Selinux why

If an attacker manages to exploit a weakness in e. SELinux further restricts this by limiting them to actions and file contexts that their SELinux domain has access to. SELinux in the Real World. Real life SELinux security example?

I think the term Mandatory Access Control sums it up quite nicely. SELinux gives you a more secure system through a more secure kernel, in large part due to a MAC implementation. SELinux does a good job at exposing the sheer complexity of an entire Linux system. An interesting aspect of security is the question "what's it doing? If you are running a web server and it has just been staying up, then you might not know a couple of exploits were even tried against your system.

As for private companies, I don't know. If they need the integrity that SELinux brings to the table, then they should. As for Government, there are public sources listing of government projects and the like that seem to point to that MAC is being used, and possible quite heavily.

Government systems, depending on deployment and what information a system holds, have to meet certain criteria before being used. In the end security is really risk management and choosing the right level of effort. Also security is an on going effort, not something you merely turn on. Sign up to join this community.

The best answers are voted up and rise to the top. Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams? Learn more. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file labeled with a certain type. You can force the system to automatically relabel the filesystem by creating an empty file named.

If the system has too many errors, you should reboot while in permissive mode in order for the boot to succeed. If a sysadmin is less familiar with the command line, there are graphic tools available that can be used to manage SELinux.

SELinux provides an additional layer of security for your system that is built into Linux distributions. It should remain on so that it can protect your system if it is ever compromised. With DAC, files and processes have owners. You can have the user own a file, a group own a file, or other, which can be anyone else.

Users have the ability to change permissions on their own files. The root user has full access control with a DAC system. Even if the DAC settings on your home directory are changed, an SELinux policy in place to prevent another user or process from accessing the directory will keep the system safe. SELinux policies let you be specific and cover a large number of processes. You can make changes with SELinux to limit access between users, files, directories, and more.

When you get an error in SELinux there is something that needs to be addressed. It is likely 1 of these 4 common problems:. There are hundreds of settings that can turn SELinux capabilities on or off, and many are already predefined. You can find out which booleans have already been set in your system by running getsebool -a.

Sign up for our free newsletter, Red Hat Shares. Open hybrid cloud Support Developers Partners Start a trial. Enter your keywords. Featured links. When web server accesses files, SELinux checks whether the web server has access right on targeted file or not. In above example test2. We have three possible solutions of above problem; create the new file in document root, use copy operation or update the security context of moved file. The chcon command updates context directly in file system.

This is the fastest way to update the SELinux context. The chcon command uses following syntax: -. But wait we are not going to use this command.

This command may lead us to failure in RHCE exam. As this command updates security context in file system not in SELinux policy. Everything which we changed with this command will be overwritten when the file system is relabeled or original contexts are restored from policy to file system. Move back in home directory and create a dummy file with some dummy data.

Note down its type context. Now run restorecon command and view the context again. Is change still preserved? Nope… its gone. File got its original security context back. This is what happen when we update security context with chchon command.

But what is the alternative? And the answer is semanage command. As we discussed earlier, SELinux has policy rules for all objects in Linux. Usually these rules define default locations for subject user, process, application , from where the subject can access the associated files. So, when we create a new file, SELinux compares the location with its database to figure out, which subject user, process, application can access files form this location, based on result SELinux applies appropriate security contexts.

The restorecon command also do the same job. For any reason if default security context of a file is changed, restorecon command will restore the original security context back to file.

File location plays major role in this process. Default security contexts work with default location. As we can see in above figure, restorecon command uses location or in simple word the parent directory to determine the default security context for a file. So, if a process is running with default location, restorecon command is only what we need to set the correct type context. For instance, if our web server is running with default document root, regardless how we put the files there, all we need is following command to set the correct type context.

In real world things are not so easy. To meet the custom requirements, administrators customize Linux in several ways. For example, they may use a separate partition for user data or web data.

In that case, we have to tell the SELinux that which directories or files belong to which subject. For this purpose, semange command is used. Unlike chcon , the semanage command does not write anything in file system. Instead of file system the semanage command updates SELinux policy.

As we know SELinux applies contexts on file system only at startup, so any change which we made in policy will apply at next time when SELinux will relabel the system. Luckily, we have restorecon command which can do this job in run time on file system or a portion of file system. In our previous example, we worked with default web server setting. Now suppose due to any reason we want to use a non-default document root for our web server. If we want to use something which is not default, then we have to update the corresponding setting in main configuration file.

Since configuration file has been changed, we have to restart the web server so it can run with new configuration. So, what went wrong? Well…… we updated the new document root in web server configuration file. But we did not tell the SELinux about this change. Notice the type context which file testwebpage. Above two commands are very important for RHCE exam.

This way whenever you change default root of any service, never forget to update the SELinux type context with following commands.

Otherwise service will not be able to fetch the files or directories from new document root. If you think above commands are hard to remember, you can use man page of semanage-fcontext command.