Under... SELinux standing !
Security-enhanced Linux (SELinux) is an implementation of a mandatory access control (MAC) mechanism. This mechanism is in the Linux kernel, checking for allowed operations after standard Linux discretionary access controls are checked.
Standard Linux security is a discretionary access control model (DAC).
Discretionary access control (DAC)
DAC is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root.
Users can grant risky levels of access to files they own (trust me, you don't want this to happen !!!).
Mandatory access control (MAC)
MAC provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user.
In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects.
Each user and program run by that user has complete discretion over the user's objects.
Malicious or flawed software can do anything with the files and resources it controls through the user that started the process.
If the user is the super-user or the application is setuid or setgid to root, the process can have root level control over the entire file system.
In a MAC system you can administratively define a security policy over all processes and objects.
You control all processes and objects, in the case of SELinux through the kernel.
Decisions are based on all the security relevant information available, and not just authenticated user identity.
MAC under SELinux allows you to provide granular permissions for all subjects (users, programs, processes) and objects (files, devices).
Think of subjects as processes, and objects as the target of a process operation. You can safely grant a process only the permissions it needs to perform its function, and nothing more.
The SELinux implementation uses role-based access control (RBAC), which provides abstracted user-level control based on roles, and Type Enforcement® (TE).
TE uses a table, or matrix, to handle access controls, enforcing policy rules based on the types of processes and objects. Process types are called domains, and the cell of the matrix at the process's domain and the object's type defines their permitted interaction. This system provides extremely granular control in a Linux system.
Controlling and Maintaining SELinux
Use caution when switching policy !!!
Be careful of white space in the file /etc/sysconfig/selinux.
The code is very sensitive to white space, even trailing space.
This is what you will see... probably !
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
Of course, you may choose to set
This ensures that you are not locked out after rebooting. SELinux runs under the correct policy, but still allows you to log in if there is a problem such as incorrect file context labeling.
Set the system to relabel the file system on reboot...
# touch /.autorelabel
OK ! Let's do it...
# shutdown -r now
Be patient ! Depending on your hard drive and the amount of data on it, the reboot (which relabels the whole file system) will take more or less time.
Don't do something you will regret later ;-)
Confirm your changes took effect with...
# sestatus -v
With the new system running in permissive mode, check /var/log/messages for avc: denied messages.
These may indicate a problem that needs to be solved for the system to run without trouble under the new policy.
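Two of the checks above (the whitespace trap in the config file, and scanning /var/log/messages for avc: denied lines) are easy to script. The script below is an added example, not part of the original post; its config files and log lines are constructed here with hypothetical PIDs, inodes and contexts, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: validate /etc/selinux/config-style
# files (catching the stray-whitespace problem above) and summarise avc: denied
# lines from a messages log. All input is constructed here so it runs offline.

# Print the value of KEY from FILE; fail if it is missing or contains whitespace.
selinux_config_value() {
    line=$(grep "^$2=" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*=}
    case "$value" in
        *[[:space:]]*) echo "$2= value has stray whitespace" >&2; return 2 ;;
    esac
    printf '%s\n' "$value"
}
# Accept only the SELINUX= and SELINUXTYPE= values the config comments document.
check_selinux_config() {
    mode=$(selinux_config_value "$1" SELINUX) || return 1
    ptype=$(selinux_config_value "$1" SELINUXTYPE) || return 1
    case "$mode" in enforcing|permissive|disabled) ;; *) return 1 ;; esac
    case "$ptype" in targeted|strict) ;; *) return 1 ;; esac
    printf '%s %s\n' "$mode" "$ptype"
}
# Count avc: denied lines per "tclass:permissions" pair (sorted, one per line).
summarize_avc() {
    awk '/avc: *denied/ {
        perm = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") for (j = i + 1; j <= NF && $j != "}"; j++)
                perm = perm (perm == "" ? "" : ",") $j
            if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (perm != "" && cls != "") count[cls ":" perm]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort
}

# Constructed sample input (hypothetical PIDs, inodes and contexts, FC5-style format).
tmp=$(mktemp -d); GOOD_CFG=$tmp/good; BAD_CFG=$tmp/bad; SAMPLE_LOG=$tmp/messages
printf '# comment\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$GOOD_CFG"
printf 'SELINUX=permissive \nSELINUXTYPE=targeted\n' > "$BAD_CFG"   # note trailing space
cat > "$SAMPLE_LOG" <<'EOF'
Jun 10 12:00:01 host kernel: audit(1149940801.000:10): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=hda2 ino=1234 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jun 10 12:00:01 host kernel: audit(1149940801.000:11): avc:  denied  { search } for  pid=2001 comm="httpd" name="www" dev=hda2 ino=1000 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
Jun 10 12:00:02 host kernel: audit(1149940802.000:12): avc:  denied  { read } for  pid=2002 comm="httpd" name="a.html" dev=hda2 ino=1235 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
EOF
check_selinux_config "$GOOD_CFG"                       # prints: permissive targeted
check_selinux_config "$BAD_CFG" || echo "bad config rejected"
summarize_avc "$SAMPLE_LOG"                            # prints: 1 dir:search / 2 file:read
```

On a real system, point summarize_avc at /var/log/messages and check_selinux_config at /etc/selinux/config before you reboot.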
What ? You don't need SELinux ? OK... Edit /etc/selinux/config once again. Then...
Setting the value to enforcing is the same as adding enforcing=1 to the kernel boot parameters. Setting the value to permissive is the same as adding enforcing=0 to the kernel boot parameters.
Setting the value to disabled is not the same as the selinux=0 kernel boot parameter (this option is not recommended). Rather than fully disabling SELinux in the kernel, the disabled setting instead turns enforcing off and skips loading a policy.
The command line kernel parameter overrides the configuration file.
Be careful when disabling SELinux !
If you boot with selinux=0, any files you create while SELinux is disabled do not have SELinux context information. The file system is marked for relabeling at the next boot. If an unforeseen problem prevents you from rebooting normally, you may need to boot in single-user mode for recovery. Add the option emergency to your kernel boot parameters.
All the above tests were made in a Fedora Core 5 system.