SELinux (Security-Enhanced Linux)

What is SELinux (Security-Enhanced Linux)?

SELinux, or Security-Enhanced Linux, is a part of the Linux kernel that acts as a protective agent to the OS. In the Linux kernel, SELinux is a mandatory access controls (MAC) mechanism that restricts programs with rules and policies set by the system administrator.

MAC is a higher level of access control than the standard discretionary access control (DAC) that was originally part of Linux. It prevents security breaches in the system by restricting processes so they can only access files, data, and other resources that the administrator preapproves.

SELinux was initially released as a collaboration between Red Hat and the National Security Agency. SELinux receives periodic updates and additions as new Linux distributions are released. The SELinux kernel separates policy and decisions inside the kernel to distribute levels of protection and prevent a total security breach.

SELinux acts under the least-privilege model. SELinux only grants access if the administrator writes a specific policy to do so. It is implemented as part of the Linux Security Module (LSM) framework which is hooked into the Linux kernel. Because it exists on top of the traditional Linux security context enforcement, SELinux can even prevent a compromised root user from accessing protected data.

SELinux is best used in high-security environments where applications and associated data must be kept separate. Some examples where it is valuable would be in publicly accessible servers, cloud servers, containerized workloads, and government use. Because it requires additional work to set up and validate the access policies, it might not be recommended for home or workstation use.

How does SELinux work?

In a SELinux check, there are three main components, the subject, the object, and the security server.

• The subject is the process or executable code making the request to access a resource.
• The object is the system resource being accessed by the subject; it might be a file, hardware resource, or network port.
• The security server is the SELinux component that uses the access policy and context to approve or deny the access. The security server can be running on the system or can be another server that is accessed remotely.
• An access vector cache (AVC) is used to store the decisions of the security server for faster retrieval.

What is SELinux labeling?

An SELinux label is the information attached to every subject and object. The labels are evaluated against the security policy to determine if access should be granted or denied. The label has four components, the user, role, type and range (sensitivity or category).

• The user is the SELinux username and often ends in _u. The SELinux user is distinct from the Linux user, but there can be overlap. Some configurations might only use a single SELinux user.
• The role is the expected job of the SELinux user and often ends in _r. Some example roles might be administrator, user, or database administrator. This is used in role-based access control mode.
• The type is the most important part of SELinux permissions and often ends in _t. The type might also be called the domain. Mose SELinux implementations only use the type to determine the access policy. The unconfined type is often the role that can assign the SELinux policies.,
• The sensitivity range is an optional value expressed as "s" and a number used in multi-level security (MLS) mode. It expresses the sensitivity of a resource -- based on subject's access, lower sensitivity levels, higher numerical values and objects.
• The category is an optional value used in multi-category security (MCS) mode. MCS mode is similar to MLS mode but used where there is no hierarchy, such as in container or virtualization workloads.

An example SELinux object label for \home directory is system_u:object_r:home_root_t:s0.

What are SELinux modes?

There are three modes of SELinux: Enforcing, Permissive and Disabled.

• Enforcing mode is the default mode at installation of SELinux. It will enforce the policies on the system, denying access and logging actions.
• Permissive mode is mainly used for troubleshooting and configuring SELinux. In this mode, SELinux enables and evaluates but does not enforce security policies. This means that actions will result in a warning and log for the system administrator. Permissive mode might be used to check that a proposed security policy will not cause issues on the system before it is enforced.
• Disabled mode means that SELinux is turned off and the security policies do not protect the server.

App Armor vs. SELinux

SELinux's main competitor, AppArmor, is available on the SUSE Linux Enterprise Server, openSUSE and other platforms. AppArmor builds upon the DAC making it more secure and making it mandatory. SELinux, on the other hand, is a completely separate system that does not use the preexisting file access controls.

While SELinux uses the type enforcement system to provide security on the servers, AppArmor does not assign types and instead uses configuration files to grant, restrict and deny access.

SELinux on Android

Android is based on Linux and uses SELinux as a security mechanism. It was first introduced in Android starting in version 4.3 and was fully enforced starting in version 5.0. SELinux is important to the overall Android mobile security model as it is used to separate the various system processes and apps and to keep them from being able to read data that they shouldn't have access to.

SELinux enforcing mode is used in Android to keep apps from being able to access private data in other apps or other system resources directly. For example, if SELinux was disabled or set to permissive it could be possible that a malicious app could easily access a protected banking app or location data.

SELinux in RHEL 7.3

In Red Hat Enterprise Linux (RHEL) 7.3, Red Hat significantly improved SELinux through enhanced administrator policy control. Admins can now create a custom module with a higher priority than the original system module. This new feature allows IT to override the system module and place customizable features that take precedence on the server.

Organizations can use SELinux or AppArmor to protect their Linux servers but should examine the differences between them to see which is the best fit first. Compare two Linux security modules: SELinux vs. AppArmor.