Using SELinux the right way… Leave it turned on!

Yesterday I was having a chat with the lads in the office about properly using SELinux. I realised later that I haven’t written down a short quick start guide on the topic, so here we go.

There seems to be an undesirable corporate standard in many organisations these days to simply disable SELinux because “its too complicated”. This article is designed to give you the information you need to not just challenge that stereotype, but also to change things for the better.

If you are unfamiliar with SELinux, here is a general background from Wikipedia.

“Security-Enhanced Linux (SELinux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement.[1][2] The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency.

It has been integrated into the mainline Linux kernel since version 2.6, on 8 August 2003.”          —

Continue reading “Using SELinux the right way… Leave it turned on!” »