Free Essay

Selinux

In: Computers and Technology

Submitted By AtomicZ
Words 283
Pages 2
Operating system security is a major concern in modern times. With so many people owning computers and the majority of devices being connected to each other, it is easy to be skeptical about the information that is saved onto devices. There are some security technologies available for certain operating systems, such as SELinux, chroot jail, and iptables.
SELinux stands for Security-Enhanced Linux; it was developed by the National Information Assurance Research Laboratory of the NSA. The NSA holds that creating a secure operating system is still a problem, but believes that a secure operating system can be accomplished through mandatory access control. Mandatory access control allows the administrator to manage access controls by defining a usage and access policy. The access policy indicates the access users have to files and programs. By using an access policy it is easier to limit the resources users have, so that a user does not have access to information and programs they shouldn’t, thus bringing down the chances of a security breach.
Security-Enhanced Linux is not easily bypassed; by controlling the access users get, it limits the amount of damage an attacker can do. Even if an attacker manages to get some limited control, most of their commands will fail, while SELinux logs everything the attacker is attempting to do, making it much easier to spot them.
SELinux is designed to stop many threats and make the operating system overall more secure. It prevents processes from reading or tampering with data and programs, bypassing application security mechanisms and executing untrustworthy programs. SELinux also helps to confine potential damage done by malicious or flawed programs.…...
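
As an added illustration of the logging point above (not part of the original essay): SELinux records each blocked action as an AVC denial in the audit log, and the Python code below parses such records and groups them by the confined domain that triggered them. The log lines are constructed samples, and the function names and the `min_distinct` threshold are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample records in audit.log AVC format (not taken from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2211 comm="httpd" name="shadow" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.450:502): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000003.450:502): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000009.020:503): avc:  denied  { execute } for  pid=2290 comm="sh" name="x" dev="tmpfs" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000020.000:504): avc:  denied  { getattr } for  pid=900 comm="logrotate" path="/var/log/app.log" dev="dm-0" ino=42 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        # Assumption: a record without a permissive= field is treated as enforced.
        "enforced": fields.get("permissive", "0") == "0",
    }


def denials_by_domain(log_text):
    """Count blocked (enforced) denials per source domain and kind of access."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not rec["enforced"]:
            continue  # skip non-AVC records and permissive-mode warnings
        counts = summary.setdefault(rec["source_type"], Counter())
        for perm in rec["perms"]:
            counts[(rec["tclass"], perm, rec["target_type"])] += 1
    return summary


def noisy_domains(log_text, min_distinct=3):
    """Domains that hit several different kinds of denial and deserve review."""
    summary = denials_by_domain(log_text)
    return sorted(d for d, c in summary.items() if len(c) >= min_distinct)


if __name__ == "__main__":
    for domain, counts in denials_by_domain(SAMPLE_AUDIT_LOG).items():
        for (tclass, perm, target), n in counts.items():
            print(f"{domain}: {perm} on {tclass} labelled {target} x{n}")
    print("review:", noisy_domains(SAMPLE_AUDIT_LOG))
```
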

Similar Documents

Free Essay

Computer Analysis

...eparis@parisplace.org jmorris@redhat.com The SELinux User Guide assists users and administrators in managing and using Security-Enhanced Linux®. Contents: Preface; 1. Document Conventions; 1.1. Typographic Conventions; 1.2. Pull-quote Conventions; 1.3. Notes and Warnings; 2. We Need Feedback!; 1. Trademark Information; 1.1. Source Code; 2. Introduction; 2.1. Benefits of running SELinux; 2.2. Examples; 2.3. SELinux Architecture; 2.4. SELinux on Other Operating Systems; 3. SELinux Contexts; 3.1. Domain......

Words: 26838 - Pages: 108

Free Essay

Security Enhanced Linux (Selinux), Chroot Jail, and Iptables

...Three of the most important types of Linux security technologies are Security Enhanced Linux (SELinux), chroot jail, and iptables. These security measures aid in the subversion of theft and malicious activity. We will discuss these items in depth to address who created them and for what reason. Along with how these technologies changed the operating system to enforce security, and the types of threats that these security systems are designed to eliminate. Security Enhanced Linux was released in December of 2000 from the National Security Agency (NSA), under the GNU general public license. SELinux is not a Linux distribution; it is a set of kernel modifications and tools that can be added to a variety of Linux distributions. SELinux is currently a part of Fedora Core, and it is supported by Red Hat. Incarnations of SELinux packages are also available for Debian, SuSe, and Gentoo. Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible Mandatory Access Control (MAC). MAC provides an enhanced process to enforce the separation of information based on confidentiality and integrity requirements, as well as the confinement of damage that can be caused by malicious or flawed applications. The previous security structure, discretionary access control (DAC), allowed threats of tampering and avoidance of security mechanisms, because DAC gives the user ownership of files and allows users the ability to make policy......

Words: 848 - Pages: 4

Premium Essay

320 Linux Admin

...SELinux SELinux was developed by the United States National Security Agency. It was then released for open source development on December 22, 2000 and was merged into the main Linux kernel version 2.6.0-test3 on August 8, 2003. SELinux was designed to change the access control protocols for Linux users, to make them more secure and computer resources and applications less likely to be exploited. Prior to the development of SELinux, systems used a form of DAC, Discretionary Access Control. This setup placed all clients into three categories: user, group, and other. If an application or file were "exploited," it would allow the current user to access the file(s) or application at the highest permission allowed, the owner of the file, or user. SELinux introduced two new ways to allow permissions to be determined by the client computer. The first of these is MAC, Mandatory Access Control. This new protocol introduces the principle of least privilege, which simply allows programs to use what resources they need to do the task at hand, and nothing else. An example from an article I found online: "if you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system." The second protocol is RBAC, Role-based Access Control. In this protocol, "permissions are provided based on roles that are granted by the security system." From what I read of......

Words: 792 - Pages: 4

Premium Essay

Linux Research

...would be SELinux, there are many contributors to SELinux but it all really comes back to four major organizations that are responsible for the initial public release of SELinux. These organizations include The National Security Agency, Network Associates Laboratories, The MITRE Corporation, and finally the Secure Computing Corporation. From my research I have found that it all really started with the NSA when they developed the LSM-based SELinux and made it part of Linux 2.6, and this has also led to the development of similar controls in the X Window System (XACE/XSELinux) and for Xen (XSM/Flask). Then NAI Labs implemented several additional kernel mandatory access controls, developed the example security policy configuration and also contributed to the development of the Linux Security Modules kernel patch. The MITRE Corporation helped several common Linux utilities become SELinux-aware and developed application security policies. The SCC developed a preliminary security policy configuration for the system that was used as a starting point for NAI Labs’ configuration, and also developed several new or modified utilities. SELinux controls access between applications and resources, and it does this by using a mandatory security policy. SELinux enforces the security goals of the system regardless of whether applications misbehave or users act carelessly. You can check if SELinux is enabled in Red Hat, or Fedora by using the getenforce command, if it returns enforcing SELinux......

Words: 541 - Pages: 3

Free Essay

It302 4.1 Research Assignment

...programming, which the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, IPtables and Chroot Jail to name a few. SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. Was developed by the NSA in December of 2000. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications. SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC). SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication. SELinux can help protect you from bugs in applications. Most people treat applications as user......

Words: 1350 - Pages: 6

Premium Essay

Assignment 2 Linux Security

...that are always evolving in security to protect against all kinds of hackers or other types of attacks. SELinux, Chroot Jail, IPTables, Mandatory Access Control and Discretionary Access Control, just to name a few. SELinux is an access control implementation for the Linux kernel. Take for instance that you are the administrator and you define rules in user space and if the Linux kernel has been added with SELinux support, then those rules will be followed by the kernel. SELinux is a NSA Security-Enhanced Linux, in which the mandatory access control is flexible. The structure of SELinux supports against all kinds of mandatory access control policies. Some of which are Role-Based Access Control and Multi-Level Security. It was designed by NSA for the purpose of protecting a server against malicious daemons, by telling the daemons what they can and can’t do. This type of technology was created by Secure Computing Corporation, but was supported by the U.S. National Security Agency. In 1992, the thought for a more intense security system was needed and a project called Distributed Trusted Match was created. Some good solutions evolved from this, some of which were a part of the Fluke operating system. Which then became the Flux and finally led to the creation of the Flask architecture. Eventually it was combined with the Linux kernel, which created another project called SELinux. Since NSA realized that the Linux operation system did not have any security that would enforce......

Words: 873 - Pages: 4

Free Essay

Linux Security

...APPLY HARDENED SECURITY FOR CONTROLLING ACCESS 1. Suppose the domain hackers.com is denied for all services in the hosts.deny and the host.allow file has the rule ALL:ALL. Will TCPWrappers allow hackers.com access? ALL:ALL, TCPWrappers will not allow hackers.com access. 2. How do you enable SELinux? Configure /etc/selinux/config file from permissive to enforcing to enable SELinux. 3. What are three modes of SELinux? Explain their basic functionality. SELinux modes are enforcing, permissive, and disabled. Enforcing is when SELinux security policy is enforced. Permissive is when SELinux prints warnings instead of enforcing, and disabled is when SELinux is fully disabled. 4. Consider the following firewall rule, and describe what this permits or denies. 5. What command would you use to allow all the traffic from the loopback? -A INPUT –I lo –j ACCEPT 6. What command would you use to view the network port configuration for the iptables? Iptables –L 7. If a service is to allow in one place and to deny in another, what is the outcome? The outcome would be to allow because access rules in hosts.allow are applied first and take precedence over rules specified in hosts.deny. 8. Is the order of the rules important? If you deny something within the IP network layer, but permit something within the TCP transport layer that uses the IP network layer that you just denied, will your TCP traffic be permitted? The order of the rules are......

Words: 291 - Pages: 2

Free Essay

Lab 6

...1. Suppose the domain hackers.com is denied for all services in the hosts.deny and the hosts.allow file has the rule ALL: ALL. Will TCPWrappers allow hackers.com access? Yes 2. How do you enable SELinux? In the /etc/selinux/config check to see if the SELinux is enabled in the status. If in the disabled status, enter command rpm -qa | grep selinux 3. What are three modes of SELinux? Explain their basic functionality. Enforcing: SELinux policy is enforced/SELinux denies access based on policy rules Permissive: SELinux policy is not enforced/SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Disabled: SELinux is disabled/Only DAC (Discretionary Access Control) rules are used. 4. Consider the following firewall rule, and describe what this permits or denies. Allow http (web) traffic through SSL using SSH & allow ICMP pings, while denying all other traffic. 5. What command would you use to allow all the traffic from the loopback? iptables -A INPUT -i lo -m ACCEPT iptables -A OUTPUT -o lo -m ACCEPT 6. What command would you use to view the network port configuration for the iptables? /etc/network/interfaces 7. If a service is to allow in one place and to deny in another, what is the outcome? Allow, because deny is the file pulled first and then the allow file, so the last one pulled is to allow. 8. Is the order of the rules important? If you deny something within the IP......

Words: 355 - Pages: 2

Free Essay

Linux-Based Web Application Infrastructure Plan

...provides can also be used to deny specific IP addresses, users, or domains. Any known malicious domains will be added to /etc/hosts.deny. Furthermore, the /etc/hosts.allow file should be configured with exceptions to allowed subnets by specific IP address by using the EXCEPT command. Layer Three: SELinux SELinux only supplies a security layer if it is turned on. To enable SELinux (after the initial server configuration, since SELinux could cause problems with installation). To turn on SELinux, the /etc/selinux/config file must be accessed and SELinux must be set to Enforced. Once SELinux is turned on, it can be configured just as other security measures. Best practices state that initial configuration should begin with a denial of all actions. From that point users, applications, and services can be allowed to function within desired parameters by being allowed access to necessary configuration files and program libraries. For the web server, the web administrator will be given specific access to configuration files which are necessary and users placed in the customer database will be given access to their specific data. All other access should be restricted by SELinux. Conclusion: With these three layers in place, the web server for First World Bank Savings and Loan will have maximum protection against unauthorized users. In case of a breach in one layer, another layer should act as a stop-gap. An example of this would be if someone found a way......

Words: 1306 - Pages: 6

Free Essay

It-302-Linux System Administration

...accounts which lead to credit card theft and identity theft. This paper will explain a few of Unix/Linux’s security operations such as SELinux, Chroot, and IPtables. Security-Enhanced Linux is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense style mandatory access controls. These functions were run through the Linux Security Modules in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and that of BSD. SELinux was developed by the United States National Security Agency, it was released to the open source development community under the GNU GPL on December 22, 2000. SELinux users and roles are not related to the actual system users and roles. For every current user or process, SELinux assigns a three string context consisting of a role, user name, and domain. This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. The circumstances under which the user is allowed to get into a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified context, but SELinux may deny the transition if it is not approved by the policy configuration. The security of an unmodified Linux system depends on......

Words: 907 - Pages: 4

Premium Essay

Selinux

...In this paper we will talk about SELinux: what it is, what it does, and who uses such a product. What is SELinux? In short, Security-Enhanced Linux or SELinux is a Linux feature that provides a way for supporting access control security policies, through the use of Linux Security Module or LSM in the Linux kernel. Its architecture works in a way to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. So, what does it do? Here is a list I found on the internet for all techs out there who love this technical stuff.
* Clean separation of policy from enforcement
* Well-defined policy interfaces
* Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
* Independent of specific policies and policy languages
* Independent of specific security label formats and contents
* Individual labels and controls for kernel objects and services
* Support for policy changes
* Separate measures for protecting system integrity (domain-type) and data confidential multileveled security
* Flexible policy
* Controls over process initialization and inheritance and program execution
* Controls over file systems, directories, files, and open file descriptors
* Controls over sockets, messages, and network interfaces
* Controls over use of "capabilities"
* Cached......

Words: 656 - Pages: 3

Premium Essay

Linux Ii Research Assignment - Linux Security Technologies

...based on the security characteristics of the HTTP client. This can be due to SSL bit length, version information, originating IP address or domain, etc. Systems supporting flexible security models can be SELinux, Trusted Solaris, TrustedBSD, etc. DAC checks the validity of the credentials given by the user. MAC validates aspects which are out of the hands of the user (Coar, 2000). If there is no DAC list on an object, full access is granted to any user (Microsoft, 2012). SELinux SELinux has three states of operation. These states are enforcing, permissive, and disabled. SELinux was developed by the U.S. National Security Agency (NSA) and implements MAC in a Linux kernel (Sobell, 2011). Enforcing is the default state for Linux. This is enforcing the security policies. No programs or users are able to do anything not permitted by the security policies. System is somewhat degraded in performance in this state. Permissive mode is the diagnostic state. SELinux sends warning messages to log file and does not enforce the security policy. This is useful for debugging and troubleshooting purposes. Permissive mode somewhat degrades the system in performance as well. In disabled mode, SELinux is completely disabled. No security policy is enforced due to no policy being loaded. All SELinux hooks are disengaged from the kernel and the pseudo file system is unregistered (CentOS, 2006). Server Security To secure a server you may use a TCP Wrapper or set up a chroot jail (Sobell,......

Words: 875 - Pages: 4

Premium Essay

Linux Security Technology

...1. SELinux SELinux, an implementation of Mandatory Access Control (MAC) in the Linux kernel, adds the ability to administratively define policies on all subjects (processes) and objects (devices, files, and signaled processes). This mechanism is in the Linux kernel, checking for allowed operations after standard Linux Discretionary Access Controls (DAC) are checked. Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA). It has been integrated into the mainline Linux kernel since version 2.6. NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. Security-enhanced Linux (SELinux) is a reference implementation of the Flask security......

Words: 1860 - Pages: 8

Free Essay

Security in Linux

...attacks but more as a means of preventing inadvertent system altering mistakes made by the casual user. SELinux or Security Enhanced Linux is an implementation of flexible mandatory access controls that was first researched and implemented into the Linux kernel by researchers at the National Security Agency and the Secure Computing Corporation in 1992 and 1993. (Flux Advanced Security Kernel, 2000) As partially stated above, SELinux is the implementation of mandatory access controls in Linux, whereas standard Linux uses discretionary access controls. In a system using discretionary access controls, user identity and user ownership dictate file and resource decisions. If a user running root privileges starts a process that has malicious intent then the process can in theory take control of any file or system resource and change it to better suit the malicious intent of the process or the creator of the process. In a system running SELinux the mandatory access controls can be administratively designed so as to very closely monitor processes and software with malicious intent. Security decisions in SELinux are not based on the user identity alone but also on what security information is available at the time that the process begins. Using SELinux also helps to provide control not only on programs and processes but on users and devices as well. The mandatory access controls in SELinux are only as good or safe as the administrator sets them up to be, it is wise to have well......

Words: 965 - Pages: 4

Premium Essay

Linux Security Technologies

...situation with security technologies such as SELinux, chroot jail, iptables, and virtual private networks (VPNs) to name a few. The basics of Linux security start with Discretionary Access Control, which is based by users and groups. The process starts with a user, who has access to anything that any other user can have access to. At first, it may seem great to be able to have that access, but the security in it is not so great. The US National Security Agency (NSA) developed the SELinux (Security Enhanced Linux) to combat the lack of strong security. (National Security Agency Central Security Service, 2009) Other organizations behind SELinux include the Network Associate Laboratories (NAI) labs which implemented several additional kernel mandatory access controls, developed the example security policy configuration, ported to the Linux 2.4 kernel, contributed to the development of the Linux Security Modules kernel patch, and adapted the SELinux prototype to LSM. The MITRE Corporation which enhanced several utilities to be SELinux-aware, and developed application security policies. And the Secure Computing Corporation (SCC), which developed a preliminary security policy configuration for the system that was used as a starting point for NAI Labs configuration. SELinux changes the operating system by which you can run it in one of three settings; Enforcing, Permissive, and Disabled. Enforcing in which it will use the targeted SELinux policy on your Fedora Core......

Words: 1207 - Pages: 5
