1.6.1 Configure SELinux

SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. Under SELinux, every process and every object (files, sockets, pipes) on the system is assigned a security context, a label that includes detailed type information about the object. The kernel allows processes to access objects only if that access is explicitly allowed by the policy in effect. The policy defines transitions, so that a user can be allowed to run software, but the software can run under a different context than the user's default. This automatically limits the damage that the software can do to files accessible by the calling user. The user does not need to take any action to gain this benefit. For an action to occur, both the traditional DAC permissions must be satisfied as well as the SELinux MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, SELinux rules can only make a system's permissions more restrictive and secure. SELinux requires a complex policy to allow all the actions required of a system under normal operation. Three such policies have been designed for use with RHEL7 and are included with the system: targeted, strict, and mls. These are described as follows:

• targeted: consists mostly of Type Enforcement (TE) rules, and a small number of Role-Based Access Control (RBAC) rules. Targeted restricts the actions of many types of programs, but leaves interactive users largely unaffected.
• strict: also uses TE and RBAC rules, but on more programs and more aggressively.
• mls: implements Multi-Level Security (MLS), which introduces even more kinds of labels (sensitivity and category) and rules that govern access based on these.

This section provides guidance for the configuration of the targeted policy.

This section only applies if SELinux is in use on the system. Recommendations for AppArmor are included in the Distribution Independent Linux benchmark, and additional Mandatory Access Control systems exist beyond these two.

NSA SELinux resources:

• http://www.nsa.gov/research/selinux
• http://www.nsa.gov/research/selinux/list.shtml

Fedora SELinux resources:

• FAQ: http://docs.fedoraproject.org/selinux-faq
• User Guide: http://docs.fedoraproject.org/selinux-user-guide
• Managing Services Guide: http://docs.fedoraproject.org/selinux-managing-confined-services-guide

SELinux Project web page and wiki:

• http://www.selinuxproject.org

Chapters 43-45 of Red Hat Enterprise Linux 5: Deployment Guide (Frank Mayer, Karl MacMillan and David Caplan), SELinux by Example: Using Security Enhanced Linux (Prentice Hall, August 6, 2006)