SELinux Part 1 — SELinux Basics

This article is an introduction to SELinux in Red Hat or CentOS distributions. I will publish deeper articles about SELinux.

SELinux is a security mechanism between subjects and objects. Subjects are users or processes, objects are files or ports. This mechanism provides a more granular access control than DAC. SELinux is a MAC(Mandatory Access Control) mechanism. As you know DAC(Discretionary Access Control) is a basic control mechanism in Linux/Unix systems. It is mostly about ownerships and access modes of files(chmod, chown). If an access can be denied by DAC, SELinux doesn’t move in this access. SELinux works if an access passes from DAC.

SELinux works with labels. All processes, users, roles and files have labels. This four label together is called SELinux context. When you add “-Z” to a standard display command(ps, ls…etc.)you can see context information as “user label:role label:type label:level label”.

SELinux has three running modes; disabled, permissive and enforcing. When disabled as you guess SELinux doesn’t work. When permissive it runs in logging mode, you can say what would be denied if it works. When enforcing it can prevent running of a process if it there is a conflict with SELinux rules. Current mode may be displayed with getenforce and may be changed with setenforce. Reboot is required after mode changes.

Configuration is stored in /etc/selinux/config file. This file have two parts, first is SELinux running mode, second part is about policies. SELinux modes are explained above. Policy part is set targeted as default. targeted means SELinux considers type labels in SELinux context informations. minimum is a minimized version of targeted. mls considers level label, it applies very granular and hard SELinux policy. mls mostly is used in government or military institutions and it isn’t subject of these articles.

To see active policy and mode;

SELinux supported types are growing continuously, new types may be added when you update operating system. To see number of supported types;

Type label refers domains for processes. Multiple processes may have same domain. SELinux policies are made up about which domain should access to which type. If there is no policy, it is denied. Here is an example about sshd process and sshd file. sshd_t is a domain and sshd_exec_t is file type.

There is an unconfined label for users, roles and types. It means that related user, role or type isn’t restricted by SELinux. SELinux mostly considers processes which uses network and which starts at boot time, because those are more risky from security perspective. For that reason SELinux policies firstly aims to cover this kind of processes or files. Most of them have labels and policies but others such as user defined processes or executables are labeled as unconfined. But labels are increasing day by day.

When SELinux is in enforcing mode and there is no policy about an access, it is prevented as default(for example if httpd process tries to access any folder without /var/www/html). In that case if access is required, a new policy should be added or policy should be disabled. Active policies of SELinux are cached and those policies are queried during runtime. It is called Access Vector Cache(AVC).