SELinux Modes and Policies

In Part 1 of this series, we discussed the basics of host security through traditional security mechanisms (DAC) and newer efficient mechanisms (MAC). We also understood that the right combination of both the Access Control Methods eventually leads to an effective security policy that can be applied to any host.

We learnt that applying security to an operating system as a whole was far more practical and efficient than applying security to each individual application running on the operating system, and that SELinux was one such mechanism. SELinux achieves MAC objectives by applying a ‘Security Context’ to subjects and objects, and by controlling access of subjects to objects based on access control rules.

In Part I, we also learnt to enable SELinux on Red Hat Enterprise Linux. The steps are briefly summarised below:

1. Edit /etc/sysconfig/selinux and make sure it contains the lines:

2.           SELINUX=permissive

SELINUXTYPE=targeted

3. Reboot and check.

In this article, we will explore Permissive and Reboot and check. Enforcing Modes. We will also learn a few SELinux commands that will help in understanding SELinux policies better.