Security-Enhanced Linux (SELinux) is a security module integrated into the Linux kernel that provides a mechanism for enforcing mandatory access controls (MAC). Unlike traditional discretionary access controls (DAC), which rely on user permissions, SELinux applies security policies that define what actions processes and users can perform on a system. This results in a more robust security model, minimizing the risk of privilege escalation and unauthorized access.
Why Use SELinux?
SELinux enhances the security of Linux systems by enforcing strict access controls. It is particularly useful for environments where security is a priority, such as servers, enterprise systems, and containers. Key benefits include:
- Least Privilege Enforcement: Ensures processes and users have only the necessary permissions.
- Damage Containment: Limits the impact of a compromised application by preventing it from accessing unauthorized resources.
- Policy-Based Control: Uses predefined and customizable policies to govern system behavior.
- Protection Against Zero-Day Exploits: Mitigates certain attacks by restricting what processes can do, even if they are exploited.
SELinux Modes
SELinux operates in three different modes:
- Enforcing: The strictest mode, where SELinux actively enforces policies and denies unauthorized actions.
- Permissive: Logs policy violations but does not enforce them, useful for troubleshooting and policy development.
- Disabled: SELinux is turned off completely, so no SELinux policy is loaded and only standard DAC permissions apply.
You can check the current SELinux mode with:
sestatus
To temporarily switch to permissive mode, use:
sudo setenforce 0
To re-enable enforcing mode:
sudo setenforce 1
To make changes permanent, edit the SELinux configuration file at /etc/selinux/config and modify the SELINUX= line.
SELinux Contexts and Labels
SELinux uses labels to enforce security policies. Every file, process, and network port has a security context consisting of:
- User (e.g., system_u)
- Role (e.g., object_r)
- Type (e.g., httpd_t for web server processes)
- Sensitivity (optional, used in Multi-Level Security environments)
You can view the SELinux context of a file with:
ls -Z /var/www/html/index.html
To change the context, use the chcon command:
sudo chcon -t httpd_sys_content_t /var/www/html/index.html
For a permanent change that survives a relabel, record the rule with semanage fcontext and then apply it with restorecon:
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -Rv /var/www/html
Managing SELinux Booleans
SELinux allows toggling specific security features using Booleans. These are adjustable settings that modify how policies are applied. You can list available Booleans with:
semanage boolean -l
To check and modify a Boolean setting, use the following (the -P flag writes the change to the policy so it persists across reboots):
getsebool httpd_can_network_connect
sudo setsebool -P httpd_can_network_connect on
Handling SELinux Denials
When SELinux blocks an action, it logs the event. These logs can be reviewed using:
sudo journalctl -t setroubleshoot   (requires the setroubleshoot service to be installed)
or by checking /var/log/audit/audit.log:
sudo ausearch -m AVC,USER_AVC -ts recent
To generate human-readable reports and suggested fixes, use:
sudo sealert -a /var/log/audit/audit.log
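As an added example (not part of the original article), the following POSIX shell function summarises raw AVC records of the kind found in /var/log/audit/audit.log into distinct (source type, target type, object class, permission) tuples with a count, and marks which ones were merely logged because the system was in permissive mode. The sample records are constructed for illustration; the function assumes only awk and sort are available.

```shell
#!/bin/sh
# Constructed sample AVC records in the raw format written to /var/log/audit/audit.log.
# The third record carries permissive=1, i.e. it was logged but not blocked.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="about.html" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# summarize_avc: read raw AVC records on stdin and print one line per distinct
#   <count> <source type> <target type> <class> <permission> <denied|logged-only>
# The type field is the third colon-separated component of each context.
summarize_avc() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      perm = ""; st = ""; tt = ""; cls = ""; mode = "denied"
      # Permission set sits between braces, e.g. "{ name_connect }" or "{ read write }".
      if (match($0, /\{ [^}]* \}/)) { perm = substr($0, RSTART + 2, RLENGTH - 4) }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)   { split($i, a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/)   { split($i, a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
        if ($i == "permissive=1") { mode = "logged-only" }
      }
      n[st " " tt " " cls " " perm " " mode]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live system the same function can be fed the page's own query, e.g. sudo ausearch -m AVC,USER_AVC -ts recent | summarize_avc, to see at a glance which domain is hitting which label and whether the denial is actually enforced.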
Conclusion
SELinux is a powerful security tool that enhances system protection through mandatory access control policies. While it can seem complex at first, understanding its modes, labels, and policy management tools makes it a valuable addition to any Linux system. By enforcing least privilege access and containing security threats, SELinux plays a crucial role in strengthening Linux-based environments.