{"id":14677,"date":"2020-09-07T07:00:13","date_gmt":"2020-09-07T05:00:13","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/selinux-for-beginners\/"},"modified":"2020-09-07T07:00:13","modified_gmt":"2020-09-07T05:00:13","slug":"selinux-for-beginners","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/selinux-for-beginners\/","title":{"rendered":"SELinux for beginners"},"content":{"rendered":"

Do you know the following situation: You are following a step by step tutorial on the web and on your environment does not work as expected because of SELinux. Your looking on search engines command how you can disable the SELinux\u2026 Does that sound familiar?<\/p>\n

On this Blog I will explain what SELinux are, where and how to use is. Let\u2019s start!<\/p>\n

What is SELinux and why should I not disable it?<\/strong><\/p>\n

SE stands for “S<\/strong>ecurity E<\/strong>nhanced”, which provides administrators strict control over all processes on their system. Processes that are not considered necessary are blocked. Let\u2019s say you have PHP application which is vulnerable by SQL Injection. Now if someone\u2019s find your vulnerability, this person will try to get important files from your server such as the \u2018etc\/passwd\u2019 from the URL. An example SQL Injection attack will look like this: https:\/\/example.com\/file=’..\/..\/..\/..\/etc\/passwd’<\/p>\n

As you know the passwd file includes all users which has access to your server. The attacker will have more information\u2019s to exploit your environment. By activating SELinux, this could not be happened. SELinux will block this because the apache service is not allowed by default to get files from the root folders. It is only allowed read data from \u2018\/var\/www\/html\u2019 and will return the status 403 Forbidden. It makes sense to restrict access rights even if you actually trust the programs. If the application is hijacked by a third party, much less damage can occur. If programs infected by malware can access all processes and files on a system, they will also take advantage of this. SELinux restricts access and thus also the damage radius.<\/p>\n

Summarized<\/strong>: By using SELinux you can define access controls for processes, files and applications. In other words, SELinux is like a watchdog which is watching changes and accesses for every file of your system. Since 2003 its integrated into the Linux upstream kernel.<\/p>\n

How works SELinux?<\/strong><\/p>\n

SELinux works like a Firewall. By default, everything will be blocked. Once you need to allow something, you need to go ahead and configure it. If a service, program, or user then attempts to access or modify a file or resource that is not required for its function, access is denied, and the action is logged.<\/p>\n

Linux uses Discretionary Access Control (DAC) as access control. Users or applications that have the appropriate rights then usually have unrestricted access to the respective files and processes of the operating system. SELinux uses MAC (Mandatory Access Control) as access control. Administrators can precisely define security policies with MAC to define additional attributes under which conditions and in which contexts a rights holder can access certain processes or files of the operating system. If these conditions not match, access will be denied.<\/p>\n

Before we go deeper, we should know that SELinux has three basic modes<\/strong> of operation. By default, it is Enforcing<\/strong> mode:<\/p>\n