Getting started with SE Linux

What is SE Linux


Simply put, SELinux is a security layer that sits between the user and the Linux kernel. As an example, suppose you are going to access a web site that runs on an SELinux-enabled server. First you need a web browser; you type the URL into the address bar, the browser looks the name up in DNS, and finally it finds the server's IP address. Once your request arrives at the server, the server starts a process for you with a unique id, and now you have some kind of connection to the server. From this step onward the server deals with your request. Without SELinux the process runs in DAC (Discretionary Access Control) mode only. This means the user has the normal Linux file permissions; in other words, the user (who sent the request) is effectively logged in as apache (the default user for the Apache server). This is not too bad, because we can restrict that user from editing files on the server, but in most cases that is not possible: we need to write logs, accept uploaded files and much more, so on a typical web server the user apache has full permission to the server root. What if someone uploads a script to your server? With SELinux we can overcome these kinds of risks.
With SELinux your request does not pass straight through the server as it does on normal Linux. First the DAC check is made; then the request is passed to the MAC (Mandatory Access Control) layer. On the MAC layer a context is created for it according to predefined policies, and from then on we have full control over the request (process).

SELinux Context

SELinux labels all of its subjects and objects with a context. SELinux rules may be written that determine which context an object receives at creation. Additionally, rules may be written that determine which operations a user may perform on an object, given the context of the subject and the context of the object. The RBAC features of SELinux determine which contexts a given subject may acquire.

The SELinux context consists of four components:
  • SELinux User: assigned to a Linux user upon login; bounds the user's set of available roles; never changes during a user's session; useful for auditing.
  • Role: bounds a set of possible types; determines which role transitions may occur.
  • Type: used to perform access checks based upon the subject type, object type, object class, and the operation being performed; used to write explicit access control rules.
  • MLS/MCS Level Range: level consists of a sensitivity and group of categories; used to perform MLS access control checks.
The following diagram shows the structure of a typical SELinux context and gives further information about the characteristics of each component.
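As an added example (not part of the original post), the following POSIX shell script takes context strings of the form user:role:type:level described above, splits them into the four components, and classifies the type field the way the web-server scenario earlier in the post would need it: can the apache process only read this file, or also write or execute it? The sample contexts are constructed; the type names httpd_sys_content_t, httpd_sys_rw_content_t and httpd_sys_script_exec_t are real types from the targeted policy, but the classification table is this example's own simplification. No SELinux-enabled host is needed to run it.

```shell
#!/bin/sh
# Added example, not the original post's code: parse SELinux context strings
# and classify httpd content types. Sample contexts below are constructed.

# selinux_field CONTEXT N -> prints component N
#   1 = SELinux user, 2 = role, 3 = type, 4 = MLS/MCS level range.
# The level range may itself contain ':' (e.g. s0-s0:c0.c1023), so we split on
# the first three colons only and keep whatever remains as the level.
selinux_field() {
    ctx=$1
    s_user=${ctx%%:*};  rest=${ctx#*:}
    s_role=${rest%%:*}; rest=${rest#*:}
    s_type=${rest%%:*}; rest=${rest#*:}
    # With no fourth field the '#*:' strip is a no-op and rest still equals
    # the type, which we treat as "no level present" (non-MLS host).
    if [ "$rest" = "$s_type" ]; then s_level=""; else s_level=$rest; fi
    case $2 in
        1) printf '%s\n' "$s_user" ;;
        2) printf '%s\n' "$s_role" ;;
        3) printf '%s\n' "$s_type" ;;
        4) printf '%s\n' "$s_level" ;;
        *) return 1 ;;
    esac
}

# web_label_class TYPE -> read-only | writable | executable | other
# A coarse view of what the confined apache process may do with a file that
# carries this type (simplified for the example; the policy has more types).
web_label_class() {
    case $1 in
        httpd_sys_content_t)     echo read-only ;;
        httpd_sys_rw_content_t)  echo writable ;;
        httpd_sys_script_exec_t) echo executable ;;
        *)                       echo other ;;
    esac
}

# On a live host these strings come from `ls -Z`, `ps -eZ` or `id -Z`;
# here they are constructed so the script runs anywhere.
for sample in \
    'system_u:object_r:httpd_sys_content_t:s0' \
    'system_u:object_r:httpd_sys_rw_content_t:s0' \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
do
    t=$(selinux_field "$sample" 3)
    printf '%-52s type=%-24s class=%s\n' "$sample" "$t" "$(web_label_class "$t")"
done

# The kernel exposes the calling process's own context here when SELinux
# is enabled; on other kernels the read fails and we report that instead.
self_ctx=$(cat /proc/self/attr/current 2>/dev/null | tr -d '\0')
printf 'this shell runs as: %s\n' "${self_ctx:-unavailable (SELinux not enabled)}"
```

The interesting edge case is the fourth field: a naive split on every colon would break an MCS range such as s0-s0:c0.c1023 into two pieces, so the parser peels off exactly three fields and keeps the remainder whole.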


Implementations

  1. Red Hat Enterprise Linux (RHEL) version 4 and all future releases.
  2. Corresponding versions of CentOS and Scientific Linux
  3. Also supported on Fedora, Debian and Ubuntu.
