Monday, September 2, 2013

SELINUX BASICS

http://vishalthakur.com

MAC Vs DAC

DAC: Discretionary Access Control

DAC is the traditional form of access control in Linux, used to secure the information held on a machine. In this form of access control, information is secured based on permissions: files and directories have a set of permissions that control which users or groups can access them.

MAC: Mandatory Access Control

MAC is at the heart of SELinux. MAC enforces security on all information present on a machine running Linux in the form of contexts, which are applied to every file, directory, user and process.

Basics

SELinux implements MAC through contexts. Every file, directory, process and user has a context assigned to it, and the contexts control what they have access to.
There are three main components of SELinux:
1. Subject: this is the process
2. Object: this is the file
3. Action: this is what a subject can do to an object

Configuration

The SELinux configuration file can be found at:
/etc/selinux/config
Sample file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Changing SELinux Settings

Open the config file in a text editor.
Change SELINUX= to one of the following for the desired mode:
SELINUX=enforcing (this is the safest mode: SELinux is enforced)
SELINUX=permissive (in this mode, SELinux is not enforced, but all breaches are logged)
SELINUX=disabled (in this mode, SELinux is completely inactive; not recommended)

You need to restart the machine if changing from ‘enforcing’ to ‘disabled’ or vice versa.

Some basic commands


#sestatus
This command prints basic information about the current status of SELinux on the machine.

Sample output:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted


#getenforce
This command prints the current mode of SELinux. It prints one of the following:
Enforcing
Permissive
Disabled

#setenforce
This command can be used to change the mode to ‘enforcing’ or ‘permissive’ by using the values 1 or 0 respectively.
#setenforce 1 (this sets it to ‘enforcing’)
#setenforce 0 (this sets it to ‘permissive’)
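
The sestatus sample above shows a running mode (permissive) that differs from the mode in the config file (enforcing), which is the state a setenforce 0 leaves behind, because setenforce changes only the running mode. The shell functions below are an added example, not part of the original post, that flag this drift; the names config_mode, check_drift and demo are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with /etc/selinux/config.
# Function names are hypothetical; sample data is constructed.

# Print the SELINUX= value from a config file, lowercased.
# Comment lines and SELINUXTYPE= do not match; the last assignment wins.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare a runtime mode (as printed by getenforce) with the config file.
# Prints one verdict line. Returns 0 on match, 1 on drift,
# 2 when the file has no usable SELINUX= line.
check_drift() {
    cfg=$(config_mode "$1")
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cfg" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid: no usable SELINUX= line in $1"; return 2 ;;
    esac
    if [ "$cfg" = "$run" ]; then
        echo "ok: running=$run config=$cfg"
        return 0
    fi
    echo "drift: running=$run config=$cfg"
    return 1
}

# Constructed sample mirroring the sestatus output above:
# the config file says enforcing while the running mode is permissive.
demo() {
    sample=$(mktemp)
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample"
    check_drift "$sample" "Permissive" && rc=0 || rc=$?
    rm -f "$sample"
    return "$rc"
}

demo || true
# On a live host: check_drift /etc/selinux/config "$(getenforce)"
```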