SELinux FAQ

= Frequently Asked Questions =

What is SELinux?
SE(Security Enhanced) Linux is a security feature in the Linux kernel and enabled by default in Fedora that provides more fine grained access control compared to traditional file permissions. A centralized policy determines which software can access what resources. For example, network services can be confined to a particular port and Apache web server can be restricted to be able to connect to only 80 by default.

Where can I go to provide feedback or ask for help?
You can provide feedback via http://bugzilla.redhat.com for bugs and issues and ask for help and clarify doubts in fedora-selinux mailing list at https://lists.fedoraproject.org/mailman/listinfo/selinux

Who developed SELinux?
NSA (National Security Agency) developed SELinux initially. It has partnered with Red Hat to continue development and carry out integration of SELinux into Fedora and Red Hat Enterprise Linux. It is not specific to Red Hat however and other Linux distributions and other operating systems have adopted SELinux and similar frameworks.

Is it a firewall?
Though often confused with one, SELinux is not a firewall. A firewall controls the flow of traffic to and from a computer to the network. SELinux can confine access of programs within a computer and hence can be conceptually thought of a internal firewall between programs. Security works best when multiple layers are used and SELinux is complimentary to a firewall and other security features used in Fedora.

Is it useful on a desktop?
Yes. SELinux policies in Fedora were initially focused on network facing services. However several dozens of desktop software including Firefox, HAL, D-Bus etc are protected by default using SELinux policies in current releases of Fedora.

How do I find out if SELinux is enabled on my system?
Run the sestatus command to find out the current status of SELinux. SELinux can be in three different modes


 * Enabled: SELinux is enabled and SELinux policy is enforced
 * Disabled: SELinux is disabled and has no effect on your system
 * Permissive: SELinux is enabled but but merely logs warnings instead of enforcing access. This mode is useful for troubleshooting.

How do I find out whether SELinux is denying access for any software?
When SELinux prevents any software from accessing a particular resource, for example when Firefox is denied access to /etc/shadow, it generates a message and logs it in /var/log/audit/audit.log or /var/log/messages if audit service is disabled. If the log contains "avc:denied" that means it is a SELinux policy denial. Note that you would need administrator privileges (root access) on your system to be able to read this log file. An example denial would look like

type=AVC msg=audit(1214965667.121:635): avc: denied  { unix_read unix_write } for  pid=15524 comm="npviewer.bin" key=59918130 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s

How do I understand SELinux denials?
setroubleshoot is a utility that parses the messages from SELinux and provides comprehensive help on what it means and possible actions to take. It has both a graphical utility for your desktop and a server side component that can send email alerts. It is installed by default on Fedora. If you wish to install it on your system, use Add/Remove programs or run the following command as root user.

yum install setroubleshoot

How do I enable or disable SELinux ?
SELinux is enabled by default in Fedora. SELinux policy has booleans that can be used to disable SELinux for specific services or you can disable SELinux entirely. If you want to disable SELinux entirely, you can use system-config-selinux (part of policycoreutils-gui package) to do this graphically or set the value of SELINUX in /etc/selinux/config to disabled. However it is highly recommended that you set it to permissive instead since it will show you the denials and setting it to permissive does not requiring relabeling the entire system when you enable it again. You can pass selinux=0 in the installation boot prompt to disable SELinux during installation or refer to kickstart documentation for automated installations.

What are SELinux booleans ?
SELinux booleans enable runtime customization of the SELinux policy. SELinux policy in Fedora has several booleans that allow you to quickly toggle a particular change in the policy. For example, httpd_enable_cgi allows the httpd (Apache) web server to run cgi scripts if it is enabled. system-config-selinux offers a graphical utility to manage SELinux booleans. You can get a comprehensive list of SELinux booleans in the current policy using the getsebool -a command. You can also change the value of a boolean at runtime using the setsebool or togglesebool command. Inorder for the change in booleans to be permanent instead of for just the current session, you need to pass -P paramater while setting the value of a boolean, for example, running the following command as root user will disable the ability for httpd web server to run cgi scripts.

setsebool -P httpd_enable_cgi=0

What is mandatory access control ?
SELinux (Security-Enhanced Linux) in Fedora is an implementation of mandatory access control in the Linux kernel using the Linux Security Modules (LSM) framework. Discretionary access control (DAC) is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own. Mandatory access control (MAC) provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user.

In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user and program run by that user has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is setuid or setgid to root, the process can have root level control over the entire file system.

A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of SELinux through the kernel. Third, decisions are based on all the security relevant information available, and not just authenticated user identity.

MAC under SELinux allows you to provide granular permissions for all subjects (users, programs, processes) and objects (files, devices). In practice, think of subjects as processes, and objects as the target of a process operation. You can safely grant a process only the permissions it needs to perform its function, and no more.

The SELinux implementation uses role-based access control (RBAC), which provides abstracted user-level control based on roles, and Type Enforcement® (TE). TE uses a table, or matrix to handle access controls, enforcing policy rules based on the types of processes and objects. Process types are called domains, and a cross-reference on the matrix of the process's domain and the object's type defines their interaction. This system provides extremely granular control for actors in a Linux system.

How can I back up files from an SELinux file system?
Use the star utility, which supports the extended attributes that store the security context labels. Specify the -xattr and -H=exustar options when creating archives.

ls -Z /var/log/maillog -rw--- root   root    system_u:object_r:var_log_t   /var/log/maillog cd /var/log star -xattr -H=exustar -c -f maillog.star ./maillog*

Absolute paths can overwrite existing data

If you use an absolute path, such as /var/log/maillog, when you unpack the archive with star -c -f, the files are restored on the same path they were archived with. The maillog file attempts to write to /var/log/maillog. You should received a warning from star if the files about to be overwritten have a later date, but you cannot rely on this behavior.

Consider carefully how you construct your archiving argument.

What is the performance impact of SELinux?
This is a variable that is hard to measure, and is heavily dependent on the tuning and usage of the system running SELinux. For desktop usage, there should be no measurable impact. If you are interested in doing more precise benchmarks, post to fedora-selinux list.

Which Linux distributions have adopted SELinux?
Fedora and Fedora derived distributions such as Red Hat Enterprise Linux have been leading the effort. However several other Linux distirbutions such as Debian, Gentoo, Ubuntu etc have adopted SELinux too. A comprehensive list is available at http://selinux.sf.net

What about other operating systems?
SELinux is based on the flask security model which has been adopted by other operating systems such as FreeBSD and OpenSolaris


 * http://www.trustedbsd.org/sebsd.html
 * http://www.sedarwin.org/
 * http://www.opensolaris.org/os/project/fmac/

Where can I find more information?

 * http://fedoraproject.org/wiki/SELinux has links to more documentation and other references.
 * http://www.coker.com.au/selinux/play.html for an effective SE Linux machine to play and learn from.