SELinux

[anitsh]

Security-Enhanced Linux (SELinux)

SELinux can potentially control which activities a system allows each user, process, and daemon, with very precise specifications. It is used to confine daemons such as database engines or web servers that have clearly defined data access and activity rights. This limits potential harm from a confined daemon that becomes compromised.

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy, and streamlines the amount of software involved with security policy enforcement

SELinux features include:

• Clean separation of policy from enforcement
• Well-defined policy interfaces
• Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
• Independence of specific policies and policy languages
• Independence of specific security-label formats and contents
• Individual labels and controls for kernel objects and services
• Support for policy changes
• Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
• Flexible policy
• Controls over process initialization and inheritance, and program execution
• Controls over file systems, directories, files, and open file descriptors
• Controls over sockets, messages, and network interfaces
• Controls over the use of "capabilities"
• Cached information on access-decisions via the Access Vector Cache (AVC)
• Default-deny policy (anything not explicitly specified in the policy is disallowed)

Command-line utilities include: chcon, restorecon, restorecond, runcon, secon, fixfiles, setfiles, load_policy, booleans, getsebool, setsebool, togglesebool, setenforce, semodule, postfix-nochroot, check-selinux-installation, semodule_package, checkmodule, selinux-config-enforcing, selinuxenabled, and selinux-policy-upgrade

---

CONCEPTS

SELinux = LABELING system Labeling → files, process, ports, etc. (system objects) Type enforcement → Isolates processes from each other based on types

Every process, file, directory, system object has a LABEL. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

LABELING

Label format: user:role:type:level (optional)

user → identity known to the policy authorized for a specific set of roles and a specific MLS/MCS range role → attribute of RBAC, serves as an intermediary between domains and SELinux users type → attribute of type enforcement, defines a domain for processes and a type for files level → attribute of MLS/MCS, pair of levels, written as low level-high level if the levels differ, or low level if the levels are identical

Resource

• [ ] https://www.redhat.com/en/topics/linux/what-is-selinux
• [ ] https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
• [ ] https://opensource.com/business/13/11/selinux-policy-guide
• [ ] https://wiki.ubuntu.com/SELinux | https://linuxconfig.org/how-to-disable-enable-selinux-on-ubuntu-20-04-focal-fossa-linux
• [ ] https://opensource.com/article/18/7/sysadmin-guide-selinux | https://opensource.com/downloads/cheat-sheet-selinux
• [ ] https://opensource.com/article/20/11/selinux-containers
• [ ] https://opensource.com/article/18/7/sysadmin-guide-selinux

[anitsh]

Comparison with AppArmor

SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take. Another popular alternative is called AppArmor and is available on SUSE Linux Enterprise Server (SLES), openSUSE, and Debian-based platforms. AppArmor was developed as a component to the now-defunct Immunix Linux platform. Because AppArmor and SELinux differ radically from one another, they form distinct alternatives for software control. Whereas SELinux re-invents certain concepts to provide access to a more expressive set of policy choices, AppArmor was designed to be simple by extending the same administrative semantics used for DAC up to the mandatory access control level.

There are several key differences:

• One important difference is that AppArmor identifies file system objects by path name instead of inode. This means that, for example, a file that is inaccessible may become accessible under AppArmor when a hard link is created to it, while SELinux would deny access through the newly created hard link. As a result, AppArmor can be said not to be a type enforcement system, as files are not assigned a type; instead, they are merely referenced in a configuration file.
• SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.
• Since it endeavors to recreate traditional DAC controls with MAC-level enforcement, AppArmor's set of operations is also considerably smaller than those available under most SELinux implementations. For example, AppArmor's set of operations consist of: read, write, append, execute, lock, and link.[34] Most SELinux implementations will support numbers of operations orders of magnitude more than that. For example, SELinux will usually support those same permissions, but also includes controls for mknod, binding to network sockets, implicit use of POSIX capabilities, loading and unloading kernel modules, various means of accessing shared memory, etc.
• There are no controls in AppArmor for categorically bounding POSIX capabilities. Since the current implementation of capabilities contains no notion of a subject for the operation (only the actor and the operation) it is usually the job of the MAC layer to prevent privileged operations on files outside the actor's enforced realm of control (i.e. "Sandbox"). AppArmor can prevent its own policy from being altered, and prevent file systems from being mounted/unmounted, but does nothing to prevent users from stepping outside their approved realms of control.
• For example, it may be deemed beneficial for help desk employees to change ownership or permissions on certain files even if they don't own them (for example, on a departmental file share). You obviously don't want to give the user(s) root on the box so you give them CAP_FOWNER or CAP_DAC_OVERRIDE. Under SELinux you (or your platform vendor) can configure SELinux to deny all capabilities to otherwise unconfined users, then create confined domains for the employee to be able to transition into after logging in, one that can exercise those capabilities, but only upon files of the appropriate type.[citation needed]
• There is no notion of multilevel security with AppArmor, thus there is no hard BLP or Biba enforcement available.[citation needed].
• AppArmor configuration is done using solely regular flat files. SELinux (by default in most implementations) uses a combination of flat files (used by administrators and developers to write human readable policy before it's compiled) and extended attributes.
• SELinux supports the concept of a "remote policy server" (configurable via /etc/selinux/semanage.conf) as an alternative source for policy configuration. Central management of AppArmor is usually complicated considerably since administrators must decide between configuration deployment tools being run as root (to allow policy updates) or configured manually on each server.