SELinux

Security-Enhanced Linux (SELinux) is a security enhancement to Linux that provides a mechanism for enforcing the security of the system. Under SELinux, programs are run inside a sandbox and follow the principle of least privilege, in which programs are limited to set of necessary operations.

SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication.

With SELinux an administrator can differentiate a user from the applications a user runs.

Features include:

• Uses multiple security models
• Clean separation of policy from enforcement
• Type enforcement to enforce mandatory access control
• Well-defined policy interfaces
• Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
• Support for on-the-fly sandboxing of applications, including X applications
• Independent of specific policies and policy languages
• Independent of specific security label formats and contents
• Individual labels and controls for kernel objects and services
• Caching of access decisions for efficiency
• Support for policy changes
• Support for MLS/MCS translations
• Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
• Very flexible policy
• Label substitution
• Virtual machine labeling
• Per-service seuser support
• Persistent dontaudit flag
• Controls over process initialization and inheritance and program execution
• Controls over file systems, directories, files, and open file descriptors
• Controls over sockets, messages, and network interfaces
• Controls over use of "capabilities"

Last Updated Tuesday, April 24 2012 @ 02:37 PM EDT