Created: 2005-11-04 by BenCollins
- Packages: selinux, selinux-basics, selinux-policy-*, libselinux1-*, libsepol1-*, libsemanage1-*, policycoreutils, checkpolicy, setools
SELinux is a mandatory access control (MAC) system that can be used to protect services and contain security exploits found in system daemons or user applications. SELinux constrains services to a least-privilege security domain by way of a security policy, customized by administrators, that provides fine-grained control over information flow.
SELinux was initially a research project by the US National Security Agency, but since then it has gained many contributors throughout the world. It uses the Linux Security Modules framework to implement Mandatory Access Control and Role-Based Access Control (with Type Enforcement®), in preference to the older Discretionary Access Control used by standard *nix systems (Linux included). It controls access to files, sockets, devices, and other object classes. The security policy is written in a flexible configuration language. It defines explicit rules about which subjects (users, programs) can access which objects (files, sockets, devices). All other information flows are denied by the SELinux system.
SELinux is now available in Hardy Heron. See that page for installation instructions.
SELinux uses security labels on files, and these labels need to be backed up and restored along with the files. If a program creates a file, the possibility exists that the file does not get the right security label. restorecon can be used to fix this; however, this is not an automatic action.
In an upgrade from a non-SELinux Ubuntu, no files will have security labels. As part of the SELinux installation, all of the files on the system will be labeled.
A functional SELinux setup should operate transparently to the user. All intended access controls should be encoded within the security policy; unintended or malicious actions will be denied.
Two tools exist to modify and inspect the policy. The first, still under development, is setroubleshoot. It monitors the system's audit logs for denial messages and generates policy that will permit those accesses. The other is SETools, a suite of programs that assist the user in analyzing SELinux policies.
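The denial-to-policy step described above, as an added example that is not setroubleshoot's own code and not part of the original page: it parses AVC denial records from audit-log text and groups them into candidate allow rules. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1209400000.101:41): avc:  denied  { read } for  pid=5012 comm="cupsd" name="printers.conf" dev=sda1 ino=4711 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1209400000.102:42): avc:  denied  { write } for  pid=5012 comm="cupsd" name="printers.conf" dev=sda1 ino=4711 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1209400000.102:42): arch=40000003 syscall=5 success=no exit=-13 comm="cupsd"
type=AVC msg=audit(1209400003.330:57): avc:  denied  { name_bind } for  pid=5012 comm="cupsd" src=8631 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1209400009.000:60): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Permissions in braces, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no AVC decision
        m = AVC_RE.search(line)
        if m:  # "granted" records do not match and are skipped
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def candidate_rules(denials):
    """Render each group as a Type Enforcement allow rule for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(collect_denials(SAMPLE_LOG)):
        print(rule)
```

Each emitted rule widens the policy, so it should be read against what the daemon is meant to do before it is loaded.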
SELinux is licensed under the GPL; its libraries are either public domain or LGPL.
The best way to assist the SELinux effort is to install SELinux on your own system. Report problems that are encountered with the default Ubuntu policy to the Ubuntu hardened mailing list.
Many web sites on the Internet document using and resolving problems with SELinux:
- Hardy Heron is the first Ubuntu distribution to package a functional SELinux system. It is of limited use in that it contains a policy module for a single daemon, CUPS. Thus the most important task is to provide modules for other network daemons, such as apache2 and bind9.
- Next is to either write management tools or port them from Fedora. These include adding SELinux options during user and group creation, graphical interfaces to customize tunable and boolean values, and integrating SELinux directly into Ubiquity.