gyptazy

DevOps

Developer

IT Consultant

gyptazy

DevOps

Developer

IT Consultant

Blog Post

SELinux & Policies – A short Overview

SELinux & Policies – A short Overview

Security-Enhanced Linux (SELinux) is a security module in Linux kernel that provides mandatory access control (MAC) framework for controlling and managing access to various resources within a Linux system. SELinux was developed by the National Security Agency (NSA) and released as open-source software in 2000. Since then, SELinux has become an integral part of many Linux distributions, including Fedora, Red Hat Enterprise Linux, CentOS, Debian and Garden Linux.

The purpose of SELinux is to provide fine-grained access control to system resources such as files, directories, devices, network ports, and system calls. SELinux goes beyond the traditional Unix file permission model and enables administrators to define policies that determine which processes can access which resources. This allows for a more granular level of control over the system and makes it more difficult for attackers to exploit vulnerabilities.

SELinux uses a set of rules called policies to define the access control framework. These policies are stored in the file system and are loaded into the kernel at boot time. The policies define a set of rules that are used to determine the level of access that processes and users have to various resources within the system.

The policies in SELinux are based on the concept of labels. Each resource in the system is labeled with a security context, which consists of a set of attributes that describe the resource. For example, a file might have a label that includes the file name, the file type, the file owner, and the security level. A process might have a label that includes the process name, the process owner, and the security level.

When a process requests access to a resource, SELinux checks the security context of the process and the resource to determine whether the request should be allowed or denied. If the request is allowed, the process is granted access to the resource. If the request is denied, the process is blocked from accessing the resource.

SELinux has three modes of operation: enforcing, permissive, and disabled. In enforcing mode, SELinux enforces the policies and blocks access to resources that do not match the policies. In permissive mode, SELinux does not block access to resources but logs all violations to the system log. This allows administrators to test policies without blocking access to resources. In disabled mode, SELinux is turned off and does not enforce any policies.

SELinux also includes a set of tools for managing policies and troubleshooting problems. These tools include the SELinux Management Tool (semanage), the Policy Generation Tool (genhomedircon), and the Audit Log Tool (auditd).

While SELinux provides a powerful mechanism for controlling access to system resources, it can be complex and difficult to configure. It requires a deep understanding of the Linux security model and the policies used by SELinux. For this reason, many administrators choose to use more user-friendly security modules such as AppArmor or grsecurity.

To understand how SELinux works in detail, it is important to first understand the basic concepts that it uses:

  • Policies: Policies are a set of rules that define what actions are allowed or denied on a system. SELinux policies define what actions can be taken on objects within the system, such as files, directories, network ports, and system calls.
  • Labels: Labels are a set of attributes that are assigned to objects within the system. Each object has a label that defines what it is, what it can do, and how it can be accessed.
  • Contexts: Contexts are a combination of labels that are assigned to both objects and subjects (users, processes, and services) within the system. A context is used to define the relationship between an object and a subject.

Now, let’s take a deeper dive into how SELinux works:

  • When a user or process attempts to access an object within the system, SELinux first checks the context of the subject and the context of the object to see if they are compatible. If they are not compatible, access is denied.
  • SELinux then checks the policy to see if the requested action is allowed. If the action is not allowed, access is denied.
  • If the requested action is allowed by the policy, SELinux enforces the policy by creating an access vector cache (AVC). The AVC stores information about the subject, the object, and the requested action. This information is used to enforce the policy on subsequent requests.
  • If a violation of the policy occurs, SELinux logs an error message to the system log. In enforcing mode, the requested action is denied. In permissive mode, the action is allowed but logged to the system log.
  • SELinux includes a set of tools for managing policies and troubleshooting problems. These tools include the SELinux Management Tool (semanage), the Policy Generation Tool (genhomedircon), and the Audit Log Tool (auditd).

To understand how SELinux works in detail, it is important to first understand the basic concepts that it uses:

  1. Policies: Policies are a set of rules that define what actions are allowed or denied on a system. SELinux policies define what actions can be taken on objects within the system, such as files, directories, network ports, and system calls.
  2. Labels: Labels are a set of attributes that are assigned to objects within the system. Each object has a label that defines what it is, what it can do, and how it can be accessed.
  3. Contexts: Contexts are a combination of labels that are assigned to both objects and subjects (users, processes, and services) within the system. A context is used to define the relationship between an object and a subject.

Now, let’s take a deeper dive into how SELinux works:

  1. When a user or process attempts to access an object within the system, SELinux first checks the context of the subject and the context of the object to see if they are compatible. If they are not compatible, access is denied.
  2. SELinux then checks the policy to see if the requested action is allowed. If the action is not allowed, access is denied.
  3. If the requested action is allowed by the policy, SELinux enforces the policy by creating an access vector cache (AVC). The AVC stores information about the subject, the object, and the requested action. This information is used to enforce the policy on subsequent requests.
  4. If a violation of the policy occurs, SELinux logs an error message to the system log. In enforcing mode, the requested action is denied. In permissive mode, the action is allowed but logged to the system log.
  5. SELinux includes a set of tools for managing policies and troubleshooting problems. These tools include the SELinux Management Tool (semanage), the Policy Generation Tool (genhomedircon), and the Audit Log Tool (auditd).

SELinux uses a set of rules called policies to define the access control framework. These policies are stored in the file system and are loaded into the kernel at boot time. The policies define a set of rules that are used to determine the level of access that processes and users have to various resources within the system. SELinux policies are based on a hierarchical model that defines levels of access based on the security level of the object and the subject. This hierarchical model includes the following levels:

  • Unconfined: Processes and users that are not subject to any SELinux policies.
  • User: Processes and users that are subject to SELinux policies that are specific to the user.
  • Role: Processes and users that are subject to SELinux policies that are specific to the role that they perform.
  • Type: Processes and users that are subject to SELinux policies that are specific to the type of object that they are accessing.
  • Level: Processes and users that are subject to SELinux policies that are specific to the security level of the object that they are accessing.

By using this hierarchical model, SELinux provides fine-grained access control to system resources. This makes it more difficult for attackers to exploit vulnerabilities within the system.

SELinux policies are based on a mandatory access control (MAC) model, which means that access to system resources is controlled by the operating system rather than by the user or the application. This is in contrast to discretionary access control (DAC), which allows the user or the application to control access to resources.

The policies are based on a set of rules that define the relationship between subjects (users, processes, and services) and objects (files, directories, network ports, and system calls) within the system. These rules define what actions are allowed or denied based on the context of the subject and the object.

SELinux policies use a set of labels to define the context of subjects and objects. These labels are used to define the type, role, and level of the subject and object. The type label defines the object’s characteristics, such as whether it is a file, a directory, or a socket. The role label defines the subject’s role, such as whether it is an administrator or a user. The level label defines the security level of the subject or object, such as whether it is classified or unclassified.

SELinux policies are built using a set of tools that are provided by the Linux distribution. These tools include the Policy Generation Tool (genhomedircon), the SELinux Management Tool (semanage), and the Audit Log Tool (auditd).

The Policy Generation Tool is used to create custom policies for specific applications. This tool uses a configuration file that defines the access control rules for the application. The tool compiles the configuration file into a policy module that can be loaded into the system.

The SELinux Management Tool is used to manage the SELinux policies on the system. This tool is used to create, modify, and delete policies and policy modules. It is also used to manage the contexts and labels that are used by the policies.

The Audit Log Tool is used to log information about the system’s activities. This tool is used to log information about SELinux policy violations and other security-related events. The log files can be used for troubleshooting and for auditing purposes.

And where could these policies be used? Some examples:

  • Network policies: SELinux policies can be used to define which network ports are allowed to be accessed by specific applications or services. For example, a policy can be defined to allow the Apache web server to access the HTTP and HTTPS ports but deny access to other ports.
  • File system policies: SELinux policies can be used to define which files and directories are accessible by specific applications or services. For example, a policy can be defined to allow a database application to read and write to its own data directory but deny access to other directories on the system.
  • Process policies: SELinux policies can be used to define the actions that specific processes are allowed to perform. For example, a policy can be defined to allow a web server process to start and stop other processes but deny access to system configuration files.
  • User policies: SELinux policies can be used to define the actions that specific users are allowed to perform. For example, a policy can be defined to allow a user to run a specific application but deny access to other system resources.
  • Role-based policies: SELinux policies can be used to define the roles that specific users or processes can perform. For example, a policy can be defined to allow a user with the “administrator” role to perform system administration tasks but deny access to other users.
  • Label-based policies: SELinux policies can be used to define the labels that are associated with specific files and directories. These labels can be used to enforce access control rules based on the context of the file or directory. For example, a policy can be defined to deny access to files with the label “confidential” to users without the appropriate clearance level.

Overall, SELinux policies provide a powerful toolset for enforcing access control rules and enhancing the security of a Linux system. By using policies to define the relationships between subjects and objects within the system, SELinux helps to prevent unauthorized access and reduce the risk of security breaches. In conclusion, SELinux is a powerful security module for Linux that provides fine-grained access control to system resources. It is based on the concept of labels and uses policies to enforce access control rules. While it can be complex and difficult to configure, it provides a high level of security and is widely used in many Linux distributions.

My SELinux implementation in Garden Linux might also be interesting for you.

Taggs: