SELinux Overview

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
Hey Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor Rob Goelz, and in today's lesson we're going to be covering SELinux configuration. Upon completion of this lesson, you're going to be able to understand the purpose of SELinux and talk about how SELinux is implemented, and then we're going to use the getenforce command to determine the SELinux mode.

SELinux, or Security-Enhanced Linux, was created by the United States National Security Agency, the NSA, in 2000 as a security system architecture, and it came from a decade of earlier NSA projects. Now, SELinux is what's known as a Linux Security Module, or LSM. This LSM is primarily used in Red Hat, Fedora and CentOS. It is available in Ubuntu, but there's another LSM called AppArmor that we're going to cover in talking about Ubuntu instead.

Now SELinux implements something called Mandatory Access Control, sometimes abbreviated as MAC. By comparison, the basic Linux security bits we've been looking at so far, UGO and RWX, well, those are known as Discretionary Access Control, or a DAC mechanism. Now the MAC design in SELinux restricts all access or all actions to least privilege, and that means that if something is not explicitly granted, it's denied. MAC is implemented in SELinux via policy rules. These policy rules control access to Linux object types. An object type could be a lot of things. It could be a user, file, directory; it could be network ports, memory, or processes.

There's a little bit of lingo to SELinux that you have to wrap your head around a little bit, a glossary here. A subject is a user or application that's requesting access to an object, such as a user accessing a file: the user is the subject, a file is the object. The reference monitor, or monitor, checks whether or not the subject, the user, has access to the object, the file. What it does is it checks the context defined for the object, like the rule, and determines if that subject, the user, has rights to the object, the file. Yes, this is their logo.

Let's take a look at this in a flowchart, maybe clarify a little bit more. A subject requests access to an object: subject, user; object, file. But at any rate, the subject could be a user or a process. In this case, the user is going to be our subject, the file is going to be our object. What happens next is that the reference monitor checks the access to the object. The monitor is going to examine the context label, and the context label defines whether or not the subject has rights to the object. The context label, does it say that the subject has access to that object? Does it say the user has access to the file? No? Well, access is denied. If the user does have access to that file, if the subject has access to the object, access granted, good to go.

Now the last thing we'll talk about today are the modes of SELinux. SELinux has three modes, and we can see these with the getenforce command. The first mode is disabled, and in this mode SELinux is not doing anything at all; no access checks are performed and it's disabled. Permissive mode: in this mode, SELinux performs access checks but doesn't block access to anything. The reason for this is that sometimes you're going to set up SELinux and let it run to establish a baseline and see what people are trying to do, and verify that your rules and things are correct. It's still going to log everything so you can see if things are set incorrectly. It's really useful for auditing and troubleshooting. Sometimes, occasionally, you set things to be permissive just to make sure that SELinux isn't causing issues. Enforcing, the last mode that we're going to talk about, is the one where it's doing everything: it's going to perform access checks and block the subject's access if that subject doesn't have access to the object via the context label. The SELinux mode can be seen by running the getenforce command, like I said. In this case, it's run getenforce and it tells you that it's enforcing.

With that, in this lesson, we covered the purpose of SELinux. We talked about how SELinux is implemented, and then we talked about using the getenforce command to view the SELinux mode. Thanks so much for being here, and I look forward to seeing you in the next lesson.
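The mode check the lesson describes, as an added example that is not part of the Cybrary lesson: a POSIX shell script that determines the running SELinux mode the way getenforce reports it and compares it with the boot-time setting in /etc/selinux/config, so a host left in permissive mode after troubleshooting is noticed. It assumes the standard locations /sys/fs/selinux/enforce and /etc/selinux/config, and the functions accept alternative paths as arguments so the logic can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the lesson): report the SELinux mode the kernel is
# actually in and compare it with the mode configured for the next boot.
# Assumed standard locations: /sys/fs/selinux/enforce holds 1 (enforcing) or
# 0 (permissive) while SELinux is loaded; /etc/selinux/config holds SELINUX=.

# Map the enforce file (or its absence) to the name getenforce would print.
runtime_mode() {
    enforce_file=${1:-/sys/fs/selinux/enforce}
    if [ ! -r "$enforce_file" ]; then
        echo Disabled    # no selinuxfs: the kernel performs no access checks
        return 0
    fi
    case $(cat "$enforce_file") in
        1) echo Enforcing ;;
        0) echo Permissive ;;
        *) echo Unknown ;;
    esac
}

# Read the boot-time setting (SELINUX=enforcing|permissive|disabled).
configured_mode() {
    config_file=${1:-/etc/selinux/config}
    [ -r "$config_file" ] || { echo Unknown; return 0; }
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$config_file" | tail -n 1
}

# "consistent" when the running mode matches the configured one, otherwise
# "mismatch": e.g. a host switched to permissive with setenforce 0 and left there.
check_consistency() {
    running=$(runtime_mode "$1" | tr 'A-Z' 'a-z')
    wanted=$(configured_mode "$2")
    if [ "$running" = "$wanted" ]; then
        echo consistent
    else
        echo mismatch
    fi
}

# Stand-alone usage on the current host: sh selinux-mode-check.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "running=$(runtime_mode) configured=$(configured_mode) $(check_consistency)"
fi
```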