From SELinux Wiki

What is SELinux really?

SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication.

With SELinux, an administrator can differentiate a user from the applications that user runs. For example, the user's shell or GUI may be allowed to do anything with the user's home directory, but if the user runs a mail client, the client may not be able to access certain parts of the home directory, such as the user's ssh keys.

The way that an administrator sets these permissions is with the centralized SELinux policy. The policy tells the system how different components on the system can interact and use resources. The policy typically comes from your distribution but it can be updated on the end system to reflect different configurations or application behavior.

How does SELinux work?

Though it uses multiple security models to do its job, the type enforcement model is the most important to SELinux. A type is a way of classifying an application or resource. Type enforcement is the enforcement of access control on that type. Every file, process, network resource, etc. on an SELinux system has a label, and one of the components of that label is the "type". For example, the files in your home directory are probably labeled user_home_t. user_home_t is the type, and in this case it means that the policy should treat all those files as your home directory files.

Running applications also have labels. For example, your web browser may be running as firefox_t. Type enforcement simply allows you to specify which application label can access which resource label. In the simplest terms, SELinux lets you allow an application to do something with a resource:

allow firefox_t user_home_t : file { read write };

This simply allows your web browser, running as firefox_t, to read and write files in your home directory, labeled as user_home_t.
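The following is an added example, not part of the original wiki page or of any SELinux tool: a small Python model of type enforcement that parses allow rules in the syntax shown above and answers access questions with the default-deny behaviour SELinux applies. The types mailclient_t, maildir_t, user_t and ssh_home_t and the sample labels are assumed names chosen for illustration.

```python
import re

# Constructed sample policy. The first rule is the one quoted on the page; the
# other types (mailclient_t, maildir_t, user_t, ssh_home_t) are assumed names.
SAMPLE_POLICY = """
allow firefox_t user_home_t : file { read write };
allow mailclient_t maildir_t : file { read write create };
allow user_t ssh_home_t : file read;
"""

RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_policy(text):
    """Return {(source_type, target_type, object_class): {permissions}}."""
    rules = {}
    for src, tgt, cls, braced, single in RULE_RE.findall(text):
        perms = set((braced or single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def type_of(label):
    """The type is the third field of a user:role:type[:level] label."""
    return label.split(":")[2]


def is_allowed(rules, process_label, resource_label, obj_class, perm):
    """Default deny: access is granted only if an allow rule names it."""
    key = (type_of(process_label), type_of(resource_label), obj_class)
    return perm in rules.get(key, set())


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    browser = "unconfined_u:unconfined_r:firefox_t:s0"
    mail = "unconfined_u:unconfined_r:mailclient_t:s0"
    home = "unconfined_u:object_r:user_home_t:s0"
    keys = "unconfined_u:object_r:ssh_home_t:s0"
    for proc, res, perm in [(browser, home, "write"), (browser, home, "execute"),
                            (mail, keys, "read")]:
        verdict = "allowed" if is_allowed(rules, proc, res, "file", perm) else "denied"
        print(f"{type_of(proc)} -> {type_of(res)} file:{perm}: {verdict}")
```

The mail client is denied access to the ssh keys not because a rule forbids it, but because no rule allows it.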

Do I have to write policies to use SELinux?

In general, no. Distributions such as Fedora and Red Hat Enterprise Linux come with many policies which allow applications to do everything necessary in their default configurations. If you are a power user who customizes how applications and services work on your system, then you may need to update the policy to reflect that. More often than not, a simple file relabel can enable your custom configuration to work with SELinux.

Where do I get these policies?

When SELinux comes with a distribution, it will have policies included to lock down various applications. The number of applications locked down and how strict the policies are depend on how your distribution has configured the policy. All policies included in distributions today, however, are based on the Reference Policy, and therefore a user can add additional policies from the Reference Policy or reconfigure the strictness of the policies. The Reference Policy is available at its project page.

Who writes these policies?

The policies in the Reference Policy are written by distributions based on user feedback of application behaviors and security professionals. Tresys Technology actively maintains the Reference Policy upstream by reviewing and integrating the changes sent to the project mailing list.

Is SELinux a firewall?

Though often confused with one, SELinux is not a firewall. A firewall controls the flow of traffic between a computer and the network. SELinux can confine the access of programs within a computer and hence can be thought of conceptually as an internal firewall between programs. Security works best when multiple layers are used, and SELinux is complementary to a firewall and other security features.

Is it useful for a desktop?

Absolutely. Though most distributions targeted services such as Apache when they initially integrated SELinux, there are many desktop services confined, and confining desktop applications is a great way to keep malicious content online from compromising your important data.

Is SELinux enabled on my system?

To find out if SELinux is enabled on your system, you can run sestatus. If the SELinux status says enforcing, you are being protected by SELinux. If it says permissive, SELinux is enabled but is not protecting you, and disabled means it is completely disabled.

Why should I use SELinux?

In short, because SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com", not "I tell my browser to go to google.com and it does so on my behalf"). However, applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions of lines of code do, there is no way to know if an application will really do what you tell it or if it becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself, thereby limiting what an exploited application can do.

How do I disable SELinux?

Though we feel that most users should leave SELinux enabled, especially because it can help mitigate zero-day attacks, we understand that there are some circumstances where it may need to be disabled.

If you feel like SELinux is stopping an application from working, it is best to put it in permissive mode and test the application. If the application runs correctly in permissive mode but not in enforcing mode, you may need to add some rules to the policy or relabel some files. Check the users and administrators section for details on doing this.

To put an SELinux system into permissive mode temporarily, you can run setenforce as root:

# setenforce 0

If you are having issues booting up and would like to boot your system with SELinux in permissive mode, you can edit the /etc/selinux/config file and change the SELINUX variable to permissive (this will not set the current running mode of SELinux).

To disable SELinux altogether you can change the SELINUX variable in /etc/selinux/config to DISABLED and reboot.
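Because setenforce changes only the running mode and /etc/selinux/config changes only the mode used at boot, the two can disagree. The following added example (not part of the original page) compares them and reports when a host is not enforcing now, will not enforce after reboot, or has drifted. It assumes selinuxfs is mounted at /sys/fs/selinux, and it compares the SELINUX value case-insensitively as a choice made for this example.

```python
import re


def configured_mode(config_text):
    """Return the SELINUX= value from /etc/selinux/config text, lowercased."""
    mode = None
    for line in config_text.splitlines():
        # Anchored match: skips '#' comments and the SELINUXTYPE= line.
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)
        if m:
            mode = m.group(1).lower()
    return mode


def running_mode(enforce_text):
    """Map the content of /sys/fs/selinux/enforce to a mode name.

    None means the file does not exist, which this example treats as disabled.
    """
    if enforce_text is None:
        return "disabled"
    return "enforcing" if enforce_text.strip() == "1" else "permissive"


def audit(config_text, enforce_text):
    """Return a list of findings; an empty list means enforcing now and at boot."""
    boot, now = configured_mode(config_text), running_mode(enforce_text)
    findings = []
    if now != "enforcing":
        findings.append(f"running: {now} (policy is not enforced right now)")
    if boot != "enforcing":
        findings.append(f"boot: {boot} (next boot will not enforce)")
    if boot != now:
        findings.append(f"drift: running {now}, configured {boot}")
    return findings


def read_or_none(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    cfg = read_or_none("/etc/selinux/config") or ""
    result = audit(cfg, read_or_none("/sys/fs/selinux/enforce"))
    print("\n".join(result) if result else "enforcing now and at boot")
```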