SELinux (Security-Enhanced Linux)
SELinux, or Security-Enhanced Linux, is a part of the Linux security kernel that acts as a protective agent on servers. In the Linux kernel, SELinux relies on mandatory access controls (MAC) that restrict users to rules and policies set by the system administrator. MAC is a higher level of access control than the standard discretionary access control (DAC), and prevents security breaches in the system by only processing necessary files that the administrator pre-approves.
SELinux was initially released as a collaborative between Red Hat and the National Security Agency. SELinux receives periodic updates and additions as new Linux distributions are released. The SELinux kernel separates policy and decisions inside the kernel to distribute levels of protection and prevent a total security breach.
SELinux acts under the least-privilege model. SELinux only grants access if the administrator writes a specific policy to do so.
There are three modes of SELinux: Enforcing, Permissive and Disabled.
- Enforcing mode is the default mode at installation of SELinux. It will enforce the policies on the system, deny access and log actions.
- Permissive mode is the most commonly used mode for troubleshooting SELinux. In this mode, SELinux enables but does not enforce security policies. Also, this means that actions will result in a warning and log for the system administrator.
- Disabled mode means that SELinux is turned off and the security policies do not protect the server.
App Armor vs. SELinux
SELinux's main competitor, AppArmor, is available on SUSE Linux Enterprise Server, openSUSE and other platforms. While SELinux uses the type enforcement system to provide security on the servers, AppArmor does not assign types and instead uses configuration files to grant, restrict and deny access.
SELinux in RHEL 7.3
In Red Hat Enteprise Linux (RHEL) 7.3, Red Hat significantly improved SELinux through enhanced administrator policy control. Admins can now create a custom module with a higher priority than the original system module. This new feature allows IT to override the system module and place customizable features that take precedence on the server.