Why do we need SELinux?

linux selinux security
11,123

Solution 1

You may view SELinux as a system-call firewall: A policy for each application specifies what's reasonable for the application to do: The name server may listen on port 53, work with some zone files in a particular directory, send out syslog, ..., but it makes no sense for it to try to work with files in /home, for example. SELinux' enforcement of such a policy means that it will be much harder for a weakness in the name server to spread to other parts of the system.

I find that SELinux provides real security value. But while it has certainly become easier to work with over the years, it is - unfortunately - still a rather complex system. The good thing is that you may easily turn it off for some services, without having to turn it off for the whole system. Too many (junior?) sysadmins turn of SELinux across the board, as soon as they run into the slightest problem with one service - instead of selectively turning it off for the service causing trouble.

Solution 2

Not all security issues can be predicted in advance. If an attacker manages to exploit a weakness in e.g. a third-party httpd module then they have access to the same files that the user httpd is running as does. SELinux further restricts this by limiting them to actions and file contexts that their SELinux domain has access to.

Solution 3

These previous questions might be informative:

SELinux in the Real World

and

Real life SELinux security example?

and

Reasons to disable / enable SELinux

Solution 4

SELinux does a good job at exposing the sheer complexity of an entire Linux system.
An interesting aspect of security is the question "what's it doing?"
Well if it is working you might not ever know. If you are running a web server and it has just been staying up, then you might not know a couple of exploits were even tried against your system.
As for private companies, I don't know. If they need the integrity that SELinux brings to the table, then they should.
As for Government, there are public sources (listing of government projects and the like) that seem to point to that MAC is being used, and possible quite heavily. Government systems, depending on deployment and what information a system holds, have to meet certain criteria before being used.
In the end security is really risk management and choosing the right level of effort.
Also security is an on going effort, not something you merely turn on.

Solution 5

I think the term Mandatory Access Control sums it up quite nicely. SELinux gives you a more secure system through a more secure kernel, in large part due to a MAC implementation.

Share:
11,123

Related videos on Youtube

Krish
Author by

Krish

Updated on September 17, 2022

Comments

  • Krish
    Krish almost 2 years

    I could not get much idea where the SELinux has been used and what it saves from attacker. I have gone through SELinux web site and read the basic but still not getting clue about SELinux. For the Linux system which provides the SSH shell, Apache front end, role based web application, MySQL DB, memcached, almost all the systems are password protected, then why do we need SELinux?

  • jgoldschrafe
    jgoldschrafe over 13 years
    man -k selinux is a good place to start. Typically, there are *_disable_trans sebools which can be set to disable SELinux on particular services.
  • Jürgen A. Erhard
    Jürgen A. Erhard over 8 years
    @jgoldschrafe And that's how "easy" it is.
  • symcbean
    symcbean almost 8 years
    "makes no sense for it to try to work with files in /home" - and you can't restrict the DNS server's access to those files with permissions?
  • cinatic
    cinatic almost 3 years
    @symbean someone could do that but imagine the following scenario, the dns server's is running under a specific user "dnsuser" and "dnsuser" is only allowed to access e.g. /etc/hosts. But now a attacker is exploiting the dns server and gains somehow more privileges for "dnsuser" and trying to access /etc/passwd, then SElinux will help

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

selinux permissive and type targeted
selinux Missing type enforcement (TE) allow rule
/bin/su permission denied after SELinux is enabled - not resolved by manual creation of SELinux policies
selinux avc: denied issue
SELinux permissions for LogRotate and Apache
How can I query for all selinux rules/default file contexts/etc affecting a type
Reasons to disable / enable SELinux
Create a SELinux policy for a custom systemd service
SELinux: allow a process to create any file in a certain directory
how to create a custom SELinux label