Bobcares

Why disable SELinux (I/III)

PDF Header PDF Footer

The purpose of this article is to cover basic concepts and operations of administering SE Linux on an RHEL or Fedora system. This was penned to make an intro level HOWTO for getting started with SE Linux. My friend has already given an intro for this topic and I am just covering more on administering policies.

Many of us have the feeling that SELinux is too complex and forces too many changes on fundamental Linux concepts. This article covers the more basic aspects of SE Linux, and it covers topics like :

* How to use all the administrative commands that relate to SE Linux

* Difference between targeted and strict policies

* Some troubleshooting tools, that come in handy.

So I hope after going through this article, you will think of looking at SELinux as a solution rather than a problem. Yes, I have seen many forums posts that suggests disabling SELinux as a ready-made fix. Believe me, SELinux is there for a reason, and the fix for the problem probably lies in effective policy administration.

History

SELinux was developed by United States National Security Agency, NSA as a research project. Traditional linux leaves access control to the ‘system user’. User decides who can access their files, based on group membership. With the ACL option turned on in the file system, user can fine grain this control.

With SELinux, a concept called Mandatory Access Control (MAC) is introduced. We let the Security Administrator decide who can do what to which files. Users are put in domains and even if a user wants to share a file with another user, this will fail unless they are put in same domain. A Security administrator can decide that normal users cannot see certain files. If a user account is compromised the attacker cannot access these files. Even root account is under this.

Want to know more about MAC and DAC comparison? Refer to SELinux: For A Secure Web Space.

Architecture

In the SELinux environment, each system process(subjects) lives in a domain. Domain is an isolated sandbox kind of an environment, that defines the capabilities of that subject(process). Capabilities like say the files that a process can access.

Every object(files, directories, network-sockets) and every subject(process) has a security context. This security context has three attributes:

* User Identity

* Role

* Type
Typically the security context is displayed in the following format.

 user_identity:role:type:sensitivity:category

Security Policy and Context Explained

A Security policy is a set of rules that guide the SELinux engine. Security policy controls what SELinux identity, a process(subject) is assigned, when it starts. The identity determines which roles are accessible to a particular process. Roles are used to determine which domains the process can switch to.
We will be focusing on type based enforcements, rather than role based models, as that is what is generally used by an administrator.
As mentioned earlier, three SELinux security attributes user, role and type, together make up the security context.

 user_identity:role:type:sensitivity:category

User identities usually end in ‘_u’. eg: system_u
Roles are described with an ‘ _r’. eg: object_u
Processes(subjects) are executed in “domains”. Resources(objects) related to the process live in protected domain which are named as ‘types’. Normally subjects and objects which are associated with a domain or a type usually end with an ‘_t’. eg: httpd_exec_t (process/domain) or httpd_t (file/type).
Processes relate to domains, and objects(say files) relate to types. And both these are represented in a context with an “_t”.
More on Policy administration, and troubleshooting to follow…

Jimmy


About the Author :

Jimmy Works as Senior Software Engineer in Bobcares. He joined Bobcares back in Jan 2007. During his free time, he watches movies, and enjoys reading.


Co-Authored by Sankar.H

0 Comments

Get featured on the Bobcares blog and share your expertise with a global tech audience.

WRITE FOR US
server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

GET UP TO 25% OFF

cPanel Support

Spend time on your business, not on your servers.

Managing a server is time consuming. Whether you are an expert or a newbie, that is time you could use to focus on your product or service. Leave your server management & end-user tech support to us, and use that time to focus on the growth and success of your business.

TALK TO US Or click here to learn more.

Speed issues driving customers away?
We’ve got your back!