SELinux in Red Hat Enterprise Linux 8
SELinux, Security Enhanced Linux, is a mature Mandatory Access Control (MAC) system used as a layer in securing the operating system. SELinux MAC policies are applied after the operating system has applied Discretionary Access Control (DAC) lists, and they add to the existing security without replacing it. Security Enhanced Linux is described as mature, having first been developed in 2000, and it is approaching 20 years since its release. The main developers include Red Hat and the NSA, which provides great credentials. This module will introduce you to the mature MAC system and how to make the most of it on modern Linux servers.
During this eBook you will learn:
- Overview of SELinux
- Labels and types
- Listing labels with ps, ls and getfattr
- Securing Apache HTTPD
- Alternate directories
- Alternate ports
- User home directories
- Creating custom modules
Security Enhanced Linux has been improving Linux operating system security since RHEL 4 by adding an additional protection layer. SELinux is built into the Linux kernel and marshals all actions by asking the question: may this process do this to that file or other resource? As an example: is the Apache HTTPD server allowed to read files in users' home directories?
Many services in Linux can and do run as the root user. This can allow one service access to files that it should not have, and at an inappropriate security level. Any service that uses a privileged port, meaning a port lower than 1024, must start as the root user to use that port. We would not want the telnet server accessing SSH key files. Using only standard Linux permissions, in the form of the file mode or access control lists, we implement security using Discretionary Access Control. This does not allow us as administrators to create comprehensive and fine-grained security policies in the way we can with SELinux. With SELinux we use labels, or contexts, on subjects, which are usually processes, and also on targets, which are often file resources of some description. A policy describes which labels are compatible with each other and what they are allowed to do. File permissions may allow a process read and write access to a log file, but the SELinux policy may dictate that it can only read. SELinux will deny all unless there is an explicit policy rule to allow an action.
NOTE: Remember that policy rules are checked after DAC rules. If access is denied via the DAC then there is no need to check the SELinux policy. Access has to be granted by the DAC before we check SELinux.
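The decision order described above can be modelled in a few lines. This is an added example, not part of the original eBook or of SELinux itself; the type names, UIDs and the rule table are assumptions chosen to mirror the text's telnet, log file and home directory cases.

```python
from dataclasses import dataclass

# Constructed allow rules modelled on SELinux type enforcement:
# (process type, file type) -> operations the policy permits.
# A simplified illustration, not the policy shipped with RHEL 8.
ALLOW = {
    ("httpd_t", "httpd_log_t"): {"read"},
    ("sshd_t", "sshd_key_t"): {"read"},
}

@dataclass
class Process:
    uid: int
    domain: str      # label on the subject

@dataclass
class File:
    owner: int
    mode: int        # standard permission bits, e.g. 0o600
    ftype: str       # label on the target

def dac_allows(proc: Process, f: File, op: str) -> bool:
    """File-mode check; group bits are omitted to keep the model small."""
    if proc.uid == 0:
        return True                      # root overrides the file mode
    bit = {"read": 4, "write": 2}[op]
    shift = 6 if proc.uid == f.owner else 0
    return bool((f.mode >> shift) & bit)

def mac_allows(proc: Process, f: File, op: str) -> bool:
    """Deny all unless an explicit rule allows the operation."""
    return op in ALLOW.get((proc.domain, f.ftype), set())

def check(proc: Process, f: File, op: str) -> str:
    if not dac_allows(proc, f, op):
        return "denied by DAC"           # SELinux policy is never consulted
    if not mac_allows(proc, f, op):
        return "denied by SELinux"
    return "allowed"

# Constructed subjects and targets matching the examples in the text.
telnetd = Process(uid=0, domain="telnetd_t")
httpd = Process(uid=48, domain="httpd_t")
ssh_key = File(owner=0, mode=0o600, ftype="sshd_key_t")
access_log = File(owner=48, mode=0o600, ftype="httpd_log_t")
home_page = File(owner=1000, mode=0o644, ftype="user_home_t")
private_note = File(owner=1000, mode=0o600, ftype="user_home_t")

if __name__ == "__main__":
    for p, f, op in [(telnetd, ssh_key, "read"), (httpd, access_log, "read"),
                     (httpd, access_log, "write"), (httpd, home_page, "read"),
                     (httpd, private_note, "read")]:
        print(f"{p.domain:10} {op:5} {f.ftype:12} -> {check(p, f, op)}")
```

The telnet case is the one DAC alone cannot stop: the process runs as root, so only the missing policy rule denies it.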