[TBD]Some useful info about selinux

Introduction

Laymen explanation

If you wanted to created web server for your need, you might needed to give access to few pages without login. To allow remote anonymous access to a Web server, firewall ports must be opened. However, this gives malicious users an opportunity to crack the system through a security exploit, if they compromise the Web server process and gain its permissions — the permissions of Apache user and Apache group, which user/group has read write access to things like document root (/var/www/html), as well as the write access to /var, /tmp and any other directories that are world writable. This seems terrifying. But who will help to avoid such attacks? Apache itself can't. You might ask why? It is because apache itself is running as a service under the umbrella of operating environment (which is Linux). So, here Linux comes for help in the form of SELinux.

Technical explanation

Security-Enhanced Linux is an additional layer of system security. The primary goal of SELinux is to protect the users’ data from system services that have been compromised. Most Linux administrators are familiar with the standard user/group/other permissions security model. This is a user and group based model known as discretionary access control. SELinux provides an additional layer of security that is object based and controlled by more sophisticated rules, known as mandatory access control.

How it works

Under discretionary access control, every process can access any object. But when SELinux enables mandatory access control, then a particular context is given to an object. Every file, process, directory and port has a special security label, called a SELinux context. A context is a name that is used by the SELinux policy to determine whether a process can access a file, directory or port. By default, the policy does not allow any interaction unless an explicit rule grants access. If there is no rule, no access is allowed.

SELinux has customized enforcing states-

enforcing(good for enforcement),

permissive(good for troubleshooting),

disabled

SELinux is not ..

It is not replacement for password, firewall or anti-virus

SELinux is

SELINUX is all about labelling. It puts label on processes, users and files. It makes decision based on these labels.

It provides policy based access control. Policy is based on

• Role Based Access Control

• Multi Level Security

Useful commands

Useful link: http://opensourceforu.com/2018/01/reduce-security-risks-selinux/

Useful points

• For newly created files, the SELinux context of a file’s parent directory determines the initial SELinux context. The context of the parent directory is assigned to newly created files.

• If a file is created elsewhere and the permissions are preserved (as with mv cp -a), the original SELinux context will be unchanged. the permission is preserved by using the mv command while the cp command will not preserve the permission, which will be the same as that of the parent directory. To restore the permission, run restoreconwhich will give the parent directory permission to access the files.