The “SE” in SELinux stands for Security-Enhanced. Linux is basically an operating system like Windows, Android, and iOS. However, rather than being developed by a single company, Linux has always been an open-source project. The source code of the Linux kernel – the “core” of Linux – is freely available to developers both for non-profit and commercial projects. Based on the Linux kernel, several Linux-based operating systems have been created. These are referred to as “distributions” and some of the most well-known are Ubuntu, Debian, and Fedora.
The code of the Linux kernel is constantly being developed by companies, volunteers, and non-profit organizations. Security-Enhanced Linux is an extension of the Linux kernel and is available as a standalone security module. It was officially integrated in the Linux kernel in 2003. Some Linux distributions offer SELinux as standard, but you can easily disable the module if you don’t need it. SELinux gives administrators greater control over the processes running on their system. Any processes that are not considered essential are blocked. This greatly reduces the risks associated with security vulnerabilities in user programs.
Even if you trust a program, it can still be a good idea to restrict access rights, because if the program were to be hijacked by a third party this could have very serious consequences indeed. If programs infected by malware have access to all of the data and processes on a system, they can do a lot of damage. By restricting access, SELinux limits the potential for damage.
The special SELinux security architecture is based on the principle of Mandatory Access Control (MAC). Unlike the standard Linux kernel, SELinux only allows access to operating system processes and files if this is absolutely essential. The aim is to ensure data confidentiality and integrity by implementing a strict access control strategy and corresponding security policies. With SELinux, the operating system and the user programs are clearly separated from one another.
The standard Linux setup uses Discretionary Access Control (DAC). With this type of mechanism, if users and applications have the necessary privileges, they generally have unlimited access to operating system data and processes. When Mandatory Access Control is implemented, as in SELinux, an administrator uses precisely defined security policies to define additional attributes that determine the conditions and contexts in which a user may access certain operating system processes or files. If the conditions or contexts (i.e. attributes) have not been approved, access is denied.
For the purposes of control in SELinux, the administrator assigns the following labels:
These labels can be assigned for every process and file and then integrated in the defined security policies. For example, an application might only be granted access to folders that have a specific label. The process of checking the security policies is referred to as SELinux enforcement.
SELinux hinders or prevents the abuse of user rights that can occur when user programs have security flaws. The operating system is, therefore, well-protected. Linux distributors offer the SELinux module with various different policy packages and corresponding security policies, which simplifies configuration of the security layer. Authorized administrators can also define the security policies themselves.
Although SELinux gives administrators far more control over processes and systems, it does not really help them to resolve problems. Whenever SELinux blocks access, it issues an error message, but these messages are often very vague, which makes troubleshooting rather difficult. SELinux is also a relatively complex module. Many administrators feel that dealing with the security policies and defining attributes is too complicated or requires too much effort. Moreover, implementing SELinux can have a slightly negative effect on the performance of the operating system.
SELinux is a very powerful security tool, but if you want to use it you need to be prepared to put in some extra work. The software will only be effective if you take the time to configure everything correctly – if you only partially set it up, you won’t reap the advantages. Nonetheless, in professional environments where sensitive data is handled, using SELinux is highly recommended.
SELinux was developed mainly by the United States National Security Agency (NSA) and Linux distributor Red Hat. The first operating systems to fully support SELinux were Red Hat Enterprise Linux 4 and the Fedora distribution sponsored by Red Hat. In addition to Red Hat and Fedora, Gentoo Hardened Linux also offers relatively comprehensive support for SELinux. Those looking for an alternative to SELinux could try the AppArmor security module which is primarily supported by distributions such as openSUSE and Debian-based platforms.
If you operate or rent your own server, it is your responsibility to protect it against failures and external access. You can immediately begin to set the foundation for this when configuring the server, if you have the necessary administrative rights. The correct settings can work wonders, especially with encrypted remote connections via SSH protocol, and greatly increase security.
Under Linux, all actions that you can carry out with the mouse and window system via the graphical user interface can also be performed using program calls in the terminal – provided you know the appropriate command and how to use it according to the correct syntax. To make working in the terminal easier, we provide you with an overview of basic Linux commands with detailed descriptions and...
Most PC users are only familiar with Windows in its various versions, but there are alternative operating systems on the market. Linux distributions offer many advantages compared to Microsoft’s product. Nonetheless, there are many things to take into consideration before switching. So, who should you fight for in the great battle – Linux or Windows?
Organizations restrict access permissions in systems to protect sensitive data from unauthorized access and modification. However, assigning access permissions to users individually is a high-maintenance and error-prone process. In the case of role-based access control (RBAC), permissions are assigned based on previously assigned roles. Here, we explain how role-based access control works.
From Ubuntu to Debian, there is a wide range of Linux distributions to choose from. In 2015, Intel introduced another alternative which is specially designed for Intel hardware: the cloud operating system Clear Linux. Since then, Clear Linux OS has become a popular choice as a desktop operating system and for use with hardware from other manufacturers. Here, we provide a more detailed introduction...
Provide powerful and reliable service to your clients with a web hosting package from IONOS.
View packages
