SELinux

From LinuxReviews

SELinux is a Linux security framework popularized by IBM's Red Hat in distributions like RHEL and Fedora. It prevents system daemons from writing to files outside their context, writing to sockets, using network services and doing other things they should not do.

From a novice perspective it's a pain to deal with. From a security perspective and a power-user perspective it's great.

As a very basic example: If you set up Apache on Fedora you can write logs to /var/log/httpd, but if you set it to log to /var/log/www/ it simply won't start because that's not allowed within the default SELinux configuration.

As another simple example: Setting up the Music Player Daemon is straightforward on non-SELinux distributions. Just tell it that a music folder is anywhere and it works. On a SELinux distribution the audio files in the music directory need to have the public_content_rw_t context, or mpd has to be set to permissive[1]. It is not that you can't use mpd on a SELinux distribution; you absolutely can. It's just one of many things which require a few more steps compared to other distributions.
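The two cases above show up as AVC denial records in the audit log. The following is an added example, not part of the original page, that parses such records and groups them by source type, target type, object class and permission. The log lines are constructed, and the type names httpd_t, var_log_t, mpd_t and user_home_t are assumptions about a typical policy.

```python
import re
from collections import Counter

# Constructed audit.log records (not captured from a real system). The types
# httpd_t, var_log_t, mpd_t and user_home_t are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:411): avc:  denied  { write } for  pid=2101 comm="httpd" name="www" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:412): avc:  denied  { write } for  pid=2101 comm="httpd" name="www" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000050.300:420): avc:  denied  { read } for  pid=2250 comm="mpd" name="track01.flac" dev="dm-0" ino=9002 scontext=system_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000050.300:420): arch=c000003e syscall=257 success=yes exit=3 comm="mpd"
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record."""
    m = AVC_RE.search(line) if line.startswith("type=AVC ") else None
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(3)))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # A context reads user:role:type:level; policy rules match on the type.
    return {
        "result": m.group(1),
        "perms": tuple(m.group(2).split()),
        "comm": fields.get("comm", "").strip('"'),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but not blocked,
        # which is what a permissive domain produces.
        "enforced": fields.get("permissive") == "0",
    }

def summarize_denials(log_text):
    """Count denials per (source type, target type, class, perms, enforced)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["source_type"], rec["target_type"], rec["tclass"],
                    rec["perms"], rec["enforced"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (src, tgt, cls, perms, enforced), n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        mode = "blocked" if enforced else "logged only (permissive)"
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} {mode}")
```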

SELinux really is very useful once you learn how to use it and the security it provides. It can also be seen as a huge pain. Do consider that configuring your web server on a SELinux setup is all pain and no benefit until that WordPress worm uses some old exploitable theme you have to install its malware, and at that point you'll be very happy that you spent time hardening httpd. Security measures do have a benefit when you need them.

This page is not (yet) a HOWTO and isn't meant to be; it's just meant to tell you what it is.

notes