Security Enhanced Linux, or SELinux, is an exciting security
project that is reaching maturity and poised to revolutionize the way
Linux security administration is performed. Originally developed by the
National Security Agency and released as an open source project, but now
breaking into the mainstream in Red Hat, Fedora, Gentoo, and the new
release of EnGarde Secure Linux 3.0, it incorporates Mandatory Access
Control into a base Linux system. This is a revolutionary advance, but
is also very different from the standard Linux security model.
Standard Linux file permissions use the Discretionary Access
Control (DAC) model. Under DAC, files are owned by a user and that user
has full control over them, including the ability to grant access
permissions to other users. The root account has full control over every
file on the entire system. An attacker who penetrates an account can do
anything with the files owned by that user. For example, an attacker who
compromises a web server has full control over all files owned by the
webserver account. Worse, if an application runs under the context of
the root user, an attacker penetrating it now has full control over the
entire system.
SELinux supplements Discretionary Access Control with Mandatory
Access Control (MAC). Under MAC, the administrator writes a security
policy that defines access rights for all users and applications. MAC
in effect provides each application with a virtual sandbox that only
allows the application to perform the tasks it is designed for and
explicitly allowed in the security policy to perform. For example, the
webserver process may only be able to read web published files and serve
them on a specified network port. An attacker penetrating it will not be
able to perform any activities not expressly permitted to the process
by the security policy, even if the process is running as the root user.
Files are assigned a security context that determines what specific
processes can do with them, and the allowable actions are much more finely
grained than the standard Unix read/write/execute controls. For example,
a web served file would have a context allowing the apache process to
read it but not execute or make changes to it, while the log files would
be appendable but not readable or otherwise changeable by apache. Network
ports are also assigned a context, which can prevent penetrated
applications from using ports not permitted to them by security policy.
Standard Unix permissions are still present on the system, and will be
consulted before the SELinux policy when access attempts are made. If the
standard permissions would deny access, access is simply denied and
SELinux is not consulted at all. If the standard file permissions would
allow access, the SELinux policy is consulted and access is either
allowed or denied based on the security contexts of the source process
and the targeted object.
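As an added illustration (not part of this article), the following Python model walks through the decision order just described: the Unix permission bits are checked first, and the SELinux policy only when they would allow access, using the apache, web content and log file contexts from the paragraph above. The type names httpd_t, httpd_sys_content_t and httpd_log_t are assumed from the reference policy; the allow rules, file modes and sample objects are constructed for this example.

```python
import stat
from dataclasses import dataclass
@dataclass(frozen=True)
class File:
    owner: str
    mode: int      # Unix permission bits, e.g. 0o644
    context: str   # SELinux type label of the file
@dataclass(frozen=True)
class Process:
    user: str
    context: str   # SELinux domain the process runs in

# Constructed allow rules (domain, type) -> actions, mirroring the article:
# apache may read content but not change or execute it, and may append to
# its logs but not read them.
POLICY = {
    ("httpd_t", "httpd_sys_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"append"},
}
# (owner bit, other bit) consulted by the DAC check; group bits are ignored.
DAC_BITS = {
    "read": (stat.S_IRUSR, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWOTH),
    "append": (stat.S_IWUSR, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXOTH),
}

def dac_allows(proc, f, action):
    """Standard Unix check: root bypasses it, otherwise owner or other bits."""
    if proc.user == "root":
        return True
    owner_bit, other_bit = DAC_BITS[action]
    return bool(f.mode & (owner_bit if proc.user == f.owner else other_bit))

def mac_allows(proc, f, action):
    """SELinux check: the (domain, type) pair must carry an allow rule."""
    return action in POLICY.get((proc.context, f.context), set())

def check_access(proc, f, action):
    """Return (allowed, deciding layer). A DAC denial short-circuits, so the
    SELinux policy is only consulted when the Unix bits would allow access."""
    if not dac_allows(proc, f, action):
        return False, "dac"
    return mac_allows(proc, f, action), "selinux"

# Constructed sample objects used by the checks below.
APACHE = Process("apache", "httpd_t")
ROOT_APACHE = Process("root", "httpd_t")
WEB_PAGE = File("root", 0o644, "httpd_sys_content_t")
ACCESS_LOG = File("apache", 0o600, "httpd_log_t")
```

Running check_access(ROOT_APACHE, WEB_PAGE, "execute") shows the point of the article's last sentence: root passes the DAC check, yet the request is still refused by the policy.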
All major Linux distributions have at least some involvement with
SELinux development, and properly maintaining these systems requires at
least some understanding of the internals of SELinux.
The internal characteristics of SELinux are rapidly being developed,
and as such, documentation frequently needs to be updated to reflect
these changes. Below are a few online references maintained and written
by LinuxSecurity.com staff and are updated frequently:
Security-Enhanced Linux Administration - A discussion of how a SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.
Security-Enhanced Linux Policy Development - Customizing your system's SELinux policy can be necessary when running an application your policy is unaware of. In particular, web-based applications might need customization of the Apache policy in order to run properly.
Security-Enhanced Linux QuickStart Guide - This guide is meant for the experienced systems administrator who needs to learn more about administering servers running Security Enhanced Linux. A brief overview of SELinux history and concepts will be followed by details of day-to-day administration of an SELinux server and how this differs from the vanilla Linux security model.