What is SELinux?
SELinux is a Linux security feature that allows system administrators to restrict the capabilities of individual applications. SELinux is based on the principle of mandatory access control (MAC), which means that each application should only have access to the resources that it needs to function properly and nothing more. This way, even if an application is compromised by a malicious attacker, the damage is limited to the scope of the application and does not affect the rest of the system.
SELinux works by enforcing security policies on applications. Security policies are rules that specify what actions an application can or cannot perform, such as reading or writing files, accessing network sockets, executing commands, etc. SELinux policies are defined in binary files that are stored in /etc/selinux/targeted/policy/ directory. Each policy file corresponds to a set of applications and has a name that matches the policy type. For example, the policy file for targeted policy is policy.33.
SELinux policies consist of several components, such as contexts, types, domains, roles, and rules. The most important component for SELinux is type enforcement, which is the part of the policy that defines whether a process running with a certain type can access a file labeled with a certain type. Types are logical names that identify the security properties of processes and files. Types end with _t. For example, the type name for the web server is httpd_t. The type name for files and directories normally found in /var/www/html/ is httpd_sys_content_t. The type name for web server ports is http_port_t.
SELinux labels every process and file with a security context, which is an identifier that contains the type information and other attributes, such as user, role, and level. Security contexts are in the format user:role:type:level (level is optional). For example, the security context for the web server process is system_u:system_r:httpd_t:s0. The security context for files and directories normally found in /var/www/html/ is system_u:object_r:httpd_sys_content_t:s0.
SELinux uses the security contexts to enforce the type enforcement rules, which are statements that allow or deny access between types. For example, the following rule allows the web server process (httpd_t) to read files and directories with a context normally found in /var/www/html/ and other web server directories (httpd_sys_content_t):
allow httpd_t httpd_sys_content_t:file read;
SELinux is enabled by default on some Linux distributions, such as Red Hat Enterprise Linux and Fedora. To check the status of SELinux, one can use the sestatus command, which shows the mode and the policy type of SELinux. The mode can be either enforcing or permissive. Enforcing mode means that SELinux will block any actions that violate the policy and log them to the system audit. Permissive mode means that SELinux will only log the violations but not block them. This is useful for testing and debugging purposes. To change the mode of SELinux, one can use the setenforce command, followed by the mode name. To reload the policy after modifying it, one can use the restorecon command with the -R option. To disable SELinux completely, one can use the selinux=0 kernel parameter at boot time.
Sounds a lot like AppArmor. What's the difference?
AppArmor and SELinux are two Linux security modules that aim to enhance the security of Linux systems by enforcing mandatory access control (MAC) policies on applications. MAC policies are rules that specify what actions an application can or cannot perform, such as reading or writing files, accessing network sockets, executing commands, etc. However, AppArmor and SELinux have some differences in terms of their design, implementation, and features. Here are some of the main points of comparison between them:
- Access control mechanism: AppArmor uses security profiles based on paths, while SELinux uses security policies based on file labels. This means that AppArmor identifies applications by their executable paths, while SELinux identifies applications by their file system labels. For example, the policy file for Firefox browser in AppArmor is
/etc/apparmor.d/usr.bin.firefox, while the policy file for Firefox browser in SELinux is/etc/selinux/targeted/contexts/files/file_contexts.bin. - Availability and compatibility: AppArmor is available for any Linux distribution, but it is mainly used on SUSE and Ubuntu systems. SELinux is also available for any Linux distribution, but it is primarily used on Red Hat Enterprise Linux (RHEL) and Fedora systems. AppArmor is implemented in the Linux kernel and is thus more efficient than SELinux, which is implemented as a loadable kernel module. However, SELinux is more compatible with other Linux security features, such as namespaces, cgroups, and seccomp.
- Difficulty and flexibility: AppArmor is generally considered easier to learn, set up, and administer than SELinux, as it has a simpler and more intuitive syntax and commands. AppArmor also has a shorter learning curve, as it allows users to create and modify policies in complain mode, which logs violations but does not block them. SELinux, on the other hand, is more complex and less user-friendly, as it requires users to understand the concepts of contexts, types, roles, and domains. SELinux also has a stricter enforcement mode, which blocks violations by default. However, SELinux is more powerful and flexible than AppArmor, as it provides more granular and fine-grained control over applications and resources. SELinux also supports multi-level security (MLS) and multi-category security (MCS), which allow users to assign different levels and categories of sensitivity to files and processes.
- Level of protection: Both AppArmor and SELinux provide a high level of protection for Linux systems, as they can prevent or limit the damage caused by malicious attacks or compromised applications. However, the level of protection depends on the quality and accuracy of the policies that are defined for the applications. AppArmor and SELinux both have default policies for common applications, such as web servers, databases, and browsers, but they may not cover all the possible scenarios and use cases. Therefore, users need to customize and update their policies according to their specific needs and preferences. AppArmor and SELinux also have different approaches to policy enforcement: AppArmor works on the principle of granting access first, then applying restrictions, while SELinux works on the principle of denying access by default, then granting exceptions. This means that AppArmor is more permissive and less secure than SELinux, but also more flexible and less intrusive.
Read the similar overview about AppArmor here to have a better understanding of both!
Markus
Conclusion
SELinux is a powerful and flexible security feature that can help protect Linux systems from malicious attacks. However, it is not a silver bullet and it does not eliminate the need for other security measures, such as keeping the system and the applications updated, using strong passwords, avoiding untrusted sources, etc.
SELinux is only as effective as the policies that are defined for the applications. Therefore, it is important to understand the functionality and the requirements of the applications and to write policies that are appropriate and accurate.
Markus
