloud LLC - Engineering Tech for a Better Tomorrow! Web and Cloud is a tech-enabled company pushing the boundaries of what's possible in tech since 2003. We are a tech-enabled firm, a digital inclusion advocate, and a reliable technology partner for companies and organizations of all sizes. Contact us at Webandcloud.com and let's discuss your challenges or a strategic partnership with Web & Cloud.