SELinux: For A Secure Web Space
Linux is a premium force in the web hosting industry, which is also achieving popularity as a PC operating system nowadays. When it comes to hosting a website, Linux web servers are primarily chosen due to their flexibility, stability and security of services. But as we all know, security of all operating systems revolve around controlling access and is hence subject to exploits. Since Linux is open source, vulnerabilities can be easily exploited by potential attackers to gain illegal access to a web server. As a measure of securing Linux at every level, from the kernel up, Security Enhanced Linux (SELinux) was developed.
The development of SELinux or Security Enhanced Linux was initiated by the National Security Agency, the University of Utah, and the Secure Computing Corporation. The architecture was called Flask operating system, implemented with mach micro kernel.
With this article, l will explain the basics of SELinux. SELinux implements MAC [Mandatory Access Control] instead of the traditional DAC [Discretionary Access Control].
DAC and Limitations
Linux distributions normally incorporate the Discretionary Access Control (DAC) mechanism, that lets resource owners decide who can access a resource and how.
DAC implements security by denying access based on the identity of groups to which the user belongs. Using DAC, there are two user levels in the OS; Administrator and Non-administrator. The administrator is simply the root user or a user with root privileges. If a non-administrator user is to have administrative privileges, the user has to be added, either to a wheel user group or in sudoers. Most often, full privileges will have to be given to this user.
It was soon realized that DAC was not the best solution, as it gave applications the privileges of the user running them. One compromised application running as root could ultimately affect the entire web server. In a compromised web server, through a global writable file or directory, malicious codes or softwares could get administrative privileges using setuid.
All these reasons led security experts to develop Mandatory Access Control (MAC), which grants access to resources as defined by a security policy, regardless of the user running the application.
MAC [Mandatory access control]
This is also called non-DAC. In simple terms, MAC uses the principle of least privilege, where processes/objects or users have the minimal privileges that are required for their normal functioning. Administrators can define security policies for subjects/objects, to interact with other parts of the system.
LSM (Linux Security Modules)
This framework was developed to support a variety of computing security models in the Linux kernel. LSM was released under GNU-GPL and is now part of all the latest Linux kernels. LSM enables the implementation of MAC, with least amount of changes in the Linux kernel.
In a web server, SELinux is based on two technologies: Type Enforcement and RBAC [role-based access control ]. Type enforcement, which is described in a policy file, defines a type for each subject/process and object. Each file has security labels and these labels contain the type of policy. They are stored in xattrs [called extended attributes]. By default, all interactions between subjects and objects will be denied in SELinux.
Using the policies, a matrix can be derived that defines the interactions of each process used by the Type Enforcement.
How to Enable/Disable SELinux?
SELinux is available in all major distros by default. During the installation of Linux [RedHat/Fedora], you will be prompted to enable or disable SELinux along with the firewall option.
In Fedora/Redhat, SELinux can be enabled or disabled by editing the file
“/etc/selinux/config “. There are 3 modes for the parameter SELINUX. They are:
SELINUX = disabled
SELINUX = permissive
SELINUX = enforcing
The values ‘
disabled‘ and ‘
permissive‘ are mainly used to disable SELinux in a server.
The value “
disabled” will completely switch off SELinux. All operations will be allowed to work normally and the policies of security attributes will not have any effect on the services or files.
The value “
permissive” will allow all operations, but logs those which can be denied using the policy. All warnings get logged, thereby allowing the audit of each process interaction for creating corresponding policy rules.
To disable SELinux in a live server temporarily, you may change the value of
/selinux/enforce to zero.
echo 1 >/selinux/enforce : Enable
echo 0 >/selinux/enforce : Disable
cat /selinux/enforce : Check status
If the Linux distro used in a web hosting server does not have the file
/etc/selinux/config, SELinux can be disabled or enabled by adding the line “enforcing=0” or “enforcing=1” to grub.conf under /boot of the web server.
Re-enabling SELinux in a server needs relabeling of all files in the server. The server needs to be booted in permissive mode and then the following command has to be run to relabel the files.
This can be also achieved by creating a file named autorelabel [like autofsck]. It will be processed in the next reboot of the web server.
After getting the system fully labelled, the status needs to be changed to “
enforcing”, to make SELinux fully functional.
SELinux Boot Process
Unlike the normal boot process, the following are the steps performed during the boot up of an SELinux enabled kernel.
- The kernel will run as
kernel_tand all applications will use it.
/sbin/initprocess which is also running as
kernel_twill load the policy file to the kernel.
- After the init load, it will be re-executed and gets labelled as
- When kernel_t executes
init_exec_tapplications, it will be switched to
init_t,which is a rule hard coded in the kernel. Now init will be running as
init_texecutes an application, say
sysinitwhich is labelled as
initrc_exec_t, the transition to
initrc_execwill be performed as per the rule.
- This process will continue.
For all other processes, the kernel will check the policy file and grant or deny access, as per the rules written. The denied messages will be logged for reference.
To know more about policy files, refer the following links.
If a program is compromised, SeLinux does not permit further access to the system, rather, it restricts access to the infected system. SELinux also protects data from being shared incorrectly. SELinux can also be used with distros other than Redhat and Fedora – Debian [as of etch release], Ubuntu [from version 8.x], Yellow Dog Linux, Gentoo, Slackware are supported.
With SELinux in place, it is possible for web hosts to offer a better and highly secure web space. There are other security models too, used in Linux, instead of SELinux. Grsecurity, AppArmor, Rule Set Based Access Control [RSBAC], PaX are a few of them.
About the Author :
Suresh M, has been working with Bobcares for over three years and he is an expert in Parallels pro panel, Ensim and Linux Server Administration. His other areas of interest are Astronomy and Photonics. When he gets free time, Suresh loves listening to music and surfing the net for technical articles.