Hands on SELinux

SELinux was such a burden for me years ago (and still is sometimes 🙂). The first time I worked as a sysadmin, I had to deploy an Apache server with its DocumentRoot mounted on an NFS partition. I spent 2 days wondering and searching why in hell my Apache couldn’t access its html directory. You feel pretty stupid when you find out that there is something called SELinux, turned on by default, that restricts access by Apache processes to your NFS partition!

SELinux is a wonderful tool for hardening your system, and it can just as easily throw your system into chaos if you mess with it xD xD xD.

What is SELinux?

SELinux is a built-in kernel security module that enforces a set of policy rules deciding who/what has the right to access what. This works through labeling: every file on the system (and every process) carries a security label, and each access decision is the result of combining the labels involved with the rules of the loaded policy.

It controls access to files and other objects far more finely than the classic permission bits and ACLs do. But those classic checks come first: owner/group/other read-write-execute bits and ACLs (the DAC layer) are evaluated before SELinux rules, so SELinux rules only come into play once DAC has already allowed access to the object.
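When DAC allows an access and SELinux denies it, the kernel logs an AVC denial to /var/log/audit/audit.log, and reading that record is how you find out what is really going on (it would have saved me those two days). As an added example, not from the original post, here is a small POSIX shell script that parses such a record into a readable "source type -> target type:class permission" summary and prints a hint about what to check next. The record is constructed to match the Apache-on-NFS situation above; the function names and the hint logic are my own, and the commands named in the hints (getsebool, setsebool, ls -Z, restorecon, ausearch, audit2allow) are the standard SELinux userland tools.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial record and explain it.
# The sample record below is constructed (not captured from a real host)
# to resemble what httpd reading an NFS-mounted DocumentRoot produces.
SAMPLE_AVC='type=AVC msg=audit(1300000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=0:18 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field RECORD KEY -> value of the first "KEY=value" token in RECORD
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# avc_type CONTEXT -> the type component (user:role:TYPE:level) of a context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission RECORD -> the permission(s) listed between the braces
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# avc_summary RECORD -> "source_type -> target_type:class permission"
avc_summary() {
    s=$(avc_type "$(avc_field "$1" scontext)")
    t=$(avc_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_permission "$1")
    printf '%s -> %s:%s %s\n' "$s" "$t" "$c" "$p"
}

# avc_hint RECORD -> what to check next. Only the httpd cases from the
# post get a specific hint; anything else gets the generic workflow.
avc_hint() {
    s=$(avc_type "$(avc_field "$1" scontext)")
    t=$(avc_type "$(avc_field "$1" tcontext)")
    case "$s:$t" in
        httpd_t:nfs_t)
            echo "httpd touching NFS content: check 'getsebool httpd_use_nfs'; 'setsebool -P httpd_use_nfs on' permits it" ;;
        httpd_t:*)
            echo "httpd denied on type $t: check the label with 'ls -Z', relabel with 'restorecon -Rv <path>', or review httpd booleans with 'getsebool -a | grep httpd'" ;;
        *)
            echo "review recent denials with 'ausearch -m AVC -ts recent' and explain them with 'audit2allow -w -a'" ;;
    esac
}

# Stand-alone run: summarise and explain the constructed record.
avc_summary "$SAMPLE_AVC"
avc_hint "$SAMPLE_AVC"
```

Feed it a real record (a line copied from audit.log or from `ausearch -m AVC`) in place of SAMPLE_AVC to get the same breakdown; the source type, target type and object class are exactly the three things a policy rule (or boolean) has to allow for the access to succeed.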

What do you need to know about SELinux?

Assuming your kernel is compiled with SELinux and your system is installed with SELinux support, here are some basics to help you get familiar with it (I’m using CentOS 6).
