Linux.com

What is SELinux and how does it work?
Answers
  • NSA Security-Enhanced Linux
    http://www.nsa.gov/selinux

    To put it as simply as possible, SELinux is an access control implementation for the Linux kernel.
    As an administrator, you define rules in user space and if the Linux kernel has been compiled with SELinux support, those rules will be adhered to by the kernel.
    It is an enterprise grade security enhancement that was merged into the Linux kernel in 2003.
    http://en.wikipedia.org/wiki/Mandatory_access_control

    If you want a better overview, install Fedora Linux and try:

    man selinux

    in a console.

    Thanks,
    Tony

    Answered by Zanpaktou
    4 years ago
    0 0
  • And if you cannot access a system with selinux installed, here is the selinux man page from CentOS:


    selinux(8) SELinux Command Line documentation selinux(8)

    NAME
    selinux - NSA Security-Enhanced Linux (SELinux)

    DESCRIPTION
    NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible
    mandatory access control architecture in the Linux operating system. The SELinux
    architecture provides general support for the enforcement of many kinds of
    mandatory access control policies, including those based on the concepts of Type
    Enforcement®, Role-Based Access Control, and Multi-Level Security. Background
    information and technical documentation about SELinux can be found at
    http://www.nsa.gov/selinux.

    The /etc/selinux/config configuration file controls whether SELinux is enabled or
    disabled, and if enabled, whether SELinux operates in permissive mode or
    enforcing mode. The SELINUX variable may be set to any one of disabled,
    permissive, or enforcing to select one of these options. The disabled option
    completely disables the SELinux kernel and application code, leaving the system
    running without any SELinux protection. The permissive option enables the SELinux
    code, but causes it to operate in a mode where accesses that would be denied by
    policy are permitted but audited. The enforcing option enables the SELinux code
    and causes it to enforce access denials as well as auditing them. Permissive mode
    may yield a different set of denials than enforcing mode, both because enforcing
    mode will prevent an operation from proceeding past the first denial and because
    some application code will fall back to a less privileged mode of operation if
    denied access.

    The /etc/selinux/config configuration file also controls what policy is active on
    the system. SELinux allows for multiple policies to be installed on the system,
    but only one policy may be active at any given time. At present, two kinds of
    SELinux policy exist: targeted and strict. The targeted policy is designed as a
    policy where most processes operate without restrictions, and only specific
    services are placed into distinct security domains that are confined by the
    policy. For example, the user would run in a completely unconfined domain while
    the named daemon or apache daemon would run in a specific domain tailored to its
    operation. The strict policy is designed as a policy where all processes are
    partitioned into fine-grained security domains and confined by policy. It is
    anticipated in the future that other policies will be created (Multi-Level
    Security for example). You can define which policy you will run by setting the
    SELINUXTYPE environment variable within /etc/selinux/config. The corresponding
    policy configuration for each such policy must be installed in the
    /etc/selinux/SELINUXTYPE/ directories.

    A given SELinux policy can be customized further based on a set of compile-time
    tunable options and a set of runtime policy booleans. system-config-selinux
    allows customization of these booleans and tunables.

    Many domains that are protected by SELinux also include selinux man pages
    explaining how to customize their policy.

    FILE LABELING
    All files, directories, devices ... have a security context/label associated with
    them. These contexts are stored in the extended attributes of the file system.
    Problems with SELinux often arise from the file system being mislabeled. This can
    be caused by booting the machine with a non-SELinux kernel. If you see an error
    message containing file_t, that is usually a good indicator that you have a
    serious problem with file system labeling.

    The best way to relabel the file system is to create the flag file /.autorelabel
    and reboot. system-config-selinux also has this capability. The
    restorecon/fixfiles commands are also available for relabeling files.

    AUTHOR
    This manual page was written by Dan Walsh.

    SEE ALSO
    booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8),
    setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8),
    httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8),
    nis_selinux(8), ypbind_selinux(8)

    FILES
    /etc/selinux/config

    dwalsh@redhat.com 29 Apr 2005 selinux(8)

    Answered by woboyle
    4 years ago
    1 0
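
The man page quoted above says SELINUX must be one of disabled, permissive or enforcing, and that the policy named by SELINUXTYPE must be installed under /etc/selinux/SELINUXTYPE/. The following is an added example, not part of the answer or the man page, that checks a config file against those two rules. The function name `audit_selinux_config`, its optional second argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an SELinux config file per the selinux(8) text above.
# Usage: audit_selinux_config CONFIG_FILE [POLICY_ROOT]  (POLICY_ROOT defaults to /etc/selinux)
# Returns 0 = enforcing with policy installed, 1 = weakened mode, 2 = broken config.
audit_selinux_config() {
    cfg=$1; root=${2:-/etc/selinux}; st=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }
    # Uncommented assignments only. Assumption: if a variable is repeated, the last one counts.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    case $mode in
        enforcing)  echo "OK: SELINUX=enforcing (denials enforced and audited)" ;;
        permissive) echo "WARN: SELINUX=permissive (denials audited but permitted)"; st=1 ;;
        disabled)   echo "WARN: SELINUX=disabled (no SELinux protection)"; st=1 ;;
        '')         echo "FAIL: SELINUX is not set"; st=2 ;;
        *)          echo "FAIL: invalid SELINUX value '$mode'"; st=2 ;;
    esac
    # The man page requires the active policy's files under POLICY_ROOT/SELINUXTYPE/.
    if [ -z "$ptype" ]; then
        echo "FAIL: SELINUXTYPE is not set"; st=2
    elif [ ! -d "$root/$ptype" ]; then
        echo "FAIL: SELINUXTYPE=$ptype but $root/$ptype is missing"; st=2
    else
        echo "OK: SELINUXTYPE=$ptype ($root/$ptype present)"
    fi
    return $st
}

# Constructed sample tree (not from a real host) so the check runs offline.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/targeted"
cat > "$demo_root/config" <<'EOF'
# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF
audit_selinux_config "$demo_root/config" "$demo_root" || echo "exit status: $?"
```

On a real host, call it as `audit_selinux_config /etc/selinux/config`; it reads only the file and the policy directory, so it reports the boot-time configuration rather than the mode the running kernel is in.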
  • In addition, Red Hat based distributions such as Fedora and CentOS are fully utilized with SELinux.

    Answered by ajhwb
    4 years ago
    0 0
  • There are three "popular" solutions for implementing access control in Linux: the NSA primarily cooked up SELinux, Novell's AppArmor, TOMOYO Linux, GrSecurity, and POSIX capabilities.

    SE Linux is basically a Mandatory Access Control system implementation. There's a lot to read about each of these systems, and none of them are particularly easy to implement. But SELinux was the NSA's attempt at porting the Orange Book requirements to Linux.

    A good place to start reading is probably just the wikipedia page: http://en.wikipedia.org/wiki/Security-Enhanced_Linux

    Answered by gomer
    4 years ago
    0 2
  • Not a silly question, but please at least read the wiki:
    http://en.wikipedia.org/wiki/Security-Enhanced_Linux
    It has nice information on what SE Linux is about.

    Answered by ben
    4 years ago
    0 0