SELinux

From Funtoo
Revision as of 06:03, September 16, 2016 by Chry

Security-Enhanced Linux

Security-Enhanced Linux (SELinux) is a set of patches to the Linux kernel and some user space utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel in contrast to standard UNIX discretionary access control (DAC).

Introduction

A Linux kernel integrating SELinux enforces policies that confine programs' and system servers' access to files and network resources. This confinement mechanism operates independently of the traditional Linux (discretionary) access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

With SELinux incorporated, files (including directories and devices) and network (TCP/UDP) ports are referred to as objects. Processes, such as user-executed commands or web browsers (pretty much all user space applications), are referred to as subjects.

To help you get a better understanding of how this works, let's take a look at a few examples.

The following is an example of permissions formed by standard discretionary access control (DAC), which is the default on all Linux systems:

user $ ls -l funtoo.file
-rwxrw-r--. 1 funuser fungroup 0 Sep 16 07:14 funtoo.file

In this example, the first three permission bits, rwx, control the access the "funuser" user (the owner) has to funtoo.file. The next three permission bits, rw-, control the access the "fungroup" group has to funtoo.file. The last three permission bits, r--, control the access everyone else has to funtoo.file, which includes all other users and processes.

Now let's take a look at the same file labeled with SELinux's mandatory access control (MAC):

user $ ls -lZ funtoo.file
-rw-r--r--. 1 funuser fungroup unconfined_u:object_r:user_home_t 0 Sep 16 07:14 funtoo.file

As you can see, we now have 3 additional labels:

  1. unconfined_u (a user)
  2. object_r (a role)
  3. user_home_t (a type)

These 3 labels together are called the SELinux context, and are viewed with the ls -Z command. This context is used to make access control decisions.

With DAC, access is controlled based only on Linux user and group IDs.

   Important

Keep in mind that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
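The following is an added toy model, not code from the Funtoo wiki or from SELinux itself, that ties the two ideas above together: it parses the context triple (user:role:type, plus an optional level on MLS/MCS systems) out of an ls -lZ line, and then evaluates a request in the order the note describes, DAC permission bits first and the SELinux type-enforcement rule only if DAC allowed. The POLICY table, the subject contexts and the ls -lZ line are constructed samples; the real kernel consults the loaded policy and its access vector cache, and also considers roles and users, which this model ignores.

```python
"""Toy model of the access decision order described on the page:
DAC bits are checked first; the SELinux context is consulted only if DAC
allowed. Constructed illustration, not Funtoo or kernel code."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: Optional[str] = None  # MLS/MCS range, present on some systems


def parse_context(ctx: str) -> Context:
    """Split 'user_u:role_r:type_t[:level]' into its components."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else None
    return Context(parts[0], parts[1], parts[2], level)


def parse_ls_Z(line: str) -> dict:
    """Parse one line of 'ls -lZ' output (constructed sample format)."""
    fields = line.split()
    mode, _links, owner, group, ctx = fields[:5]
    return {"mode": mode.rstrip("."), "owner": owner, "group": group,
            "context": parse_context(ctx), "name": fields[-1]}


def dac_allows(mode: str, owner: str, group: str,
               uid_name: str, groups: Set[str], want: Set[str]) -> bool:
    """Classic owner/group/other check on the rwx bits of a mode string."""
    bits = mode[1:10]
    if uid_name == owner:
        slot = bits[0:3]
    elif group in groups:
        slot = bits[3:6]
    else:
        slot = bits[6:9]
    return all(c in slot for c in want)


# Constructed toy type-enforcement policy: (subject type, object type) -> perms.
# A real policy has thousands of such allow rules; absence means deny.
POLICY = {
    ("user_t", "user_home_t"): {"r", "w", "x"},
    ("httpd_t", "httpd_sys_content_t"): {"r"},
}


def mac_allows(subject: Context, obj: Context, want: Set[str]) -> bool:
    """Type enforcement only: look the (subject, object) type pair up."""
    allowed = POLICY.get((subject.type_, obj.type_), set())
    return want <= allowed


def check_access(entry: dict, subject_ctx: str, uid_name: str,
                 groups: Set[str], want: str) -> Tuple[bool, str]:
    """Return (decision, reason). DAC is consulted before SELinux, so a
    DAC denial is reported without ever looking at the policy."""
    wanted = set(want)
    if not dac_allows(entry["mode"], entry["owner"], entry["group"],
                      uid_name, groups, wanted):
        return (False, "dac")
    if not mac_allows(parse_context(subject_ctx), entry["context"], wanted):
        return (False, "selinux")
    return (True, "allowed")


# Constructed ls -lZ line matching the one shown above.
SAMPLE = ("-rw-r--r--. 1 funuser fungroup "
          "unconfined_u:object_r:user_home_t 0 Sep 16 07:14 funtoo.file")

if __name__ == "__main__":
    entry = parse_ls_Z(SAMPLE)
    print(entry["context"])
    print(check_access(entry, "unconfined_u:unconfined_r:user_t",
                       "funuser", {"fungroup"}, "rw"))
    print(check_access(entry, "system_u:system_r:httpd_t",
                       "funuser", {"fungroup"}, "r"))
    print(check_access(entry, "unconfined_u:unconfined_r:user_t",
                       "other", set(), "w"))
```

The third call is the case the note is about: a non-owner asking for write is refused by the r-- "other" bits, and the policy table is never consulted, so no SELinux denial would be logged for it. The second call shows the opposite direction: DAC lets the owner read, but a subject running as httpd_t has no rule for user_home_t, so SELinux denies.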