ServersTip of the Trade: SELinux

Tip of the Trade: SELinux

Carla Schroder
By Carla Schroder
Servers

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.




SELinux (Security Enhanced Linux) offers a more restrictive access control mechanism than normal Unix permissions. The Unix way is called Discretionary Access Control (DAC). File owners, even unprivileged users, have enough control over the files they own to grant unsafe permissions, such as making them world-executable or writable. The superuser has no restrictions at all, which is why privilege escalation is the primary goal of an intruder.

SELinux makes it easy to prevent privilege escalation, and it’s not as difficult to use as you probably think.

Discuss this article in the ServerWatch discussion forum

Need a Definition?

SELinux uses Mandatory Access Controls. Users cannot override these, so it places a great big roadblock in the path of privilege escalation. This makes it a great security tool for servers that face untrusted networks, and perhaps for locking down corporate desktop installations, to prevent user mischiefs.

While this all sounds wonderful, SELinux has acquired the reputation of being too difficult for all but the most security-conscious server administrators. Thus, rather than resolving problems with using it, admins turn it off. Any security device, no matter how wonderful, is no stronger than the person using it. If that person doesn’t understand how to make it work correctly, it’s not a good security device for them. But is SELinux really so hard? Let’s take a look.

Most Linux distributions now offer SELinux-enabled kernels. Red Hat Linux and Fedora Linux have led the way with SELinux; it’s included in the default installation, and the user is presented with options to enable or disable it during installation. Red Hat put a lot of work into designing a default policy that protects all kinds of services and applications, so much of the complexity is already handled. Both Red Hat and Fedora also include some nice management utilities, making SELinux even easier to use. You don’t need to be a super-guru to set up a workable SELinux policy, just an ordinary, diligent server administrator unafraid to read a bit of documentation.

A great way to get started understanding SELinux is to set up the latest release of Fedora Linux on a test system. Fedora includes many nice management tools. Be sure to study the documentation as well: the SELinux FAQ and the SELinux Wiki.

Get the Free Newsletter!
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

Latest Posts

Related Stories

ServerWatch is an established resource for technology buyers looking to increase or improve their data center infrastructure. ServerWatch’s reviews, comparisons, tutorials, and guides help readers make informed purchase decisions around the hardware, software, security, management, and monitoring tools they use to innovate for employees and customers.

Advertisers

Advertise with TechnologyAdvice on ServerWatch and our other data and technology-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2023 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.