SELinux as the Locker for our Linux
You guys may be confused….😕
What kind of security I am talking about? So lets finish this confusion😉
Its about the Access control for files, processes, ports etc. 💡
Earlier , for this type of security, we work on the concept of Discretionary access control. Now what’s this Discretionary access control, how we use this?
For all these questions, refer to the below link:
The usual permission we use in the linux is called as DAC DAC - Discretionary access control. what is Discretionary…
Now, the question is why we need any extension to the security, when we already have DAC concept?
The Answer is, some limitations of DAC!!🤞 What’s that ?
- * Lets assume a scenario that if the user downloaded the malicious file unknowing for the internet then the file will have permissions as like the other file in the user workspace. As the malicious user may have the permission to access a file unlike the other file it can execute and may access the other file data sometimes take the system down. Basically, the permissions and the access control is depends on the file itself!! But it can be dangerous too😨
What to do in this case??……🤔💭
I just remember the concept of SELinux which is Security-Enhanced Linux!!
What is SELinux??
SELinux is the security Architecture that allows administrators to have more control on, who can access the system.
🤩 National Security Agency (NSA) added a security patch to Linux Kernel using Linux Security Modules(LSM).
I think instead of just knowing it theoretically, it would be more interesting to know that how does it work and on which concept!! isn’t it ? 🤔
Lets directly jump to how it works??
SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy.
Let’s understand the scenario first:
When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects. Like which object is accessible by which subject as per the permissions.
If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied.
If permission is denied, an “avc: denied” message will be available in /var/log.messages
Its Amazing, how securely it is allowing a subject to access an object.🤩
Is it enough to just know about how it works or we should also go for its configuration part? I think we should 😄
To configure SELinux
Basically there are 2 ways:
- Targeted Policy(mostly used, default option)
- Multi Level Security(generally used by govt. organizations)
Targeted policy is the default option and covers a range of processes, tasks, and services.
To see how the type is targeted🧠, go to the file “/etc/sysconfig/selinux”
Here we are not using MLS, we are using targeted policy⭐
This file also giving us some information regarding the selinux mode, through SELINUX key.
The values of SELINUX key can be enforcing, permissive, disabled, each mode have different meaning. Here enforcing means this SELinux feature is enabled and is helping us to secure our Linux system.
So, what each mode is meant for?🤔
👉 Enforcing: Means that the SELinux policy is in effect and the policies will be followed according to it very strictly.
👉 Permissive: Means handy mode when trying to debug or allow some features to run on some instances which are not allowed in enforcing mode. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements.
It will give an alert message/notification📍
👉 Disabled: When the SELinux policies won’t apply anywhere in the system.
Now we go the next stage of SELinux, that how it actually works, and on which concept!!
So, there are two main concepts on which SELinux works are:
* Type enforcement
SELinux works as a labeling system, which means that all of the files, processes, and ports in a system have an SELinux label associated with them. Labels are a logical way of grouping things together. The kernel manages the labels during boot.
Labels are in the format user:role:type:level (level is optional). User, role, and level are used in more advanced implementations of SELinux, like with MLS.
💡 Label type is the most important for targeted policy.
SELinux uses type enforcement to enforce a policy that is defined on the system. Type enforcement is the part of an SELinux policy that defines “whether a process running(subject) with a certain type can access a file(object) labeled with a certain type.”
You might be very curious🧐 to know that
how these labels are attached with the files or the processes ?
For this, lets take an example and understand with the same:
Suppose root is one user(subject) and /dev/sr0 is the directory(object) that contain all the files and software available for linux.
Lets check the label with our dir /dev/sr0
Here the Label is “RHEL-8–0–0-BaseOS-x86_64”
Now lets move to our user i.e., root
This is how the labels used in general.
But if we talk about SELinux, the label format is different i.e., “SELinux_user:user_role:type”
To access the roles assigned with each file, we use Command: “ls -Z”
The highlighted label is for the system user and for the anaconda-ks.cfg file access control
👉This label is helping the targeted policy for the access control management of the files and devices or processes.
How to Control this SELINUX mode like permissive, enforcing or disabled?? 🤔
There are some points that need to be considered, before enforcing SELinux, that are:
- If SELinux has been disabled in your environment, you can enable SElinux by editing /etc/selinux/config and setting SELINUX=permissive.
2. Since SELINUX was not enabled currently, so instead of enforcing it directly we should put it in permissive mode because everything may be mislabelled.
3. We can also force the system to automatically relabel the filesystem by creating “.autorelabel” file in root directory and then reboot the system. We can also deep dive into auto relabel further.
For now lets focus on selinux 💯
So after successful fixing/relabelling of the filesystem.
Set SELINUX to enforcing with “/etc/selinux/config” and then reboot or simply run the command “setenforce 1”
And you are done with the SELINUX security setup. ✨
Note: If in case anyone(sysadmin) is not familiar with command like then they can use the graphical tool also to manage SELinux. The Graphical tool can be used by installing the package “policycoreutils-gui”
Don’t worry there is a complete process of using this GUI tool, I will definitely share one article for the GUI Installation and Implementation soon.😎
Till the time, go ahead with Command line 😁
Stay tuned for further amazing concepts!!
Keep Sharing, Keep Learning ✨
Thank You 🤗