How Security-Enhanced Linux Works?

SELinux works by implementing mandatory access controls (MAC). With MAC, sysadmins define which users and processes have access to specific resources rather than relying on less secure broadly-defined permissions. To accomplish this, SELinux uses security policies.

SELinux Policies

SELinux blocks all applications and users by default, allowing access only to those specified in the security policies. Security policies are a set of simple rules that tell SELinux who is allowed to access which parts of the system. These rules set the permissions for each user, program, and resource. SELinux keeps track of every decision (allow or block access) in the Access Vector Cache (AVC). This makes checking permissions faster.

When a program tries to access something, SELinux first checks AVC to see if a decision has already been made. If so, it follows that decision quickly. If not, SELinux looks at the policy rules and makes a new decision.

One key feature is that SELinux can give different permissions to different programs. For example, a web server program might be allowed to read and write files, but other programs cannot. SELinux can also check conditions before allowing access. Maybe a web server can only read/write if the request comes from a trusted address.

SELinux Labels and Type Enforcement

SELinux uses labels with the policy rules to decide what actions to allow for each resource. Admins assign labels to every process, network port, file, etc. Labels include:

1. User – The Linux user mapped to a SELinux user
2. Role – The user’s authorized role for that system
3. Type – This determines the permissions that are enforced
4. Level (optional) – A security clearance level

The labels match up with the security policy rules, which specify access allowed for each label type.

Label format :

user:role:type:level

The type part of the label is most important. Type enforcement means SELinux checks the type labels, and only allows authorized types to access resources. Each type has a list of permitted actions. When a user/program tries to access something, SELinux compares the type labels. If the types match the policy rules, access is granted.

SELinux Modes

1. Enforcing mode : This is default and most secure. SELinux actively enforces the policy rules, denying any unauthorized access attempts. Blocked attempts are logged.

2. Permissive mode : Less secure but still monitors access. SELinux just logs what would be blocked by policies, but doesn’t actually block it. Useful for testing.

3. Disabled mode : SELinux is completely turned off removing all the access protection. This mode is Only for the troubleshooting.

SELinux is a special security system built into Linux computers. It helps keep your computer safe and secure. With SELinux, different programs and users on the computer have limited permissions. This means each program or user can only access certain files and do certain actions that they are allowed to do. For example, The web browser can connect to the internet but it cannot read your private documents. This prevents viruses and hackers from gaining full control over your system if they get into one program.

SELinux sets rules about what different programs and users are permitted to do. System administrators enable SELinux and set up these security rules based on their needs.