Please enable JavaScript.
Coggle requires JavaScript to display documents.
🔐 13 SELinux (Security-Enhanced Linux) Enterprise Master Map - Coggle…
🔐 13 SELinux (Security-Enhanced Linux) Enterprise Master Map
SELinux (Security-Enhanced Linux) Introduction
1.1 Full Form
SELinux = Security-Enhanced Linux
1.2 What is SELinux?
SELinux is a Linux security mechanism that provides Mandatory Access Control (MAC)
Mandatory Access Control (MAC)
A security model where the operating system decides access permissions
Users cannot override security decisions
Traditional Linux Security Model
Called Discretionary Access Control (DAC)
DAC = Discretionary Access Control
Based on:
User ownership
Group ownership
File permissions
Example:
ls -l /etc/passwd
Output:
-rw-r--r-- root root /etc/passwd
Owner permissions
Group permissions
Other user permissions
SELinux adds another security layer above normal Linux permissions
Why SELinux Exists
2.1 Problem Without SELinux
Traditional Linux permissions:
root user has unlimited access
If attacker compromises:
Apache Web Server
Nginx Web Server
Database Server
Attacker may access:
System files
User data
Configuration files
2.2 SELinux Security Goal
Limit damage after compromise
Example:
Apache vulnerability discovered
Attacker controls Apache process
Without SELinux:
Apache can read:
/etc/passwd
Application secrets
Database files
With SELinux:
Apache allowed only:
Web directories
Required ports
Required files
Everything else blocked
SELinux Internal Architecture
3.1 Linux Security Components
Linux Kernel
Kernel
Core part of Linux operating system
SELinux is integrated inside Linux Kernel
3.2 Security Server
SELinux Security Server
Component inside kernel
Makes access decisions
3.3 Access Vector Cache (AVC)
AVC = Access Vector Cache
Purpose:
Stores previous SELinux decisions
Improves performance
Example:
Apache requests file access
SELinux checks policy
Decision stored in AVC
3.4 Linux Security Module (LSM)
LSM = Linux Security Module
Framework inside Linux kernel
Allows security systems:
SELinux
AppArmor
to control access
SELinux Security Concepts
4.1 Subject
Subject means:
Process requesting access
Examples:
Apache process
SSH service
Docker container
4.2 Object
Object means:
Resource being accessed
Examples:
File
Directory
Network port
Device
4.3 Policy
Policy defines:
Who can access what
Example:
Apache can read website files
Apache cannot read private files
4.4 Context
SELinux Context
Security label attached to:
Files
Processes
Ports
Example:
ls -Z /var/www/html
Output:
system_u:object_r:httpd_sys_content_t:s0 index.html
SELinux Context Explained
Format:
user:role:type:level
Example:
system_u:object_r:httpd_sys_content_t:s0
5.1 SELinux User
system_u
Defines SELinux user identity
5.2 SELinux Role
object_r
Defines role
5.3 SELinux Type
httpd_sys_content_t
Most important part
Called:
Type Enforcement
5.4 Security Level
s0
Used by:
Multi-Level Security (MLS)
MLS = Multi-Level Security
SELinux Modes
6.1 Enforcing Mode
SELinux actively blocks unauthorized access
Check:
getenforce
Output:
Enforcing
6.2 Permissive Mode
SELinux allows access
Logs violations only
Command:
setenforce 0
6.3 Disabled Mode
SELinux completely turned off
Configuration:
/etc/selinux/config
SELinux Configuration Files
7.1 Main Configuration
/etc/selinux/config
Example:
SELINUX=enforcing
SELINUXTYPE=targeted
7.2 SELinux Policy Location
/etc/selinux/
Contains:
Policy files
Configuration
7.3 SELinux Database
/etc/selinux/targeted/
Contains:
Active SELinux policy
SELinux Policies
8.1 Targeted Policy
Most common enterprise policy
Protects:
Network services
Examples:
Apache
SSH
DNS
Database
8.2 MLS Policy
Multi-Level Security policy
Used in:
Military environments
Government systems
8.3 Minimum Policy
Small policy for limited systems
SELinux Commands
9.1 Check SELinux Status
sestatus
Shows:
SELinux status
Mode
Policy type
9.2 Check Current Mode
getenforce
9.3 Change Mode Temporarily
setenforce 1
Enable enforcing
setenforce 0
Enable permissive
9.4 View SELinux Context
ls -Z
Example:
ls -Z /var/www/html
9.5 Change File Context
chcon
Example:
chcon -t httpd_sys_content_t index.html
9.6 Restore Default Context
restorecon
Example:
restorecon -Rv /var/www/html
9.7 Manage SELinux Rules
semanage
Example:
semanage port -l
9.8 View SELinux Logs
ausearch
Example:
ausearch -m AVC
AVC
Access Vector Cache denial message
9.9 Generate Policy
audit2allow
Example:
ausearch -m AVC | audit2allow -M custom_policy
SELinux File Paths Enterprise
10.1 Apache
Website files:
/var/www/html/
Configuration:
/etc/httpd/
Logs:
/var/log/httpd/
SELinux type:
httpd_sys_content_t
10.2 Docker
Docker directory:
/var/lib/docker/
Contains:
Images
Containers
Volumes
Docker daemon configuration:
/etc/docker/daemon.json
Docker socket:
/run/docker.sock
Socket purpose:
Communication between:
Docker client
Docker daemon
10.3 SSH
Configuration:
/etc/ssh/
Logs:
/var/log/secure
SELinux and Docker Enterprise
Docker Problem:
Container escape risk
SELinux Protection:
Container process receives label
Example:
container_t
Prevents:
Access host filesystem
Unauthorized device access
Check Docker SELinux labels:
ps -eZ
SELinux Enterprise Scenarios
Scenario 1:
Apache hacked
Without SELinux:
Attacker reads database password
With SELinux:
Apache restricted
Scenario 2:
Docker container compromise
SELinux prevents:
Host access
Scenario 3:
Database security
MariaDB only accesses:
Database directories
Troubleshooting SELinux
Problem:
Apache gives Permission Denied
Step 1:
Check logs
ausearch -m AVC
Step 2:
Check context
ls -Z /var/www/html
Step 3:
Restore context
restorecon -Rv /var/www/html
Step 4:
Check boolean
getsebool -a
Step 5:
Enable required permission
setsebool -P httpd_can_network_connect on
SELinux Booleans
Boolean
Switch to enable or disable security features
View:
getsebool -a
Example:
Allow Apache network connection:
setsebool -P httpd_can_network_connect on
Enterprise Security Best Practices
Never disable SELinux in production
Keep:
SELINUX=enforcing
Use:
restorecon
Use:
semanage
Monitor:
AVC logs
Create custom policies carefully
Follow least privilege principle
Interview Questions
Q1:
What is SELinux?
Answer:
Security-Enhanced Linux provides Mandatory Access Control inside Linux kernel.
Q2:
Difference between DAC and MAC?
DAC:
User controls permissions
MAC:
System controls permissions
Q3:
What are SELinux contexts?
Answer:
Security labels assigned to files, processes and ports.
Q4:
What is enforcing mode?
Answer:
SELinux blocks unauthorized actions.
Q5:
How to troubleshoot SELinux denial?
Answer:
Check AVC logs using ausearch and restore correct contexts.
Q6:
What is audit2allow?
Answer:
Tool to generate SELinux policy rules from denied actions.
Production Administrator Workflow
New Application Deployment
Step 1:
Install application
Step 2:
Check SELinux denial
Step 3:
Assign correct context
Step 4:
Configure boolean
Step 5:
Test application
Step 6:
Monitor audit logs
Final Enterprise Understanding
Normal Linux Permission:
User + Group + Others
SELinux:
User + Role + Type + Policy
Security Layers:
File Permission
+
Firewall
+
SELinux
+
Application Security
Result:
Defense in Depth Security Architecture