Security Enhanced Linux


SELinux was developed by the National Security Agency in the United States. It is software that protects against some kinds of security attacks, limits the success of others, and logs a great deal of additional information. SELinux is included in the stock 2.6 Linux kernel, so it is no longer necessary to apply the SELinux patch to the kernel to take advantage of its enhancements.

SELinux works by placing each process inside a sandbox known as a domain. By confining a process to its own domain, SELinux limits the damage an attacker can do after compromising that process to gain or escalate privilege.

This section gives an elementary overview of SELinux. If you'd like to explore SELinux further, I recommend visiting the NSA website at http://www.nsa.gov/selinux/.

SELinux Architecture

SELinux is more than kernel code. SELinux consists of the kernel code plus related libraries, configuration files, and administration tools. The system or security administrator creates a security policy for SELinux to enforce. This policy is then loaded on the system and administered through SELinux tools such as newrole, setfiles, checkpolicy, and a whole host of others.

In addition to the SELinux-specific tools, some standard Linux tools are also modified to work with SELinux, including commands such as ps, ls, cron, and others.

SUBJECTS, OBJECTS, AND ACTIONS, OH MY!

Three elements compose SELinux's security model: Subjects, Objects, and Actions. Subjects are the protagonists within the context of SELinux; they are the things that work on or perform actions on objects. Objects are, therefore, the items on which subjects act. Examples of objects include files; processes; special devices like block devices, character devices, and sockets; directories; and filesystems. Objects are grouped into object classes, which include those listed above and many more. And, yes, processes can be both subjects and objects. In other words, a process can perform an action, or it can have an action performed on it.

OBJECT PERSISTENCE

Objects are either persistent or transient. Persistent objects are those that are long-lived, such as files. Transient objects are short-lived, such as a process while running.

Each domain is permitted only a limited set of files and operations. A domain's definition specifies which operations it may perform on files of a given class. Under certain conditions, a process can also transition into another domain.

When an action is requested, for example, a program attempting to read /etc/shadow, an Access Decision must be made. This Access Decision is made based on three security attributes:

  • User identity

  • Role

  • Type

The user identity is exactly what you'd think: the user identity of the subject or object. This information is stored in an SELinux file rather than in /etc/passwd. The role is a given set of permissions for the user identity. A user can be in only one role at a time, and roles are switched through the SELinux newrole command. Finally, types are groupings of subjects and objects and are the primary attribute SELinux uses to make decisions.

Combined, the three security attributes make up the Security Identifier (SID). The SID is an integer value used by SELinux to optimize the myriad access and transition decisions that must take place on a Linux system.
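To make the three attributes, the type-based access decision, domain transitions and the integer SID concrete, here is a small Python model of the decision logic described above. It is an added illustration, not SELinux's own code: the contexts, the allow rules and the transition rule are constructed sample data shaped like SELinux policy, and the denial string is only a simplified stand-in for the kernel's log record.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """An SELinux security context: user identity, role and type (MLS level ignored)."""
    user: str
    role: str
    type: str

def parse_context(text: str) -> Context:
    # Contexts print as user:role:type, e.g. system_u:system_r:httpd_t
    parts = text.split(":")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed context: {text!r}")
    return Context(parts[0], parts[1], parts[2])

# Constructed policy fragment shaped like SELinux allow rules, e.g.
#   allow httpd_t httpd_sys_content_t:file { read getattr open };
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("sshd_t", "shadow_t", "file"): {"read", "getattr", "open"},
}
# Constructed domain transition: executing a file of the entrypoint type
# from the source domain lands the new process in the target domain.
TRANSITION = {("init_t", "httpd_exec_t"): "httpd_t"}

_sid_table = {}  # context -> integer SID handle, as described in the text

def sid_for(ctx: Context) -> int:
    return _sid_table.setdefault(ctx, len(_sid_table) + 1)

def access_allowed(subject: str, obj: str, obj_class: str, perm: str) -> bool:
    """Type enforcement: the decision is keyed on the subject and object types."""
    s, o = parse_context(subject), parse_context(obj)
    return perm in ALLOW.get((s.type, o.type, obj_class), set())

def exec_domain(subject: str, exe: str) -> str:
    """Domain the process runs in after executing exe (no rule: stays put)."""
    s, e = parse_context(subject), parse_context(exe)
    return TRANSITION.get((s.type, e.type), s.type)

def denial_line(subject: str, obj: str, obj_class: str, perm: str) -> str:
    """Simplified denial record in the spirit of an AVC message, for log review."""
    return (f"avc: denied {{ {perm} }} scontext={subject} "
            f"tcontext={obj} tclass={obj_class}")

if __name__ == "__main__":
    web = "system_u:system_r:httpd_t"
    print(access_allowed(web, "system_u:object_r:shadow_t", "file", "read"))  # False
    print(exec_domain("system_u:system_r:init_t", "system_u:object_r:httpd_exec_t"))  # httpd_t
```

Note that the web server domain is refused /etc/shadow even though a root-owned httpd would pass the ordinary Unix permission check; that is the whole point of confining it to httpd_t.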

SELinux gives a level of security not previously possible with Linux. As you can imagine, SELinux is much more complex than this overview could hope to convey. I invite the reader to visit the SELinux website at http://www.nsa.gov/selinux/ for more information on SELinux.
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Author: Michael Rash
