This post is part of a series on my top 10 tips for securing Linux home installations. You can find the other posts here.
Enable Mandatory Access Control (MAC)
Traditionally, Linux and Unix operating systems have implemented simplistic access controls (a Discretionary Access Control (DAC) approach). These are relatively easy to exploit, and have limited flexibility in securing access to files, processes and resources. A MAC framework offers finer-grained control over users and processes on a system.
On Fedora, MAC is implemented via SELinux. It is enabled by default and set to enforcing mode on a standard Fedora system install. For most purposes you won’t need to tweak the default settings.
If you are running a Ubuntu variant, the MAC implementation would probably be AppArmor, though SELinux and AppArmor aren’t exactly equivalent.
What exactly is SELinux?
It’s a mechanism to control access within a Linux system to files, processes, applications, and ports. Access to these entities can be enforced or denied by SELinux security policies.
Check if SELinux is enabled and in enforcing mode
On Fedora you can check if SELinux is enabled using one of the following:
To modify the SELinux mode to enforcing, you can run either:
sudo setenforce Enforcing
sudo setenforce 1
To modify the SELinux mode to permissive you can run either:
sudo setenforce Permissive
sudo setenforce 0
Find out more
- Red Hat has an excellent overview of SELinux and a comparison of DAC and MAC.
- Ubuntu provides documentation on AppArmor.
- You can read more about the Linux Security Modules project which provides the framework and capability for MAC implementations in the Linux kernel.
A Soapbox Moment
I wish I had a dollar for every time I’ve seen a system with SELinux permanently disabled or permanently placed in permissive mode. This defeats its purpose and robs the system of SELinux’s power! This article from TechRepublic explains why running SELinux in enforcing mode is important.
Note that placing SELinux in permissive mode temporarily is useful when trying to determine if a problem is SELinux-related.
Stay tuned for a future post on SELinux, including how to monitor audit logs, create custom policies and configure booleans.
Recap of my top 10 tips for securing Linux@home
That’s it! I’ll have a bit more to say tomorrow on Tip # 3 – use sudo. Meanwhile, let me know what you think of this tip by leaving a comment below.
A glossary of terms is available here.
Once again, ensure you’re familiar with the disclaimer here!