Security-Enhanced Linux facts for kids
 |
|
SELinux administrator GUI in Arch Linux
|
|
| Original author(s) | NSA and Red Hat |
|---|---|
| Developer(s) | Red Hat |
| Initial release | December 22, 2000 |
| Stable release |
3.6 / 13 December 2023
|
| Written in | C |
| Operating system | Linux |
| Type | Security, Linux Security Modules (LSM) |
| License | GNU GPL |
Security-Enhanced Linux (SELinux) is a special security part of the Linux kernel. Think of the Linux kernel as the brain of a computer's operating system. SELinux helps control who can access what on a computer. It uses very strict rules called mandatory access controls (MAC).
SELinux is made of changes to the kernel and tools that work with it. These have been added to many different Linux distributions (versions of Linux). Its design keeps security rules separate from how they are enforced. This makes it easier to manage security. The main ideas behind SELinux came from earlier projects by the United States National Security Agency (NSA).
Contents
What is SELinux?
The NSA Security-enhanced Linux Team describes SELinux as a set of updates for the Linux kernel. These updates add a strong and flexible way to control access (MAC) to the main parts of the kernel. It helps keep information separate based on how secret or important it is.
This helps stop people from changing things they shouldn't. It also prevents problems caused by faulty programs. SELinux limits the damage that bad or broken applications can do. It comes with example security rules to help keep systems safe.
How SELinux Protects Your Computer
A Linux system with SELinux uses strict rules to control programs and services. It also controls access to files and network connections. By limiting what programs can do, it reduces harm if they have problems. For example, if a program has a bug, SELinux can stop it from affecting other parts of the system.
This security works differently from the usual Linux security. It doesn't rely on a "root" superuser (the main administrator). This means it avoids some common security weaknesses found in older Linux systems.
SELinux vs. Regular Linux Security
Without SELinux, a Linux system's safety depends on everything being perfect. This includes the kernel, all important applications, and their settings. If one part has a flaw, the whole system could be at risk.
With SELinux, the system's safety mostly depends on the kernel and its security rules. Even if a program has a problem, SELinux can keep it from affecting the rest of the system. This means other programs and the system as a whole stay safer.
SELinux combines different security ideas. These include mandatory access controls, ways to protect data integrity, and role-based access control (RBAC). RBAC means users get permissions based on their job or "role."
The History of SELinux
Early work on strict access controls for UNIX systems started in the late 1980s. The NSA's Trusted UNIX (TRUSIX) Working Group worked on this from 1987 to 1991.
SELinux was created to show how useful mandatory access controls could be for Linux. It also showed how these controls could be added to Linux. At first, you had to manually add SELinux updates to the Linux kernel. Later, SELinux became a standard part of the Linux kernel in the 2.6 series.
The NSA, who first developed SELinux, shared it with the open source community. This happened on December 22, 2000, under the GNU GPL license. It was added to the main Linux kernel on August 8, 2003. Other groups like Red Hat and Network Associates also helped a lot.
SELinux uses ideas from something called the Flux Advanced Security Kernel (FLASK). FLASK helps enforce many types of strict access control policies. These policies include those based on "type enforcement" and "role-based access control."
Users, Policies, and Security Contexts
In SELinux, users and roles are not always the same as regular system users. For every user or program, SELinux gives it a special "context." This context has a username, a role, and a domain (or type). This system is very flexible. Usually, many real users share the same SELinux username. Most access control is managed through the "domain" tag.
The rules for when a program can enter a certain domain are set in the policies. You can use the runcon command to start a program with a specific context. However, SELinux might stop this if the policy doesn't allow it.
Files, network connections, and other hardware also have an SELinux context. This context includes a name, a role (rarely used), and a type. For file systems, matching files to security contexts is called "labeling." This labeling is set in policy files. You can also change it manually without changing the main policies. Hardware types are very detailed. For example, bin_t means all files in the /bin folder. postgresql_port_t means the PostgreSQL port (5432).
SELinux adds a -Z option to commands like ls and ps. This lets you see the security context of files or programs.
How Policies Work
Typical policy rules are clear permissions. For example, they say which domains a user must have to do certain things with a target. This could be reading a file, running a program, or connecting to a network port. More complex rules are also possible, involving roles and security levels.
A typical policy has a labeling file, a rule file, and an interface file. These define how domains change. These three files are put together using SELinux tools to create one policy file. This policy file can then be loaded into the kernel to make it active. You can load and unload policies without restarting the computer.
Policies are often tested first in "permissive mode." In this mode, violations are recorded but allowed. This helps find out what an application needs to do. The audit2allow tool can then create new rules to allow these actions.
Key Features of SELinux
SELinux has many features that make it a powerful security tool:
- It clearly separates security rules from how they are enforced.
- It has clear ways for programs to ask about and use security rules.
- It works with different security policies and languages.
- It can apply labels and controls to individual parts of the kernel.
- It allows for changes to security policies.
- It has separate ways to protect system integrity and data privacy.
- It offers flexible policy options.
- It controls how programs start, run, and inherit permissions.
- It controls file systems, folders, files, and open file connections.
- It controls network connections and messages.
- It controls the use of special "capabilities" (powers) programs might have.
- It uses a cache (Access Vector Cache or AVC) to quickly make access decisions.
- It uses a "default-deny" policy. This means anything not clearly allowed is blocked.
Where is SELinux Used?
SELinux has been used in Android phones since version 4.3.
Many free Linux versions use SELinux. Fedora was one of the first, including it by default since Fedora Core 2. Other versions like Debian (since version 9 Stretch) and Ubuntu (since 8.04 Hardy Heron) also support it. openSUSE and SUSE Linux Enterprise also include SELinux.
SELinux is also popular in systems that use linux containers. These are like small, isolated environments for running applications. SELinux helps keep these containers separate and secure from the main system.
SELinux has been part of Red Hat Enterprise Linux (RHEL) since version 4 (2005). It is also in other systems based on RHEL, like CentOS and AlmaLinux.
How SELinux is Used
SELinux can control exactly what each user, program, and service can do on a system. It's often used to protect services like database programs or web servers. These services have clear rules about what data they can access. If one of these services gets hacked, SELinux can limit the damage it can cause.
There are many command-line tools to manage SELinux. Some examples include:
- chcon
- restorecon
- runcon
- setenforce
- getenforce
Examples of SELinux Commands
To turn on SELinux's enforcing mode (where it actively blocks things):
setenforce 1
To check if SELinux is active and enforcing:
getenforce
SELinux vs. AppArmor
SELinux is one way to limit what software can do. Another popular option is AppArmor. AppArmor is available on systems like SUSE Linux Enterprise Server (SLES) and Debian. AppArmor and SELinux are very different.
One key difference is how they identify files. AppArmor uses the file's path (like its address). SELinux uses a unique ID for the file. This means if you create a new link to a file, AppArmor might allow access through the new link, even if the original was blocked. SELinux would still block it.
AppArmor is generally simpler to manage. SELinux offers more detailed control over many more types of actions. For example, SELinux can control things like connecting to network ports or loading parts of the kernel. AppArmor has a smaller set of operations it can control.
SELinux also supports more advanced security ideas, like "multilevel security." This helps protect very sensitive data. SELinux uses special files and extended attributes for its settings. AppArmor uses regular text files.
Other Similar Systems
Other ways to isolate processes include virtualization. This creates virtual environments for applications. For example, the OLPC project used this to run applications in isolated "sandboxes." The NSA has also used SELinux ideas in Security-Enhanced Android.
General Dynamics offers PitBull Trusted Operating System. This is an improvement for Red Hat Enterprise Linux that adds multilevel security (MLS).
Multi-Category Security (MCS) is an addition to SELinux for Red Hat Enterprise Linux. It lets users label files with categories. This adds even more ways to control access, beyond the usual rules. Categories create extra compartments within security levels used by MLS.
See also
In Spanish: SELinux para niños
- AppArmor
- Astra Linux
- Red Star OS
- Rule Set Based Access Control (RSBAC)
- Simplified Mandatory Access Control Kernel
- Solaris Trusted Extensions
- Tomoyo
- TrustedBSD
- Unix security
- Qubes OS
