Linux discretionary access control (DAC) is based on user and group information: processes carry a user and group (real and effective), and files carry a user/group owner and permission bits.
SELinux adds a mandatory access control (MAC) layer on top of DAC, so that even the root user is not guaranteed all privileges.
SELinux is transparent to applications. It is an implementation of a Linux Security Module (LSM). LSM provides hooks inside the Linux kernel so that SELinux is called when a hook is triggered; the LSM check runs only after the DAC check has already passed.
SELinux Cares About Context
SELinux does not care about the ownership of a process; the context of the process matters instead. SELinux is therefore a label-based (context-based) control system. The same binary launched by different programs may run under different contexts. This is meaningful, since a web server started by the init system is more trustworthy than one started by a user.
Now what is a context? The fields of a context are the SELinux user, role and type, which conventionally end in _u, _r and _t respectively. Example from [SELinux System Administration Handbook], on a system with SELinux enabled:
# ps -eZ | grep dbus-daemon
system_u:system_r:system_dbusd_t 4531 ? 00:00:00 dbus-daemon
staff_u:staff_r:staff_dbusd_t 5266 ? 00:00:00 dbus-daemon
There are two instances of the same dbus-daemon binary running, but their contexts differ, so SELinux can enforce different policies on each of them.
Note that the SELinux user label does not change when the Linux user changes, e.g. via sudo. This explains why even the privileged root user can get a permission denied error.
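To make the label structure concrete, here is an added example (not code from the original page or the handbook it cites) that splits a context into its user, role, type and optional level fields and then scans `ps -eZ` output to find binaries that run under more than one domain, as the dbus-daemon example above does. The `ps` listing is constructed for the example; the PIDs and the extra systemd/bash lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `ps -eZ` output. The two dbus-daemon lines follow the
# page's example; the other lines and all PIDs are invented for illustration.
PS_EZ_OUTPUT = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:03 systemd
system_u:system_r:system_dbusd_t:s0 4531 ?        00:00:00 dbus-daemon
staff_u:staff_r:staff_dbusd_t:s0    5266 ?        00:00:00 dbus-daemon
staff_u:staff_r:staff_t:s0          5301 pts/0    00:00:00 bash
"""

CONTEXT_FIELDS = ("user", "role", "type", "level")


def parse_context(label):
    """Split an SELinux label into its user:role:type[:level] fields.

    The level (e.g. "s0" or "s0-s0:c0.c1023") is only present on MLS/MCS
    policies, so it is returned as None when absent. The level itself may
    contain colons, which is why the split is limited to three cuts.
    """
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    fields = dict(zip(CONTEXT_FIELDS, parts))
    fields.setdefault("level", None)
    # Sanity-check the naming convention the page describes (_u, _r, _t).
    for name, suffix in (("user", "_u"), ("role", "_r"), ("type", "_t")):
        if not fields[name].endswith(suffix):
            raise ValueError(f"{name} field {fields[name]!r} does not end in {suffix}")
    return fields


# One `ps -eZ` row: label, pid, tty, time, command. The header row has no
# numeric PID and is therefore skipped by the regex.
PS_LINE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)$")


def contexts_by_command(ps_output):
    """Map each command name to the sorted list of domains (types) it runs in."""
    domains = defaultdict(set)
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        ctx = parse_context(m.group("label"))
        domains[m.group("cmd")].add(ctx["type"])
    return {cmd: sorted(types) for cmd, types in domains.items()}


def multi_domain_commands(ps_output):
    """Commands whose instances run under more than one domain: the page's point
    that the same binary can carry different contexts and hence different policy."""
    return {cmd: types for cmd, types in contexts_by_command(ps_output).items()
            if len(types) > 1}


if __name__ == "__main__":
    for cmd, types in multi_domain_commands(PS_EZ_OUTPUT).items():
        print(f"{cmd}: runs in domains {', '.join(types)}")
```

When reviewing a real system, the same grouping over live `ps -eZ` output quickly shows which services are running outside the domain the policy intended for them (for example a daemon started from an interactive shell and therefore stuck in the user's domain).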
SELinux has three modes:
+ disabled: the system boots without activating SELinux.
+ permissive: SELinux is active but the access control policy is not enforced; denials are only logged.
+ enforcing: SELinux is active and the policy is enforced.
SELinux can be enabled or disabled either through the configuration file /etc/selinux/config or through GRUB boot parameters in /boot/grub2/grub.cfg, and it is also possible to put a specific namespace (tag) in
SELinux Access Control
SELinux has three different forms of access control:
+ Type Enforcement (TE)
+ Role Based Access Control (RBAC)
+ Multi-Level Security (MLS)
Type enforcement applies to processes and resources (files, sockets, ports, etc.). Resources and processes are assigned types, as mentioned earlier.
For example, suppose Apache processes are allowed to read the file index.html: the httpd_t type is assigned to all Apache processes and httpd_sys_content_t is assigned to the index.html file. Resources can be files, directories, sockets, processes or ports; here index.html is of the file class. For the file class, the predefined permissions include read, write, execute, getattr, etc. So if the Apache processes are allowed to read index.html, the rule is
allow httpd_t httpd_sys_content_t : file read;
This rule allows all processes of type httpd_t to read all files tagged httpd_sys_content_t. The access rules are configurable through policies.
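The following added example (my own code, not from the page or from the SELinux project) models how a type enforcement check works: it parses allow rules in the syntax shown above into a (source type, target type, class) table, then answers access requests on a default-deny basis, looking only at the type field of each context. The mini-policy is constructed for the example; only the first rule is the page's, the `httpd_sys_rw_content_t` rule and the AVC-style message format are my additions.

```python
import re

# Constructed mini-policy in the page's rule syntax. The first rule is the one
# from the page; the other two are added here to show a permission set in
# braces and a second target type.
POLICY_TEXT = """
allow httpd_t httpd_sys_content_t : file read;
allow httpd_t httpd_sys_content_t : file { getattr open };
allow httpd_t httpd_sys_rw_content_t : file { read write getattr open };
"""

# allow SRC TGT : CLASS PERM;   or   allow SRC TGT : CLASS { PERM PERM ... };
ALLOW_RULE = re.compile(
    r"allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
)


def parse_policy(text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    rules = {}
    for m in ALLOW_RULE.finditer(text):
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        key = (m.group("src"), m.group("tgt"), m.group("cls"))
        rules.setdefault(key, set()).update(perms)
    return rules


def is_allowed(rules, source_type, target_type, cls, perm):
    """Type enforcement is default-deny: access is granted only if some allow
    rule names this exact (source, target, class) tuple with this permission."""
    return perm in rules.get((source_type, target_type, cls), set())


def check_access(rules, process_context, file_context, cls, perm):
    """Evaluate a request given full contexts. Only the type field (third
    component) matters for TE, which is why the Linux uid of the process and
    the SELinux user/role fields play no part in this decision."""
    src = process_context.split(":")[2]
    tgt = file_context.split(":")[2]
    return is_allowed(rules, src, tgt, cls, perm)


def avc_message(process_context, file_context, cls, perm, allowed):
    """A simplified rendering of the kernel's AVC audit record for a decision.
    Real records carry more fields (pid, comm, path, permissive flag)."""
    verdict = "granted" if allowed else "denied"
    return (f"avc: {verdict} {{ {perm} }} scontext={process_context} "
            f"tcontext={file_context} tclass={cls}")


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    proc = "system_u:system_r:httpd_t:s0"
    page = "system_u:object_r:httpd_sys_content_t:s0"
    for perm in ("read", "write"):
        ok = check_access(rules, proc, page, "file", perm)
        print(avc_message(proc, page, "file", perm, ok))
```

The write request on `httpd_sys_content_t` is denied even though the process is the legitimate web server, because no rule grants it; that denial is what shows up in the audit log and is the first thing to look at when a confined service fails with EACCES under enforcing mode.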
Set SELinux Context
The list of regular expressions that determines the context of files can be shown with
# semanage fcontext -l
/var/run/bitlbee\.sock socket system_u:object_r:bitlbee_var_run_t:s0
/var/run/bmc-watchdog\.pid regular file system_u:object_r:freeipmi_bmc_watchdog_var_run_t:s0
...
The file context can be changed permanently by modifying the SELinux database with semanage fcontext and applying the changes with
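As an added example (not the page's or the SELinux project's code), here is a model of how the `semanage fcontext -l` table is applied: each entry's regular expression is anchored and matched against a full path, entries are filtered by file type, and the last matching entry wins, which is the file_contexts convention that lets the more specific `/var/www/html/upload(/.*)?` entry override the broader `/var/www(/.*)?` one. The table is constructed for the example: the two /var/run lines are the page's, the /var/www lines are mine, and the `needs_relabel` check mirrors what a dry-run relabel would report for a file whose on-disk label drifted from policy.

```python
import re

# Constructed excerpt in the layout of `semanage fcontext -l` (regex, file
# type, context, separated by two or more spaces). The first two lines are the
# page's output; the /var/www entries are invented for this example.
FCONTEXT_LIST = r"""
/var/run/bitlbee\.sock          socket          system_u:object_r:bitlbee_var_run_t:s0
/var/run/bmc-watchdog\.pid      regular file    system_u:object_r:freeipmi_bmc_watchdog_var_run_t:s0
/var/www(/.*)?                  all files       system_u:object_r:httpd_sys_content_t:s0
/var/www/html/upload(/.*)?      all files       system_u:object_r:httpd_sys_rw_content_t:s0
"""

FCONTEXT_LINE = re.compile(r"^(?P<regex>\S+)\s{2,}(?P<ftype>.+?)\s{2,}(?P<context>\S+)$")


def parse_fcontext_list(text):
    """Return a list of (compiled regex, file type, context) in table order."""
    entries = []
    for line in text.strip().splitlines():
        m = FCONTEXT_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable fcontext line: {line!r}")
        entries.append((re.compile(m.group("regex")), m.group("ftype"), m.group("context")))
    return entries


def expected_context(entries, path, ftype="regular file"):
    """Context the policy assigns to `path`, or None if no entry matches.

    Entries are anchored (fullmatch) and restricted to the given file type or
    to "all files"; when several entries match, the last one in table order
    is used.
    """
    match = None
    for regex, entry_type, context in entries:
        if entry_type not in ("all files", ftype):
            continue
        if regex.fullmatch(path):
            match = context
    return match


def needs_relabel(entries, path, current_context, ftype="regular file"):
    """True when the on-disk label differs from the policy's expected label,
    i.e. the file would be relabelled by a restore of its default context."""
    expected = expected_context(entries, path, ftype)
    return expected is not None and expected != current_context


if __name__ == "__main__":
    entries = parse_fcontext_list(FCONTEXT_LIST)
    for path in ("/var/www/html/index.html", "/var/www/html/upload/a.png", "/etc/passwd"):
        print(path, "->", expected_context(entries, path))
    # A file copied in from a home directory keeps its old label until relabelled.
    print(needs_relabel(entries, "/var/www/html/index.html",
                        "unconfined_u:object_r:user_home_t:s0"))
```

The escaped dot in `bitlbee\.sock` matters: without it the entry would also label `/var/run/bitlbeeXsock`, which is the kind of over-broad pattern to watch for when reviewing custom `semanage fcontext -a` additions.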
In SELinux, processes are also assigned labels, i.e. domains. A child process inherits the context from its parent.
It may be needed to install package