Selinux and Normal Linux - unix1998/technical_notes GitHub Wiki

SELinux (Security-Enhanced Linux) adds a layer of security to a Linux system by enforcing mandatory access control (MAC) policies in the kernel. This sits on top of, not in place of, the discretionary access control (DAC) used in standard Linux systems: an operation must pass the traditional permission check first, and only then is the SELinux policy consulted. Here are the key differences between a Linux system with SELinux enabled and one without:

Access Control

  1. Discretionary Access Control (DAC):
    • Un-Enabled Linux: Users and processes have control over their own resources. File and directory permissions (read, write, execute) are set by the owner, and other users can be granted or denied access at the owner's discretion. A process running as root (uid 0, or holding the relevant capability) bypasses these checks entirely.
  2. Mandatory Access Control (MAC):
    • SELinux Enabled: Access decisions are additionally checked by the kernel against a system-wide policy that the owner of a resource cannot relax. Because SELinux is consulted only after DAC allows an operation, it can only take access away, never grant access that traditional permissions deny. Being root does not exempt a process: a uid-0 process is still bound by the rules for the domain it runs in. Note that on the default targeted policy an administrator's root shell runs unconfined (unconfined_t), so the real gain is that a confined service which is exploited stays confined even if it runs as root.

Security Policies

  1. Policy Enforcement:
    • Un-Enabled Linux: Relies on owner-set permissions and the traditional UNIX permission bits (owner, group, others) for security.
    • SELinux Enabled: Uses security policies that define how every process and object (files, directories, ports, sockets, other processes) may interact. The policy ships with the distribution (for example the targeted policy on Fedora and RHEL), can be tuned with booleans and extended with local policy modules, and gives far more granular control over system resources than permission bits.

Process and File Labeling

  1. Labels (Contexts):
    • Un-Enabled Linux: Files and processes do not carry security labels; access control is based on file ownership and permission bits only.
    • SELinux Enabled: Every file, directory, process, port and socket is assigned a security context (label) of the form user:role:type:level, for example system_u:object_r:httpd_sys_content_t:s0 for web content or system_u:system_r:httpd_t:s0 for the web server process. Under the targeted policy almost all rules key on the third field, the type, which is why SELinux is described as type enforcement. Labels are visible with ls -Z and ps -Z, and a wrong label on a file is the most common reason a service is denied access.

Containment and Isolation

  1. Containment:
    • Un-Enabled Linux: Processes can generally interact with each other and with files without restrictions beyond DAC permissions; anything running as a given user can read and modify everything that user owns.
    • SELinux Enabled: Each process runs in a domain (the type in its context, such as httpd_t), and the policy lists exactly which types that domain may read, write, execute, connect to or signal. A confined service therefore cannot touch files or ports outside its allowed set, which limits the potential damage of a compromised process.

System Compromise Mitigation

  1. Damage Limitation:
    • Un-Enabled Linux: If a process is compromised, the attacker inherits every permission of that process, which typically means all files and processes of the same user or group, and everything on the system if the process ran as root.
    • SELinux Enabled: A compromised process remains constrained by the policy for its domain. A web server confined to httpd_t, for instance, cannot read users' home directories, SSH keys or another service's data unless the policy or a boolean explicitly allows it, even where DAC would permit it. The attacker must also break out of the domain (through a kernel or policy flaw) before the compromise can spread.

Configuration and Management

  1. Ease of Configuration:
    • Un-Enabled Linux: Generally simpler to configure, as it relies on traditional UNIX permissions.
    • SELinux Enabled: More complex to configure and manage because files, ports and services must carry the labels the policy expects. In practice most work is relabeling and toggling booleans rather than writing policy. The main tools are getenforce/setenforce (mode), ls -Z/ps -Z (inspect labels), semanage (persistent file context, port and boolean definitions), restorecon (apply the recorded labels), setsebool (toggle booleans; -P makes the change persistent), chcon (temporary relabel, lost on the next restorecon) and audit2allow (turn logged denials into a policy module, to be reviewed before loading).
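The following script is an added example, not part of the wiki page, covering both the label format described above and the management commands just listed. The pure helper functions run on any system and work on constructed ls -Z output; the live section at the end only runs as root on a host where SELinux is enabled, and it assumes /srv/www as a non-standard web root (an assumption for illustration). It also shows a common mistake with semanage fcontext patterns: libselinux anchors every pattern to the whole path, so `/srv/www/*` does not cover files under that directory while `/srv/www(/.*)?` does.

```shell
#!/bin/sh
# Added example (not from the wiki). Pure helpers first; live commands at
# the end are guarded so the script is safe to run anywhere.

# Print field N of an SELinux context "user:role:type:level".
# The level (field 4) may itself contain colons (s0:c0.c1023), so it is
# everything after the third colon.
ctx_field() {
    ctx=$1; n=$2
    case $n in
        4) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *) printf '%s\n' "$ctx" | cut -d: -f"$n" ;;
    esac
}

# Does a semanage fcontext / file_contexts pattern cover a path?
# libselinux compiles each pattern anchored with ^ and $, which grep -E
# mimics here. Returns 0 when the path is covered.
fcontext_covers() {
    pattern=$1; path=$2
    printf '%s\n' "$path" | grep -Eq "^${pattern}\$"
}

# Read `ls -Z`-style lines ("<context> <name>") from stdin and print the
# names whose type field differs from the expected type.
find_mislabeled() {
    expected=$1
    while read -r ctx name; do
        [ "$(ctx_field "$ctx" 3)" = "$expected" ] || printf '%s\n' "$name"
    done
}

# Constructed sample output of `ls -Z` in a web root: one file was copied
# from a home directory and kept its user_home_t label.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 uploaded.html
system_u:object_r:httpd_sys_content_t:s0 logo.png'

echo "mislabeled files in sample:"
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t   # uploaded.html

echo "fcontext pattern check:"
for p in '/srv/www(/.*)?' '/srv/www/*'; do
    if fcontext_covers "$p" /srv/www/index.html; then
        echo "  $p covers /srv/www/index.html"
    else
        echo "  $p does NOT cover /srv/www/index.html"
    fi
done

# Live section: only on an SELinux-enabled host, as root. /srv/www is an
# assumed example web root.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ] \
   && [ "$(id -u)" -eq 0 ] && [ -d /srv/www ]; then
    echo "files under /srv/www not labeled httpd_sys_content_t:"
    ls -Z /srv/www | find_mislabeled httpd_sys_content_t
    # Persistent fix: record the rule (add, or modify if it already exists),
    # then apply it. chcon alone would be undone by the next relabel.
    semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?' 2>/dev/null \
        || semanage fcontext -m -t httpd_sys_content_t '/srv/www(/.*)?'
    restorecon -Rv /srv/www
    # Booleans: -P writes the change to the policy store so it survives reboot.
    setsebool -P httpd_can_network_connect on
    echo "web server domain(s):"
    ps -eZ | grep -w httpd_t || echo "  (no httpd_t process running)"
fi
```

Use restorecon -Rnv (dry run) first on a live host to see which files would change before applying anything.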

Enforcement Modes

  1. Modes of Operation:
    • SELinux Enabled: Has three modes, shown by getenforce and sestatus:
      • Enforcing: The policy is enforced; access that does not comply with it is blocked and logged.
      • Permissive: The policy is loaded and labels are maintained, but nothing is blocked; every violation is logged as if it had been denied. This is the mode to use when debugging a service or building a policy. Individual domains can also be made permissive with semanage permissive -a, leaving the rest of the system enforcing.
      • Disabled: SELinux is turned off and only DAC is used. Files created while disabled receive no labels, so re-enabling requires a full relabel (touch /.autorelabel, then reboot).
    • setenforce 0 / setenforce 1 switch between permissive and enforcing at runtime only; the mode at boot comes from SELINUX= in /etc/selinux/config. Disabling cannot be done at runtime, only at boot (via that file or the selinux=0 kernel parameter on newer kernels), which is why a host that is enforcing now may still come back permissive after a reboot.
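As an added example (not from the wiki page), the script below checks for the runtime-versus-boot-time mismatch described above: setenforce changes only the running kernel, while /etc/selinux/config decides the mode after the next reboot, so a compliance check must look at both. On a host with getenforce it reads the real config file; elsewhere it runs against a constructed config text that stands in for /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the wiki): detect drift between the SELinux mode
# that is active now and the mode configured for the next boot.

# Extract the SELINUX= value from config text on stdin, ignoring comment
# lines and SELINUXTYPE=. Prints enforcing, permissive, disabled or unset.
config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
           | tail -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${mode:-unset}"
}

# Compare the runtime mode (as printed by getenforce: Enforcing, Permissive
# or Disabled) with the configured mode. Prints a verdict; returns 0 only
# when the host is enforcing now and will still be enforcing after reboot.
mode_drift() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$2
    if [ "$runtime" = enforcing ] && [ "$configured" = enforcing ]; then
        echo "ok: enforcing now and at boot"; return 0
    elif [ "$runtime" = enforcing ]; then
        echo "drift: enforcing now, but config says $configured (mode will change at reboot)"; return 1
    elif [ "$configured" = enforcing ]; then
        echo "drift: $runtime now, config says enforcing (setenforce 0 left in place?)"; return 1
    else
        echo "weak: $runtime now, $configured at boot"; return 1
    fi
}

# Constructed stand-in for /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX=enforcing
SELINUX=permissive
SELINUXTYPE=targeted'

if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    # Live host: a real check script would exit with this status.
    mode_drift "$(getenforce)" "$(config_mode < /etc/selinux/config)"
else
    # Offline demonstration: pretend getenforce said Enforcing while the
    # sample config would boot permissive. The status is ignored here so the
    # demo does not abort; a real check would propagate it.
    mode_drift Enforcing "$(printf '%s\n' "$SAMPLE_CONFIG" | config_mode)" || true
fi
```

Run it from cron or a configuration-management check; a "drift" line is the signal that someone ran setenforce 0 to debug a problem and never restored the mode, or edited the config without rebooting.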

Auditing and Logging

  1. Logging:
    • Un-Enabled Linux: Standard system logs for tracking events; a permission denial is not recorded anywhere unless the application logs it.
    • SELinux Enabled: Every policy violation is recorded as an AVC (access vector cache) message in the audit log (/var/log/audit/audit.log when auditd is running; otherwise in the kernel log, visible with journalctl -k or dmesg). Each record names the process, its source context, the target object and its context, the object class and the permission that was denied, which lets administrators decide between relabeling, flipping a boolean and writing a policy module. ausearch -m AVC, audit2why and sealert (from setroubleshoot) read these records. Two caveats: the policy's dontaudit rules silence some denials, so a silent failure may need semodule -DB (and semodule -B afterwards) to become visible, and audit2allow will just as happily generate an allow rule for an attacker's actions as for a legitimate one, so its output must be reviewed before loading.
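The script below is an added example, not part of the wiki page. It summarises AVC denials the way a first triage pass would: group them by source domain, object class, permission and target type, most frequent first, so that a relabeling problem (many denials on one wrong file type) stands out from a missing boolean (a network denial on a port type). The sample audit records are constructed; their pids, inode numbers and timestamps are made up, but the field layout matches the kernel's AVC output. On a live host as root it reads today's denials with ausearch instead.

```shell
#!/bin/sh
# Added example (not from the wiki): triage AVC denials from audit.log lines.

# Constructed sample records standing in for /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="uploaded.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="logo.png" dev="dm-0" ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.789:458): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

# Read audit records from stdin, keep AVC denials only, and print
# "<count> <source type> <class> <permission(s)> <target type>" lines,
# highest count first. Only the type field of each context is used, as
# that is what targeted-policy rules key on.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions appear as "{ read }" or "{ read open }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        n[src " " cls " " perm " " tgt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

if command -v ausearch >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # Live host: ausearch understands -ts today / recent / yesterday.
    ausearch -m AVC -ts today 2>/dev/null | avc_summary
else
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
fi
```

On the sample this prints "2 httpd_t file read user_home_t" above "1 httpd_t tcp_socket name_connect mysqld_port_t". The first line is a labeling problem (web content carrying a home-directory type; fix with restorecon, not a policy change), the second is the kind of denial a boolean usually covers (getsebool -a | grep httpd lists the candidates) before a custom module is considered.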

Practical Impact

  1. System Performance:
    • Un-Enabled Linux: Typically has lower overhead since SELinux policy enforcement is not active.
    • SELinux Enabled: May introduce some performance overhead due to the additional checks performed by the SELinux policy enforcement, but this is generally minimal on modern hardware.

Use Cases

  1. Security-Intensive Environments:
    • Un-Enabled Linux: Suitable for environments where basic security measures are sufficient and every process is trusted with the full permissions of the user it runs as.
    • SELinux Enabled: Essential for environments requiring high security, such as government, financial institutions, and other sensitive operations, and in practice the default on Fedora, RHEL and their derivatives; Android also ships with SELinux enforcing to confine apps and system services. Any host exposing network services benefits, since the services are the processes most likely to be compromised and SELinux limits what a compromised service can reach.

In summary, SELinux significantly enhances the security of a Linux system by enforcing strict access controls and policies, thus providing better protection against unauthorized access and potential security breaches. However, it also requires careful configuration and management to balance security and functionality.