SELinux security feature of the Linux kernel. To manage the security enhanced Linux behaviour of a system to keep it secure in case of a network service compromise.
SELinux is an additional layers of system security. It is protect user data from your system services that have been compromised. Linux administrators are known with the standard user/group/other(u/g/o) permissions security model.
As a example if you see above Picture 1 Whenever outside client request for a data to access from Linux Server, SELinux will verify requested data port is allowed from SELinux, It will verify process SELinux context is enabled and File security context enabled. Three layer security system. This security will work only when SELinux is in enforcing mode.
SELinux is a set of security rules that determine which process can access which directories, files and ports. Every file, process, port and directory has a special label called a SELinux context.
SELinux label context are user, role, type and sensitivity. The type context names end with “_t“
To display or set SELinux contexts with option “Z”:
SELinux Modes:
SELinux modes are three types :-
- Enforcing Mode
- Permissive Mode
- Disabled Mode
Enforcing Mode: Default mode which will enforce and enabled the SELinux security on your system. In this mode SELinux logs and protects.
Permissive Mode: This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot required to go from enforcing to permissive vice versa. This mode is useful for troubleshooting SELinux security issues. When SELinux is in permissive mode it will not deny the access it will only log.
Disabled Mode: Completely disables SELinux your system. Your system reboot is required to disable SELinux entirely or to get disabled mode to enforcing. Until unless you reboot your machine after disable it will not effect.
For the first time when you change SELinux from disable mode to enforcing mode SELinux will relabel all the files and processes from context rules
Change SELinux modes
To check SELinux security status
Enable / Disable SELinux Security mode. Edit configuration file and changeSELINUX=’enforcing/disabled’
Enforced mode
To keep in permissive mode
What is the default SELinux context for newly created files / Directories
When we create an file / directory under / (slash) it will assign default_t context.
But if we create an file / directory under /etc/, /var/, /var/www/html/ it will apply different SELinux security context let see the examples below
How to assign SELinux Security context
To assign security context to file
To enable SELinux Security port
Too See SELinux Boolean values. Enable / Disable sebool parameters
Conclusion
SELinux security context is highly improved in newer version of Linux RHEL 7 / Centos 7 / Fedora 24.
That’s it about SELinux Security
Please do comment your feedback on the same