All About SELinux

sohail
sohail

Table of Contents

Almost all of us have heard about SELinux. It stands for Security-Enhanced Linux, a set of kernel modifications, patches, tools that separates the security decision security policy. In simpler terms, the control of access to security policies including Mandatory Access Control (MAC) away from the security policies itself.  

What Is SELinux?

I will define these terms in a simpler way now. SELinux actually works on certain policies. These policies control how certain apps, services, users and others can access files, network and all other stuff. So, we can see that SELinux controls the access among various components acting more like a door. One can access the required resources only if he is having access or better-called privilege to access that file.

Now, normally this access or so-called privilege to grant access should be controlled by that resource itself which can be easily manipulated. Here SELinux comes in between taking the control to grant that access from that resource to itself hence separating the security decision from the security policies of that resource itself.

Here is an example to understand it better, assume that you are using a web browser to read this article right now. Can this web browser automatically access your certain picture located in a directory in your internal storage? The answer is No! You will have to manually locate and allow access to that directory to your browser in order to make your browser access that picture. This is an example that you have access to your files but not your client unless you give it permission.

​Your web browser asks you if you want to download and save a certain file into a disk, your gallery app on android asks you to give permission to access your storage. These are some examples of policy control of SELinux. By default, there are different policies that ship with your respective OS. These policies can be edited if you want, mostly differ from OS to OS. You can change these policies at your will if you are an advanced user. ​

Policies

SELinux was created by NSA (Yeah! The government organization that pulls stunts on the public like messing with their privacy) after significant research which indicated that most systems are insecure as some developers don’t spend enough time in making application secure (or users run malicious apps, malware, trojan on their system) and all other reasons which lead to development of SELinux. It is open source and developed continuously by various users. As I said earlier, SELinux works on policies. These policies are written mostly by Tresys Technology except individual developers. You can also contribute to policy development if you want or can create your own policies for your own use.

security enhanced linux selinux

SELinux Status

SELinux has 3 states overall i.e. Enforcing, Permissive and Disabled respectively. Let me explain this to you what they are and how they are important to you.

The first one is Enforcing. This status means that SELinux is implemented and all policies are enforced. This is a secure state as an app, service can’t access your resource without your intervention as SELinux will prevent it unless there is a rule in the policy present in SELinux. Hence, System is in the most secure state.

The second one is Permissive. This status indicates that SELinux is partially active. It will allow access to the resource if there is a policy, but will also allow access even if there isn’t rule. This status is considered insecure and is only used when a system/app/service is in the early stages as it can lead to system instability.

The main difference between Enforcing and Permissive is that Enforcing logs as well as enforces policies but Permissive only logs but doesn’t enforce policies.

Disable SELinux status means that it’s inactive and the system is completely insecure. Neither logging nor policies are enforced.

However, it is still Linux and not that insecure as you will assume. There are thousands of developers always working on Linux Kernel which ensures that it is safe and secure from different kinds of attacks, bugs.

getenforce selinux

You can check the SELinux status of your machine easily by using command “getenforce” or “sestatus” without quotes.

sestatus selinux command

Installing SELinux

If you are using Fedora, CentOS or any other distro updated in near present there are most chances that SELinux is shipped and enabled by default. As it is developed widely among Linux community almost every present distro is compatible with it like Ubuntu, Linux Mint, Fedora, Arch, and others. Though latest version like beta or alpha are exceptions and they mostly contain SELinux is permissive or Disabled.

Also in case, your OS doesn’t have SELinux installed by default you can install them manually by using this command.

sudo apt-get install selinux 

However, there are some other distros too that don’t ship SELinux but ships a popular alternative called AppArmor. AppArmor and SELinux work in different ways. You can also install App Armor if you want. I personally use AppArmor due to different facts. However, SELinux is considered to more secure, mature than AppArmor and is more utilized.  

Important Links

SELinux Wiki, AppArmor and SELinux (Linux Mint), SELinux (Arch)  

Conclusion

SELinux is an important part of the security of Linux based distros. Even Android started shipping its builds from Lollipop with SELinux Enforce. I recommended that you should use SELinux on your machine and keep it in enforce mode as long as possible. You can change to permissive mode if some app, service or system misbehaves and then add certain exceptions in policy and switch to enforce mode again.

Although SELinux was developed by the NSA, a large group of people is working on it and it is continuously becoming better. Use it, be safe and keep others safe.

ReviewsUncategorizedtutorial