Section 20.195 SELinux Policies Flashcards
Objectives 2.5 Explain the purpose of mitigation techniques used to secure the enterprise.
Objectives 4.1 Given a scenario, you must be able to apply common security techniques to computing resources.
Objectives 4.5 Given a scenario, you must be able to modify enterprise capabilities to enhance security.
SELinux and MAC Basics
SELinux (Security Enhanced Linux)
● A security mechanism that provides an additional layer of security for Linux distributions
● Enforces Mandatory Access Control (MAC)
SELinux and MAC Basics
Mandatory Access Control (MAC)
Restricts access to system resources based on subject clearance and object labels
SELinux and MAC Basics
Context-based permissions
Permission schemes that consider various properties to determine whether to grant or deny access to a user
■ Two main context-based permission schemes in Linux that use MAC:
● SELinux
● AppArmor
SELinux and MAC Basics
DAC vs. MAC
DAC (Discretionary Access Control):
○ Each object has a list of entities that are allowed to access it
○ Allows object owners to directly control access using tools like ‘chown’ and ‘chmod’
● SELinux relies on MAC for permissions and access control, not DAC
SELinux
The default context-based permission scheme in CentOS and Red Hat Enterprise Linux, created by the NSA
■ Used to enforce MAC on processes and resources
■ Enables information to be classified and protected
■ Enhances file system and network security, preventing unauthorized access, security breaches, and execution of untrustworthy programs
Three Main Contexts in SELinux
User Context
Defines which users can access an object, including common contexts like:
● ‘unconfined_u’ (ALL USERS)
● ‘user_u’ (UNPRIVILEGED USERS)
● ‘sysadm_u’ (SYSTEM ADMINISTRATORS)
● ‘root’ (ROOT USER)
Three Main Contexts in SELinux
Role Context
Determines which roles can access an object, using ‘object_r’ for files and directories
Three Main Contexts in SELinux
Type Context
Essential for fine-grained access control, grouping objects with similar security characteristics
Optional Context (4th context)
Level Context
● Describes the sensitivity level of a file, directory, or process
● Known as a multi-level security context, allowing further access control refinement
3 SELinux Modes
Disabled Mode
Turns off SELinux, relying on default DAC for access control
3 SELinux Modes
Enforcing Mode
Enforces all SELinux security policies, preventing policy violations
3 SELinux Modes
Permissive Mode
Enables SELinux but doesn’t enforce policies, allowing processes to bypass security policies
SELinux Policies
SELinux Policy
Describes access permissions for users, programs, processes, files, and devices
SELinux Policies: Two Main Policy Types
Targeted Policies
Only specific processes are confined to a domain, while others run unconfined
SELinux Policies: Two Main Policy Types
Strict Policies
Every subject and object operates under MAC, but it’s more complex to set up