Security-Enhanced Linux (SELinux) - (1)



What is SELinux

SELinux (Security-Enhanced Linux) is a kernel-level security mechanism.
Its main purpose is to protect user data.

There are two main types of access control:
  1. DAC - Discretionary Access Control
  2. MAC - Mandatory Access Control
In a real production environment we need to control access: we define a scope for each user, that is, what they can and cannot access. The two models, DAC and MAC, differ in how they grant access to users.

DAC - Discretionary Access Control

It provides access control based on user identity. For example, for a particular file there is a set of users who can access it: permissions for reading, writing and executing are given to the owner, the group and others. The sysadmin is involved at every step.
In DAC we use ACLs (Access Control Lists), file permissions and special permissions.
The owner of a file can pass its information on to others, so DAC alone is not secure.
After we create a file, the system allocates permissions to it based on the umask.
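To make the umask point concrete, here is an added example (not part of the original post) that computes the mode a new file (base 666) or directory (base 777) should get under a given umask, creates both under a throw-away directory, and compares the computed value with what the kernel actually assigned. It assumes a Linux system with GNU or BusyBox `stat -c`.

```sh
# Added example (not from the post): what DAC gives a new file or directory
# once the umask is applied. Base permissions are 666 for files and 777 for
# directories; the umask bits are cleared from that base.

# Print the expected octal mode for a given umask and base (666 or 777).
expected_mode() {
    umask_val=$1
    base=$2
    printf '%03o\n' $(( 0$base & ~0$umask_val ))
}

# Create a file and a directory under a temporary directory with the given
# umask and print the modes the kernel actually assigned (needs stat -c).
umask_demo() {
    tmp=$(mktemp -d)
    (
        cd "$tmp" || exit 1
        umask "$1"
        touch newfile
        mkdir newdir
        printf 'file=%s dir=%s\n' "$(stat -c %a newfile)" "$(stat -c %a newdir)"
    )
    rm -rf "$tmp"
}

# Compare the computed expectation with what the system did.
umask_check() {
    want="file=$(expected_mode "$1" 666) dir=$(expected_mode "$1" 777)"
    got=$(umask_demo "$1")
    if [ "$want" = "$got" ]; then
        echo "ok $got"
    else
        echo "mismatch want: $want got: $got"
        return 1
    fi
}

umask_check 022   # typical default: file=644 dir=755
umask_check 077   # private: file=600 dir=700
```

A umask of 077 is the usual choice when a service account must not leave anything group- or world-readable by default; the check function shows immediately whether the running shell honours it.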

MAC - Mandatory Access Control

When we are dealing with a large number of users, MAC makes our life much easier, because MAC provides access control using levels: a user can access all the resources within his level.
SELinux is a MAC implementation.
It provides kernel-level security.
There are three (3) modes in SELinux:
  1. Enforced
  2. Permissive
  3. Disabled

Use the sestatus command to see the current SELinux mode.
The output shows SELinux status: enabled and Current mode: enforcing, so the system is in enforced mode.
Let's see what the three modes are.

Enforced Mode

It controls access using the SELinux policy rules, and each event is also logged in the audit log.
The log file is /var/log/audit/audit.log

Permissive Mode

It only monitors: access is allowed, but the event is logged in the audit log.
The log file is /var/log/audit/audit.log

Disabled Mode

SELinux is disabled; no SELinux policy is applied, so anyone can access.

How does it work?

How to Change SELinux mode?

We have three options/modes: permissive, enforced and disabled.
Open /etc/sysconfig/selinux in the vim text editor.
There is a line SELINUX=enforcing
This means SELinux is currently in enforcing mode. To change it to permissive mode, edit the line to
SELINUX=permissive, then press ESC and type :wq to write and exit.
After that we have to reboot the system; only then will the change apply.
Then type sestatus to check the status.

Always use the /etc/sysconfig/selinux path.

A real-world example:
A user says that he/she cannot access the home directory. What can we do about it?
  1. Check the current SELinux status using sestatus.
  2. If it is in enforced mode, change it to permissive mode.
  3. If that does not work, the problem should be in the SELinux policy, so we need to check it.
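Step 3 in practice means reading the audit log for AVC denial records. The following added example (not from the original post) pulls the denials out of an audit log and prints the permission, process, target class and target context for each, which is what you need to decide whether the policy or a file label is at fault. Real records live in /var/log/audit/audit.log; the sample log below is constructed to resemble two denials against a user's home directory plus unrelated records, and the field layout follows the standard AVC message format.

```sh
# Added example (not from the post): pick the AVC denial records out of an
# audit log, as you would after switching to permissive mode to find out what
# the policy is blocking. Real logs live in /var/log/audit/audit.log; the
# sample below is constructed.

# Write a constructed sample audit log to a temp file and print its path.
sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1700000000.100:101): avc:  denied  { read } for  pid=1234 comm="bash" name="alice" dev="dm-0" ino=100 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000000.200:102): avc:  denied  { read open } for  pid=1235 comm="cat" name=".bashrc" dev="dm-0" ino=101 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.300:103): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
    echo "$f"
}

# One line per denial: permissions (comma-separated), process, tclass, tcontext.
avc_denials() {
    grep 'avc:[[:space:]]*denied' "$1" | awk '{
        perms = ""; comm = ""; tclass = ""; tcontext = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            }
            if (index($i, "comm=") == 1) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if (index($i, "tclass=") == 1) tclass = substr($i, 8)
            if (index($i, "tcontext=") == 1) tcontext = substr($i, 10)
        }
        print perms, comm, tclass, tcontext
    }'
}

# Number of denial records in the file.
avc_denial_count() {
    avc_denials "$1" | wc -l | tr -d ' '
}

log=$(sample_audit_log)
avc_denials "$log"
echo "denials: $(avc_denial_count "$log")"
rm -f "$log"
```

In the sample, both denials have a target context of default_t on a home-directory object, which on a real system points at a mislabelled directory rather than a policy bug; the granted record is skipped because only denials matter for troubleshooting.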

Switching between enforced mode and permissive mode

Use setenforce [0 or 1]
You have to use either 1 or 0: 1 enables enforced mode and 0 switches to permissive mode.
For example, if your current mode is permissive and you need to switch to enforced mode:
setenforce 1
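The two ways of changing the mode described above (editing SELINUX= in /etc/sysconfig/selinux for the boot-time setting, and setenforce for the running system) are put together in this added example, which is not from the original post. It rewrites the SELINUX= line without opening an editor, refuses values SELinux does not accept, keeps a backup, and verifies the result. The default path is the one the post uses; a different path can be passed, and the constructed sample config lets it run without root.

```sh
# Added example (not from the post): change the persistent SELinux mode in the
# config file without opening an editor, with the runtime switch next to it.
# Default path is the one the post uses, /etc/sysconfig/selinux; another path
# can be passed so this runs against a constructed copy.

# Print the current SELINUX= value (comment lines starting with # are ignored).
selinux_config_get() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/sysconfig/selinux}"
}

# Rewrite the SELINUX= line. $1 = enforcing|permissive|disabled, $2 = file.
# Keeps a .bak copy and refuses values SELinux would not accept.
selinux_config_set() {
    mode=$1
    file=${2:-/etc/sysconfig/selinux}
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode '$mode': use enforcing, permissive or disabled" >&2
           return 1 ;;
    esac
    cp "$file" "$file.bak" || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file" || return 1
    # Verify there really was a SELINUX= line to rewrite.
    [ "$(selinux_config_get "$file")" = "$mode" ] || {
        echo "no SELINUX= line found in $file" >&2
        return 1
    }
    echo "SELINUX=$mode written to $file (applies after reboot)"
}

# Runtime switch (root only), matching setenforce 1 / setenforce 0 from the post.
# It takes effect at once but is lost on reboot; the config file decides boot mode.
selinux_runtime_set() {
    case $1 in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        *) echo "use enforcing or permissive" >&2; return 1 ;;
    esac
}

# Constructed copy of a typical config file, so this runs without root.
sample_selinux_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected.
SELINUXTYPE=targeted
EOF
    echo "$f"
}

cfg=$(sample_selinux_config)
echo "before: $(selinux_config_get "$cfg")"
selinux_config_set permissive "$cfg"
echo "after:  $(selinux_config_get "$cfg")"
rm -f "$cfg" "$cfg.bak"
```

Note the difference between the two functions: setenforce only changes the running kernel and does not survive a reboot, while the SELINUX= line only takes effect at the next boot, so after troubleshooting both have to agree or the system will come back in a different mode than the one you tested.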