2. Agenda:
● What is SELinux?
● How it got started?
● DAC vs MAC
● Some real world examples
3. Agenda:
● What is SELinux?
● How it got started?
● DAC vs MAC
● Some real world examples
4. SELinux brief History
● Created by the United States National Security
Agency (NSA)
● Used in many major distributions
– In kernel since 2002
– Fedora since Core 2 (2004)
– RHEL since version 4 (2005)
– Debian since (2007)
– Ubuntu since (2008)
5. Role Based Access Control
Users are authorised for roles
Roles are authorised for domains and types
RBAC coupled with Type Enforcement defines the
SELinux security model
l
6. DAC vs MAC
DAC(Discretionary Access Control)
user root owns the /etc/passwd file
group root owns the /etc/passwd file.
owner can read/write, group and everyone else can read the file.
$ ls -la /etc/passwd
-rw-r--r-- 1 root root 2505 2017-04-02 13:03 /etc/passwd
MAC (Mandatory Access Control)
Central security policy
Users unable to modify the security policy.
System Administrator can define just enough permissions for how
processes access objects and other processes.
7. How does it work?
● Compiled into the kernel
● Packaged security policy
● Checks database of rules on syscalls
● Allows or denies based on policy.
9. SELinux – what does it do?
● Stops daemons going bad
– Policies in most distributions are applied only to
system processes, not user processes.
– Policies limit what a daemon can access and how.
– Prevents daemon compromise affecting other files /
users / ports / etc.
10.
11.
12. Disabling SELinux
To disable SELinux, put it into permissive mode
Permissive mode will continue to log SELinux violations though will
not enforce SELinux policy.
Security Contexts are still applied to the filesystem when in
permissive mode.
Not a good idea to fully disable SELinux.
13. SELinux Benefits
Auditing logs for reporting.
Ability to confine services.
Application debugging.
Provide fine grained access control.
Strengthen the security of the servers.