SELinux in Ubuntu

SELinux is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. SELinux can be enabled in Ubuntu by installing the “selinux” meta-package, which will make the needed changes to the system, and install the Tresys policies for Ubuntu:

sudo apt-get install selinux

After installation, you will be prompted to reboot the system to label and activate SELinux.
When using SELinux, files, including directories and devices, are referred to as objects. Processes, such as a user running a command or the Mozilla® Firefox® application, are referred to as subjects.

The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:

$ ls -Z file1
-rw-rw-r–. user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. It is important to remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.