MLS: Multi-Level Security
RBAC: Role-Based Access Control
TE: Type Enforcement
MAC: Mandatory Access Control <-> DAC: Discretionary Access Control
MAC adds extra control over processes and users (which files process x or user y may change).
Good access control, unlike the DAC of a normal Linux system. An SELinux security context has a user, role, type and level, while a Linux user only has a user id and group id.
Reduces vulnerability to attacks through access control: intruders can only access the files the software (like httpd) really needs.
Confined servers: SELinux has the ability to confine services and daemons so that they are more predictable and are only allowed the access required for their normal operation.
Independent from normal Linux ownership and permissions.
/var/log/messages is more readable (than audit.log), but rsyslogd is not always running: chkconfig --levels 2345 rsyslogd on
Booleans: changed at runtime, no policy writing needed; they switch predefined parts of the policy on or off.
The semanage boolean command doesn't work yet on RH/CentOS 5.x. The -P flag (setsebool -P) makes a change persistent across reboots.
SELinux user (identity): authorized for a specific set of roles and an MLS range. Each Linux user is mapped to an SELinux user: semanage login -l
Role: part of the RBAC model.
Type: the attribute of type enforcement; defines the domain for processes and the type for files.
Level: the attribute for MLS.
For processes, unconfined_t is not checked (in the targeted policy).
chcon -t httpd_sys_content_t /web (use the full path of the file/dir).
restorecon only reverts what chcon changed, back to the policy default. semanage fcontext adds a rule to file_contexts.local; chcon does not. After semanage fcontext -d, run restorecon again.
fixfiles relabel can make the system unstable. fixfiles -R relies on the rpm database.
NFS mounts: the standard type is nfs_t. Context changes to files on such a mount won't work; chcon results in "Operation not supported".
Mounting /dev/sda2 on /foo/ assumes there are no rules that define a context for /foo/; the files keep their context when changed. Persistent: fstab.
If you copy a file over an existing file, the original (target) context is preserved.
matchpathcon: get the default security context for the specified path from the file contexts configuration.
semodule -D disables dontaudit rules; -B rebuilds the policy. Run semodule -B again after debugging.
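An added example (not from these notes) that models how restorecon resolves a path's default context from file_contexts entries: the last matching entry wins, rules added with semanage fcontext land in file_contexts.local and are consulted after the base file, and a label set with chcon is simply overwritten. The rules, types and paths below are constructed for the example.

```python
import re

# Constructed file_contexts entries (format: "<regex> [<file type>] <context>").
FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t:s0
/web(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/web/logs(/.*)?     system_u:object_r:httpd_log_t:s0
"""
# What "semanage fcontext -a -t httpd_sys_rw_content_t '/web/upload(/.*)?'" would
# append to file_contexts.local (constructed for the example).
FILE_CONTEXTS_LOCAL = """
/web/upload(/.*)?   system_u:object_r:httpd_sys_rw_content_t:s0
"""

def parse_file_contexts(text):
    """Parse file_contexts text into (compiled regex, file type or None, context) tuples."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        regex, context = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        # setfiles anchors each regex at the end of the path; match() anchors the start.
        specs.append((re.compile(regex + r'\Z'), ftype, context))
    return specs

def matchpathcon(path, specs):
    """Default context for path: the last matching entry wins, as in libselinux."""
    for regex, _ftype, context in reversed(specs):
        if regex.match(path):
            return None if context == '<<none>>' else context
    return None

def restorecon(labels, base_text, local_text=''):
    """Relabel a {path: context} map to policy defaults; local rules come after base rules."""
    specs = parse_file_contexts(base_text) + parse_file_contexts(local_text)
    return {p: (matchpathcon(p, specs) or cur) for p, cur in labels.items()}

def demo():
    files = {'/web/index.html': 'system_u:object_r:httpd_sys_content_t:s0',
             '/web/upload/a.png': 'system_u:object_r:httpd_sys_content_t:s0'}
    # chcon -t user_home_t changes only the file's current label, not the rules.
    files['/web/upload/a.png'] = 'unconfined_u:object_r:user_home_t:s0'
    with_local = restorecon(files, FILE_CONTEXTS, FILE_CONTEXTS_LOCAL)
    after_delete = restorecon(files, FILE_CONTEXTS)  # after fcontext -d, restorecon again
    return with_local, after_delete
```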