May 3, 2010

What is SELinux and how does it work?

I know this may sound like a silly question but I'm a student and working on a research paper for class. Any help, links, etc will be great.

not a silly question, but please at least read wiki:http://en.wikipedia.org...

not a silly question, but please at least read wiki:
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
It's a nice information of what is SE Linux about

Like  (0 likes)

There are three "popular" solutions for implementing access control in Linux:...

There are three "popular" solutions for implementing access control in Linux: the NSA primarily cooked up SELinux, Novel's AppArmor, TOMOYO Linux, GrSecurity, and POSIX capabilities.

SE Linux is basically a Mandatory Access Control system implementation. There's a lot to read about each of these systems, and none of them are particularly easy to implement.But SELinux was the NSA's attempt at porting the Orange Book requirements to Linux.

A good place to start reading is probably just the wikipedia page: http://en.wikipedia.org/wiki/Security-Enhanced_Linux

Like  (4 likes)

In addition that Red Hat base distribution such as Fedora and CentOS are...

In addition that Red Hat base distribution such as Fedora and CentOS are fully utilized with SELinux.

Like  (3 likes)

And if you cannot access a system with selinux installed, here is the selinux...

And if you cannot access a system with selinux installed, here is the selinux man page from CentOS:

selinux(8) SELinux Command Line documentation selinux(8)

NAME
selinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible manda-
tory access control architecture in the Linux operating system. The SELinux
architecture provides general support for the enforcement of many kinds of manda-
tory access control policies, including those based on the concepts of Type
Enforcement®, Role- Based Access Control, and Multi-Level Security. Background
information and technical documentation about SELinux can be found at
http://www.nsa.gov/selinux.

The /etc/selinux/config configuration file controls whether SELinux is enabled or
disabled, and if enabled, whether SELinux operates in permissive mode or enforc-
ing mode. The SELINUX variable may be set to any one of disabled, permissive, or
enforcing to select one of these options. The disabled option completely dis-
ables the SELinux kernel and application code, leaving the system running without
any SELinux protection. The permissive option enables the SELinux code, but
causes it to operate in a mode where accesses that would be denied by policy are
permitted but audited. The enforcing option enables the SELinux code and causes
it to enforce access denials as well as auditing them. Permissive mode may yield
a different set of denials than enforcing mode, both because enforcing mode will
prevent an operation from proceeding past the first denial and because some
application code will fall back to a less privileged mode of operation if denied
access.

The /etc/selinux/config configuration file also controls what policy is active on
the system. SELinux allows for multiple policies to be installed on the system,
but only one policy may be active at any given time. At present, two kinds of
SELinux policy exist: targeted and strict. The targeted policy is designed as a
policy where most processes operate without restrictions, and only specific ser-
vices are placed into distinct security domains that are confined by the policy.
For example, the user would run in a completely unconfined domain while the named
daemon or apache daemon would run in a specific domain tailored to its operation.
The strict policy is designed as a policy where all processes are partitioned
into fine-grained security domains and confined by policy. It is anticipated in
the future that other policies will be created (Multi-Level Security for exam-
ple). You can define which policy you will run by setting the SELINUXTYPE envi-
ronment variable within /etc/selinux/config. The corresponding policy configura-
tion for each such policy must be installed in the /etc/selinux/SELINUXTYPE/
directories.

A given SELinux policy can be customized further based on a set of compile-time
tunable options and a set of runtime policy booleans. system-config-selinux
allows customization of these booleans and tunables.

Many domains that are protected by SELinux also include selinux man pages
explainging how to customize their policy.

FILE LABELING
All files, directories, devices ... have a security context/label associated with
them. These context are stored in the extended attributes of the file system.
Problems with SELinux often arise from the file system being mislabeled. This can
be caused by booting the machine with a non selinux kernel. If you see an error
message containing file_t, that is usually a good indicator that you have a seri-
ous problem with file system labeling.

The best way to relabel the file system is to create the flag file /.autorelabel
and reboot. system-config-selinux, also has this capability. The restorcon/fix-
files commands are also available for relabeling files.

AUTHOR
This manual page was written by Dan Walsh .

SEE ALSO
booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8),
setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8),
httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8),
nis_selinux(8), ypbind_selinux(8)

FILES
/etc/selinux/config

dwalsh@redhat.com 29 Apr 2005 selinux(8)

Like  (1 like)

NSA Security-Enhanced Linuxhttp://www.nsa.gov/selinux...

NSA Security-Enhanced Linux
http://www.nsa.gov/selinux

To put it as simply as possible, SELinux is an access control implementation for the Linux kernel.
As an administrator, you define rules in user space and if the Linux kernel has been compiled with SELinux support, those rules will be adhered to by the kernel.
It is an enterprise grade security enhancement that was merged into the Linux kernel in 2003.
http://en.wikipedia.org/wiki/Mandatory_access_control

If you want a better overview, install Fedora Linux and try :

man selinux

in a console.

Thanks,
Tony

Like  (1 like)
Click Here!