SELinux details


SELinux (Security-Enhanced Linux) is a mandatory access control mechanism developed by the National Security Agency (NSA) and integrated into the Linux kernel. It controls the permissions that specific processes have on specified file resources. Its main purpose is to strengthen the security of the traditional Linux operating system and to solve the permission problems of the discretionary access control (DAC) system in traditional Linux, such as the excessive privileges of root.


Note that even the root user must abide by SELinux rules in order to access system resources, although root can also modify those rules. In other words, a user must satisfy both the system's read, write and execute permissions and the SELinux rules in order to access system resources.

In a traditional Linux system, access is controlled by default through the read, write and execute permissions that the owner, the group and others have on a file or directory. This control method is called discretionary access control (DAC). SELinux uses mandatory access control (MAC) instead: it controls whether a process may access files or directories on a specific file system, and that decision depends on the many policy rules set in SELinux.

The two control modes are introduced in turn below:

1. Discretionary access control (DAC)

DAC is the default access control mode of Linux: access is decided according to the identity of the user and that identity's rwx permissions on files and directories.

However, this method usually runs into the following problems:

  • Root's privileges are too high, and rwx permissions have no effect on the root user. Once the root account is compromised, or root makes a mistake, the consequences for the security of the Linux system are serious.
  • The default Linux permissions are too simple. There are only three identities (owner, group and others) and only three permissions (read, write and execute), which makes fine-grained permission separation and assignment difficult.
  • Unreasonable permission allocation will lead to serious consequences.

2. Mandatory access control (MAC)

MAC controls the access of specific processes to system file resources through SELinux's default policy rules. In other words, even if you are the root user, you cannot access file resources if you use the wrong process.

SELinux's mandatory access control does not completely replace discretionary access control. For the security of a Linux system, mandatory access control is an additional security layer. When SELinux is in use, discretionary access control is still applied, and it is applied first. If DAC allows the access, the SELinux policy is then consulted; conversely, if the DAC rules deny the access, the SELinux policy does not need to be consulted.

SELinux functions as follows:

  1. SELinux is considered to be the most powerful access control mode, that is, MAC control mode.
  2. SELinux gives users or processes minimal access. That is, each user or process is given only a limited set of permissions necessary to complete the relevant tasks. By giving minimum access rights, you can prevent adverse effects on other users or processes.
  3. Under SELinux management, each process has its own running area (domain). Each process runs only in its own area and cannot access other processes and files unless special permissions are granted.

Three operating modes of SELinux

SELinux provides three working modes: disabled working mode, permissive working mode and enforcing working mode. Their details are as follows:

  1. Disabled operating mode (off mode)
    In disabled mode, SELinux is turned off and only DAC access control is used. This mode is useful for environments that do not need enhanced security.

Note that before disabling SELinux, you need to consider whether SELinux may be used on the system again. If you later decide to set it to enforcing or permissive, the system will automatically relabel its files with SELinux labels the next time it is restarted.

To turn SELinux off, you only need to edit the configuration file /etc/selinux/config and change the "SELINUX=" line to "SELINUX=disabled". After the system is restarted, SELinux is disabled.
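A check for the setting described above, as an added example that is not part of the original article: it reads the SELINUX= line from a config file and reports what the next boot will apply. The function names are hypothetical, and taking the first uncommented SELINUX= line and ignoring letter case are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Print the mode the config file requests for the next boot.
# Assumptions: the first line starting exactly with "SELINUX=" is the one
# used, and the value is compared without regard to letter case.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    value=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" |
            head -n 1 | tr 'A-Z' 'a-z')
    case "$value" in
        enforcing|permissive|disabled) echo "$value" ;;
        "") echo "missing"; return 1 ;;
        *)  echo "invalid"; return 1 ;;
    esac
}

# Turn the configured mode into a one-line audit finding.
selinux_config_finding() {
    mode=$(selinux_config_mode "$1") || true
    case "$mode" in
        enforcing)  echo "OK: policy rules will be enforced" ;;
        permissive) echo "WARN: denials are only logged, access is still allowed" ;;
        disabled)   echo "WARN: SELinux is off, only DAC applies" ;;
        *)          echo "ERROR: SELINUX= is $mode in ${1:-/etc/selinux/config}" ;;
    esac
}

# Constructed sample config: the commented-out line and SELINUXTYPE= are ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
#SELINUX=enforcing
SELINUX=disabled
SELINUXTYPE=targeted
EOF
selinux_config_finding "$sample"
rm -f "$sample"
```
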

  2. Permissive working mode (tolerant mode)
    In permissive mode, SELinux is enabled, but security policy rules are not enforced. Access is still allowed when security policy rules should deny access. A message that the access should be denied will be sent to the log file.

SELinux permissive mode is mainly used to audit the current SELinux policy rules. It can also be used to test new applications and the effect of applying SELinux policy rules to them, and to troubleshoot a specific service or application that no longer works normally under SELinux.

  3. Enforcing operating mode (forced mode)
    In enforcing mode, SELinux is enabled and all security policy rules are enforced.
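To audit the messages that permissive mode writes to the log, the following added example (not part of the original article) groups AVC denial records by source type, target type, class and permissions, and marks each group as blocked (enforcing) or logged-only (permissive). The function name avc_summary is hypothetical and the log lines are constructed samples in the usual audit log layout.

```shell
#!/bin/sh
# Added example, not from the original article; avc_summary is a hypothetical name.
# Output per group: count, source type, target type, class, permissions, effect.
avc_summary() {
    awk '
    /type=AVC/ && / denied / {
        perms = ""; src = "?"; tgt = "?"; cls = "?"; effect = "unknown"; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if (index($i, "scontext=") == 1) { split(substr($i, 10), s, ":"); src = s[3] }
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if (index($i, "tclass=") == 1)   { cls = substr($i, 8) }
            # permissive=1: access went ahead and was only logged.
            if ($i == "permissive=1") effect = "logged-only"
            # permissive=0: access was actually denied.
            if ($i == "permissive=0") effect = "blocked"
        }
        n[src " " tgt " " cls " " perms " " effect]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k2
}

# Constructed sample records (not from a real system).
log=$(mktemp)
cat > "$log" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=1410 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000004.220:207): avc:  denied  { read open } for  pid=1411 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.870:215): avc:  denied  { name_connect } for  pid=1410 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AUTH msg=audit(1700000012.001:220): pid=1500 uid=0 msg='op=PAM:authentication'
EOF
avc_summary "$log"
rm -f "$log"
```

Groups marked logged-only are the accesses that would start failing if the same policy were switched to enforcing mode.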

The above is the detailed description of SELinux shared by the Liangxu tutorial network for all friends.
