The main function of SELinux is to minimize the resources accessible to each service process in the system (the principle of least privilege) and so to limit, as far as possible, what malicious code can do on a Linux system. SELinux is a security enhancement module deployed in Linux systems. It provides improved security by applying MAC (mandatory access control) to process and file resources.
The operating environment of this tutorial: linux7.3 system, Dell G3 computer.
What is SELinux
Security-Enhanced Linux is abbreviated as SELinux. It is a Linux kernel module and a Linux security subsystem.
SELinux was primarily developed by the U.S. National Security Agency. Linux kernels of versions 2.6 and above have integrated SELinux modules.
The structure and configuration of SELinux are complex and involve many concepts, which makes it hard to learn. Many Linux system administrators turn SELinux off because they find it troublesome.
What is the use of SELinux
The main function of SELinux is to minimize the resources accessible to the service process in the system (the principle of least privilege) .
Traditional Linux systems rely on DAC (discretionary access control) for security. SELinux is a security enhancement module deployed on top of this: it applies MAC (mandatory access control) to process and file resources and thereby provides improved security for Linux systems.
It should be noted that the MAC of SELinux does not replace DAC. It is an additional security layer on top of the existing Linux permissions. In other words, when SELinux is in use, DAC is still applied, and it is applied first: only if DAC allows the access is the SELinux policy consulted. If the DAC rule already denies the access, the SELinux policy is not needed at all.
For example, if a user attempts to execute a file on which they lack execute permission (rw-), the traditional DAC rules deny the access on their own, so the SELinux policy is never consulted.
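The two-stage decision described above (DAC first, then the SELinux policy, with permissive mode logging rather than blocking) can be modelled in a few lines. The following is an added illustration written for this article, not kernel code or any part of the SELinux project; the classes, the POLICY table and the helper names are assumptions of the example, and the rules and uids in it are constructed.

```python
"""Model of the DAC-then-MAC access decision order.

Added illustration, not kernel code: the real decision is made by the
kernel's LSM hooks against a compiled policy. Subject, FileObject,
Decision, POLICY and decide() are names assumed by this example.
"""
from dataclasses import dataclass

# Permission bits of the classic owner/group/other mode triplet.
R, W, X = 4, 2, 1


@dataclass
class Subject:
    uid: int
    gids: set
    domain: str            # SELinux domain of the process, e.g. httpd_t


@dataclass
class FileObject:
    owner: int
    group: int
    mode: int              # e.g. 0o644
    se_type: str           # SELinux type of the file, e.g. httpd_sys_content_t


@dataclass
class Decision:
    allowed: bool
    dac_allowed: bool
    selinux_consulted: bool
    avc_denied: bool       # True when the MAC policy denies (enforced or only logged)
    reason: str


# Constructed allow rules: (domain, type, class) -> permitted operations.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_sys_rw_content_t", "file"): {"read", "write", "getattr", "open"},
}

# Which DAC bit each requested operation needs.
PERM_BIT = {"read": R, "write": W, "execute": X}


def dac_check(subj, obj, op):
    """Discretionary check: pick the owner, group or other bits, then test."""
    if subj.uid == obj.owner:
        bits = (obj.mode >> 6) & 7
    elif obj.group in subj.gids:
        bits = (obj.mode >> 3) & 7
    else:
        bits = obj.mode & 7
    return bool(bits & PERM_BIT[op])


def mac_check(subj, obj, op, tclass="file"):
    """Type-enforcement check: allowed only if an allow rule grants the op."""
    return op in POLICY.get((subj.domain, obj.se_type, tclass), set())


def decide(subj, obj, op, enforcing=True):
    """DAC is evaluated first; SELinux is consulted only when DAC allows.

    In permissive mode (enforcing=False) a MAC denial is recorded, which
    is what produces an AVC log message, but the access still succeeds.
    """
    if not dac_check(subj, obj, op):
        return Decision(False, False, False, False,
                        "denied by DAC; SELinux not consulted")
    if mac_check(subj, obj, op):
        return Decision(True, True, True, False,
                        "allowed by DAC and by SELinux policy")
    if enforcing:
        return Decision(False, True, True, True,
                        "allowed by DAC, denied by SELinux (enforcing)")
    return Decision(True, True, True, True,
                    "allowed by DAC, SELinux denial logged only (permissive)")


if __name__ == "__main__":
    apache = Subject(uid=48, gids={48}, domain="httpd_t")        # constructed uid
    page = FileObject(owner=0, group=0, mode=0o644, se_type="httpd_sys_content_t")
    home = FileObject(owner=1000, group=1000, mode=0o644, se_type="user_home_t")
    private = FileObject(owner=1000, group=1000, mode=0o600, se_type="user_home_t")
    for name, obj in [("page", page), ("home", home), ("private", private)]:
        print(name, decide(apache, obj, "read").reason)
```

The three sample files show the three outcomes the text describes: a world-readable file with the right type is allowed by both layers, a world-readable file in a home directory passes DAC but is stopped (or, in permissive mode, only logged) by SELinux, and a mode 0600 file is denied by DAC before SELinux is ever asked.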
Compared with the traditional Linux DAC security control method, SELinux has many advantages, such as:
It uses the MAC control method, which is considered the strongest access control method;
It gives each subject (user or process) the minimum access privileges, meaning that each subject receives only the limited set of permissions needed to complete its tasks. Granting minimal privileges prevents a subject from adversely affecting other users or processes;
Under SELinux, each process has its own running area (called a domain). A process runs only within its own domain and cannot access other processes or files unless it is specifically granted permission to do so.
SELinux can be switched to Permissive mode, which lets you observe the effect SELinux would have on a system before enforcing it. In Permissive mode, SELinux still logs every access it would deny as a policy violation, but it does not block the access.
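The denials that Permissive mode logs arrive as AVC records in the audit log, each carrying the source domain, the target type, the object class, the denied permission and a permissive=0/1 flag. The script below, added here as an example and not part of the original article or of any SELinux tool, parses such records and summarises them; the log lines are constructed for the demonstration, and the function names (parse_avc, summarize, report) are assumptions of the example. A fuller version of this triage is what the audit2why and audit2allow utilities perform.

```python
"""Summarise SELinux AVC denial records from an audit log.

Added example, not part of the SELinux project. The sample log lines
below are constructed; parse_avc, summarize and report are names
assumed by this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two permissive-mode file denials for the same
# object, one enforced port-binding denial, and one non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1310722 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1310722 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="httpd"
""".splitlines()

VERDICT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcEvent:
    verdict: str
    perms: tuple
    comm: str
    source_type: str
    target_type: str
    tclass: str
    permissive: bool


def se_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return an AvcEvent for an AVC record, or None for any other line."""
    if "type=AVC" not in line:
        return None
    verdict = VERDICT_RE.search(line)
    if not verdict:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return AvcEvent(
        verdict=verdict.group(1),
        perms=tuple(verdict.group(2).split()),
        comm=fields.get("comm", "?"),
        source_type=se_type(fields.get("scontext", "?")),
        target_type=se_type(fields.get("tcontext", "?")),
        tclass=fields.get("tclass", "?"),
        permissive=fields.get("permissive") == "1",
    )


def summarize(lines):
    """Count denials by (source type, target type, class, permission, permissive)."""
    counts = Counter()
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev.verdict != "denied":
            continue
        for perm in ev.perms:
            counts[(ev.source_type, ev.target_type, ev.tclass, perm, ev.permissive)] += 1
    return counts


def report(counts):
    """Render the summary; permissive denials are the ones that were not blocked."""
    rows = []
    for (src, tgt, tclass, perm, permissive), n in sorted(counts.items()):
        mode = "logged only (permissive)" if permissive else "blocked (enforcing)"
        rows.append(f"{n:3d}x {src} -> {tgt} ({tclass}): {perm}  [{mode}]")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

In this constructed sample the httpd_t domain was twice allowed to read a user_home_t file only because the system was permissive, while its attempt to bind an unreserved port was actually blocked; the grouped view is what an administrator reviews before deciding whether the file needs a different type or the port a different label.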
In fact, the most direct way to understand the advantages of SELinux is to see what happens when SELinux is not running on the Linux system.
For example, suppose the web server daemon (httpd) is listening on a port and receives a simple request from a web browser to view the home page. Without SELinux constraining it, the httpd daemon can, once it has received the request:
access any file or directory, subject only to the rwx permissions of the owner and group;
carry out activities that pose security risks, such as allowing file uploads or changing system displays;
listen for incoming requests on any port.
On a system where SELinux confines it, the httpd daemon is controlled much more tightly. In the same example, httpd can only listen on the ports SELinux allows it to listen on. SELinux also prevents httpd from accessing any file that does not carry a properly set security context, and denies unsafe activities that have not been explicitly enabled in the SELinux policy.
So, in essence, SELinux maximally limits the activity of malicious code in Linux systems.