What is SELinux?

The “SE” in SELinux stands for Security-Enhanced. Linux is basically an operating system like Windows, Android, and iOS. However, rather than being developed by a single company, Linux has always been an open-source project. The source code of the Linux kernel – the “core” of Linux – is freely available to developers both for non-profit and commercial projects. Based on the Linux kernel, several Linux-based operating systems have been created. These are referred to as “distributions” and some of the most well-known are Ubuntu, Debian, and Fedora.

The code of the Linux kernel is constantly being developed by companies, volunteers, and non-profit organizations. Security-Enhanced Linux is an extension of the Linux kernel and is available as a standalone security module. It was officially integrated in the Linux kernel in 2003. Some Linux distributions offer SELinux as standard, but you can easily disable the module if you don’t need it. SELinux gives administrators greater control over the processes running on their system. Any processes that are not considered essential are blocked. This greatly reduces the risks associated with security vulnerabilities in user programs.

Even if you trust a program, it can still be a good idea to restrict access rights, because if the program were to be hijacked by a third party this could have very serious consequences indeed. If programs infected by malware have access to all of the data and processes on a system, they can do a lot of damage. By restricting access, SELinux limits the potential for damage.

The special SELinux security architecture is based on the principle of Mandatory Access Control (MAC). Unlike the standard Linux kernel, SELinux only allows access to operating system processes and files if this is absolutely essential. The aim is to ensure data confidentiality and integrity by implementing a strict access control strategy and corresponding security policies. With SELinux, the operating system and the user programs are clearly separated from one another.

The standard Linux setup uses Discretionary Access Control (DAC). With this type of mechanism, if users and applications have the necessary privileges, they generally have unlimited access to operating system data and processes. When Mandatory Access Control is implemented, as in SELinux, an administrator uses precisely defined security policies to define additional attributes that determine the conditions and contexts in which a user may access certain operating system processes or files. If the conditions or contexts (i.e. attributes) have not been approved, access is denied.

For the purposes of control in SELinux, the administrator assigns the following labels:

• User
• Role
• Type
• Level

These labels can be assigned for every process and file and then integrated in the defined security policies. For example, an application might only be granted access to folders that have a specific label. The process of checking the security policies is referred to as SELinux enforcement.

SELinux hinders or prevents the abuse of user rights that can occur when user programs have security flaws. The operating system is, therefore, well-protected. Linux distributors offer the SELinux module with various different policy packages and corresponding security policies, which simplifies configuration of the security layer. Authorized administrators can also define the security policies themselves.

Although SELinux gives administrators far more control over processes and systems, it does not really help them to resolve problems. Whenever SELinux blocks access, it issues an error message, but these messages are often very vague, which makes troubleshooting rather difficult. SELinux is also a relatively complex module. Many administrators feel that dealing with the security policies and defining attributes is too complicated or requires too much effort. Moreover, implementing SELinux can have a slightly negative effect on the performance of the operating system.

SELinux was developed mainly by the United States National Security Agency (NSA) and Linux distributor Red Hat. The first operating systems to fully support SELinux were Red Hat Enterprise Linux 4 and the Fedora distribution sponsored by Red Hat. In addition to Red Hat and Fedora, Gentoo Hardened Linux also offers relatively comprehensive support for SELinux. Those looking for an alternative to SELinux could try the AppArmor security module which is primarily supported by distributions such as openSUSE and Debian-based platforms.