SELinux
Security-Enhanced Linux (SELinux) is a security enhancement to Linux which allows users and administrators more control over access levels. Access can be constrained on such variables as which users and applications can access which resources. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.
SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, SELinux lets you specify who can unlink, append only, move a file and so on. Additionally SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC).
SELinux enforces the idea that programs should be limited to what files they can access and what actions they can take.
SELinux is a kernel security extension, which can be used to guard against misconfigured or compromised programs. It comes with Mandatory Access Control (MAC) system that improves the traditional UNIX/Linux DAC (Discretionary Access Control) model.
SELinux can be any one of the following state:
- enforcing – SELinux security policy is enforced.
- permissive – SELinux prints warnings instead of enforcing.
- disabled – SELinux is fully disabled.
The type of policies that can be used for the SELinux include:
- targeted – This policy will protected only specific targeted network daemons (such as DNS, Apache and others).
- mls - Multi Level Security (MLS) allows further categorization of data privilege levels, such as “confidential, secret” etc and would be applied to files on the filesystem, restricting users to only those articles they are entitled to interact with.
- strict – This is for maximum SELinux protection.
Allow access to an HTTP network port
Check that SELinux is not denying actions
Check that SELinux is Properly Enabled
Configuring SELinux to log warnings instead of block
Get List Of Allowed Network Ports
Run SELinux in permissive mode
Temporarily Switch Off SELinux Enforcement
Temporarily Switch On SELinux Enforcement
Troubleshooting SELinux Policy Errors
Understanding SELinux Configuration
References: