SELinux

Kerry Thompson

Security Enhanced Linux (SELinux) is an extension to the standard Linux kernel that has been designed to enforce strict access controls. SELinux lets you confine processes to the minimum amount of privilege they require. In this article, I will cover the ideas behind SELinux and show how to install, configure, and manage an SELinux system. As an example of configuring a security policy, I’ll show how to configure a BIND-based DNS server with an example security policy that restricts the DNS server to accessing only those files it requires for operation.

Introduction and History

SELinux was released late in 2000 by the U.S. National Security Agency (NSA) and was developed with cooperation from such security heavyweights as NAI Labs, Secure Computing Corporation, and MITRE Corporation. The NSA Information Assurance Research Office continues to guide SELinux development; it is this office that is responsible for carrying out research and development of solutions to achieve a high level of information security critical to government and industry.

Following the initial release of SELinux, the Linux community soon realized that the standard kernel needed to be extended to provide more flexibility for security add-ons. From this came the Linux Security Module (LSM) version of the Linux kernel, which provides for the modular addition of security extensions to the standard Linux kernel. SELinux was then changed to be built as an LSM module, and I will cover the LSM implementation in this article.

The full source code for SELinux was released to the open source community with the aim of creating a viable, secure operating system. With the assistance of open source developers worldwide, SELinux is quickly becoming accepted as a mainstream operating system that can provide a high level of security through mandatory access control.<>