Saturday, 28 September 2013

SELinux: Tiny Tip

SELinux Modes:

Enforcing - The SELinux security policy is enforced. When this mode is set, SELinux is enabled and strictly enforces its policy.

Permissive - SELinux prints warnings instead of enforcing. In this mode, any access that breaches an SELinux policy rule is only logged as a warning; the access itself is not blocked.

Normal model (when SELinux is disabled):

In the regular permissions model, processes run as users, and the files and other resources on the system are labeled with permissions that control which users have what access to which files.


SELinux adds a parallel set of permissions, in which each process runs with an SELinux security context, and files and other resources on the system are also labeled with a security context. The difference from normal permissions is that a configurable SELinux policy controls which process contexts can access which file contexts. Red Hat provides a default policy which most people use.

Another difference with SELinux is that to have access to a file, you must have both regular access and SELinux access. So, even if your process is running as the superuser, root, it may be denied access to a file or resource based on the SELinux security context of the process and of the file or resource!

This allows us to limit the scope of security compromises on the system, even to the root account, by ensuring that processes are confined by the SELinux policy and their security context to only the things they are normally authorized to do.

Here is an example of a normal system that does not have SELinux turned on and is running the Apache HTTPD server:

The web server is available to remote access over the internet. That means that malicious people can try to break into the system through a security bug in the web server. If they succeed, they will have control of a process running as user apache and group apache. Anything readable by that user can now be accessed by that attacker. This includes files and directories that the web server normally has no business working with. A further local-only security bug in one of those may enable the attacker to gain superuser access.

How can SELinux change this?

This is the same system, with SELinux turned on. By default, the SELinux policy denies all access unless rules are included in the policy which permit certain process contexts to access certain file and resource contexts. (The reference policy provided by Red Hat has a carefully tuned set of rules for production systems provided for you.)
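To see the process-context versus file-context model in practice, the denials SELinux records in the audit log are the place to look. The script below is an added example, not part of the original post: it parses constructed AVC denial records in the standard audit.log format for the Apache scenario above (httpd_t being refused access to a home directory, /etc/shadow and a database port) and reports, per process type and target type, whether each denial was blocked (enforcing, permissive=0) or only logged (permissive, permissive=1). The sample log lines, PIDs and inode numbers are made up for the example.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from a real system). The source
# context is the httpd process (httpd_t); the target contexts are labels the
# web server has no business touching. permissive=0 means the kernel was in
# enforcing mode and blocked the access; permissive=1 means it was only logged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1380355200.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="secret.txt" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1380355200.102:202): avc:  denied  { read open } for  pid=1234 comm="httpd" name="shadow" dev="sda1" ino=91 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1380355260.500:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1380355200.101:201): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

def type_of(context):
    """Return the type field (third element) of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Parse AVC denial records into dicts; non-AVC records are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        events.append({
            "perms": m["perms"].split(),
            "source_type": type_of(m["scontext"]),
            "target_type": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            # permissive=1: logged but allowed; 0 or absent: treated as blocked
            "enforced": m["permissive"] != "1",
        })
    return events

def summarize(events):
    """Count denials per (process type, target type, class), split by enforcement."""
    blocked, logged_only = Counter(), Counter()
    for e in events:
        key = (e["source_type"], e["target_type"], e["tclass"])
        (blocked if e["enforced"] else logged_only)[key] += 1
    return blocked, logged_only

if __name__ == "__main__":
    blocked, logged = summarize(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for key, n in blocked.items():
        print("BLOCKED     %s -> %s (%s) x%d" % (key + (n,)))
    for key, n in logged.items():
        print("LOGGED-ONLY %s -> %s (%s) x%d" % (key + (n,)))
```

On a real system the same parser can be pointed at /var/log/audit/log output; a burst of logged-only denials for one source type is the signal to review before switching a host from permissive to enforcing.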

Cheers!