Continuing our Linux tutorial series, this article introduces SELinux, which can be useful for the security of your server.
Security Enhanced Linux (SELinux) is a set of kernel modifications and user-space tools that have been present in CentOS for quite a long time.
It is a mechanism that supports Mandatory Access Control security policies; it was initially developed by the US National Security Agency and later released in the public domain to protect computer systems from malicious intrusion and tampering.
Not many System Administrators use SELinux. Commonly, people are reluctant to learn about SELinux and just disable it directly. However, a properly configured SELinux system can reduce the security risks to a great extent.
SELinux implements Mandatory Access Control (MAC), which works on top of the already available Discretionary Access Control (DAC) on CentOS 7. DAC is the traditional security model on Linux systems, with three entities: User, Group, and Others, each of which can have a combination of read, write, and execute permissions for files and directories.
By default, if a user creates any file in his home directory, the user and his group will have the read access and the user will have write access to the file but the other entity might also have read access to it. The user who owns the file can change this access policy and grant or revoke access as well as ownership of the file.
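The DAC default described above can be observed directly. The following is an added example, not part of the original article: it shows the mode a new file receives under a given umask and lists the files in a directory that "others" can read. The function names are hypothetical, the scratch directory and its files are constructed, and GNU stat and find (as shipped with CentOS) are assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; assumes GNU stat and find, as shipped with CentOS.

# Print the octal mode a newly created file receives under a given umask.
#   $1 = umask (e.g. 022)   $2 = directory in which to create the file
mode_of_new_file() {
    (
        umask "$1"
        f="$2/.dac_probe.$$"
        : > "$f"              # create an empty file, as a user normally would
        stat -c '%a' "$f"     # e.g. 644 = rw-r--r--
        rm -f "$f"
    )
}

# List regular files under a directory that the "others" entity can read.
world_readable_files() {
    find "$1" -type f -perm -004 -print | sort
}

# Count those files.
count_world_readable() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed scratch directory (no real data touched).
demo_dir=$(mktemp -d)
: > "$demo_dir/notes.txt";  chmod 644 "$demo_dir/notes.txt"   # default-style
: > "$demo_dir/secret.key"; chmod 600 "$demo_dir/secret.key"  # owner only
echo "new file under umask 022: $(mode_of_new_file 022 "$demo_dir")"
echo "new file under umask 077: $(mode_of_new_file 077 "$demo_dir")"
echo "readable by others: $(count_world_readable "$demo_dir") file(s)"
world_readable_files "$demo_dir"
rm -rf "$demo_dir"
```

Running world_readable_files against a real home directory gives a quick inventory of files whose protection depends entirely on the owner having set the mode correctly.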
Such discretionary permissions might leave critical files exposed to accounts that don't need access to them and thus pose a security threat to the running system.
SELinux confines every process to its own domain and makes sure that it can interact only with defined types of files and processes, and thus protects the system from a hacker hijacking a script or process and gaining system-wide control through it.
To check which SELinux packages are installed on your system, run the following command:
    rpm -qa | grep selinux
The command will display the following output: