selinux
Manage SELinux security policies
SYNOPSIS
The term "selinux" refers to a Linux kernel security module, not a standalone executable command. Therefore, there is no direct command synopsis for "selinux" itself. Interaction and management of the SELinux system are performed using a suite of dedicated utilities. Common examples include:
getenforce
setenforce [ Enforcing | Permissive | 0 | 1 ]
sestatus [ -v | -b | -f ]
semanage { login | user | port | fcontext | boolean | permissive | dontaudit } ...
chcon [ OPTION ]... CONTEXT FILE... | -R [ OPTION ]... FILE...
restorecon [ OPTION ]... FILE...
DESCRIPTION
The term "selinux" (Security-Enhanced Linux) refers to a Linux kernel security module, not a single standalone command. It is a mandatory access control (MAC) system that provides an additional layer of security on top of the traditional discretionary access control (DAC) model. Unlike DAC, where users can control access to their own resources, SELinux policies enforce system-wide access rules, regardless of user permissions.
SELinux operates by labeling every file, process, port, and other system object with a security context. Policy rules then define which interactions are allowed between these contexts. This fine-grained control helps to confine services, protect against privilege escalation, and mitigate the impact of compromised applications, even if they achieve root privileges.
Management and interaction with the SELinux system are performed through a collection of specialized commands, each designed for a specific task (e.g., checking status, changing modes, managing contexts, or querying policy).
CAVEATS
Complexity: SELinux has a steep learning curve due to its intricate policy language and conceptual model. Misunderstanding can lead to functional breakage.
Debugging: Policy violations are logged to the audit log (typically /var/log/audit/audit.log). Interpreting these logs and creating appropriate policy rules requires specific tools and knowledge.
Distribution Differences: While core concepts are consistent, the default policies and command implementations can vary slightly between Linux distributions (e.g., Red Hat-based vs. Debian-based systems).
Performance Overhead: Although generally negligible on modern systems, SELinux policy enforcement can introduce a slight performance overhead in some I/O-intensive scenarios.
OPERATIONAL MODES
SELinux can operate in three main modes:
Enforcing: SELinux policy is fully active and violations are blocked and logged. This is the most secure mode.
Permissive: SELinux policy is active, but violations are only logged and not blocked. This mode is useful for troubleshooting and policy development, as it allows identification of issues without hindering system operation.
Disabled: SELinux is turned off and no policy is loaded. This is generally discouraged for production systems as it removes a significant security layer.
SECURITY CONTEXTS
Every subject (process) and object (file, port, device) in an SELinux-enabled system is assigned a security context, typically represented as a string with four or more fields: user:role:type:sensitivity[:category]
User: An SELinux user, mapping to a Linux user (e.g., system_u, unconfined_u).
Role: Defines the role a user or process can play (e.g., object_r for files, system_r for processes).
Type: The most critical component, defining the SELinux type of an object or the domain of a process (e.g., httpd_t for an Apache process, httpd_sys_content_t for web content). Policy rules are primarily based on types.
Sensitivity/Category: Used for Multi-Level Security (MLS) or Multi-Category Security (MCS) and typically represented as s0 or s0:c0.c1023.
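The script below is an added example, not part of this page or of the SELinux project's own tooling. It decomposes a context string into the four fields described above and summarises AVC denial records of the kind written to the audit log named under CAVEATS, reporting for each denial the permission, object class, source domain, target type and whether the access was actually blocked or only logged (a permissive domain or system). The audit lines are constructed samples in the auditd record format; the process name, PID, inode, file name and port number are illustrative values, not from a real system.

```shell
#!/bin/sh
# Added example; not part of the selinux man page or the SELinux tooling.
# Decomposes SELinux security contexts and summarises AVC denial records.

# Constructed sample in the format auditd writes to /var/log/audit/audit.log.
# Process name, pid, inode, file name and port are illustrative values only.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1700000000.789:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# split_context CONTEXT
# Splits user:role:type[:level] and prints "user role type level".
# The level (sensitivity, optionally with categories such as s0:c0.c1023)
# contains its own colons, so only the first three separators are consumed;
# "-" marks a context without a level.
split_context() {
    ctx=$1
    c_user=${ctx%%:*}; rest=${ctx#*:}
    c_role=${rest%%:*}; rest=${rest#*:}
    c_type=${rest%%:*}
    case $rest in
        *:*) c_level=${rest#*:} ;;
        *)   c_level=- ;;
    esac
    printf '%s %s %s %s\n' "$c_user" "$c_role" "$c_type" "$c_level"
}

# summarize_avc LOGTEXT
# Prints one line per AVC record: permission, object class, source domain,
# target type, and whether the access was blocked (permissive=0) or only
# logged (permissive=1, i.e. the domain or the whole system is permissive).
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / {
            perm = ""; cls = ""; sctx = ""; tctx = ""; mode = "unknown"
            # the requested permission(s) sit between braces: { read }
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") sctx = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "permissive") mode = (kv[2] == "1") ? "logged-only" : "blocked"
            }
            # the third field of a context is its type (the domain for a process)
            split(sctx, s, ":"); split(tctx, t, ":")
            printf "%s %s %s %s %s\n", perm, cls, s[3], t[3], mode
        }'
}

# count_denials_by_domain LOGTEXT
# Aggregates the summary by source domain, a quick way to see which confined
# service is generating denials before turning to audit2allow or sesearch.
count_denials_by_domain() {
    summarize_avc "$1" | awk '{ n[$3]++ } END { for (d in n) printf "%s %d\n", d, n[d] }' | sort
}

summarize_avc "$SAMPLE_AUDIT_LOG"
count_denials_by_domain "$SAMPLE_AUDIT_LOG"
```

Run as-is it prints two summary lines (both denials come from the httpd_t domain, one blocked, one only logged) and the per-domain count. To use it on a live system, pass the contents of the audit log to summarize_avc instead of the constructed sample; the "logged-only" column is what distinguishes denials that would break a service in Enforcing mode from those already visible while troubleshooting in Permissive mode.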
HISTORY
SELinux was originally developed by the National Security Agency (NSA) of the United States. It was released to the open-source community in 2000 and subsequently integrated into the mainstream Linux kernel in version 2.6, released in 2003. Its primary adoption as a default security mechanism is notably in Red Hat Enterprise Linux, Fedora, and CentOS distributions, where it has become a cornerstone of their security posture.
SEE ALSO
getenforce(8), setenforce(8), sestatus(8), semanage(8), chcon(1), restorecon(8), audit2allow(1), seinfo(8), sesearch(8)