How to disable SELinux in practice

In some cases no protection is needed. An attacker may expect to encounter SELinux specifically and, through deliberate actions, get past the security perimeter into the system. Sometimes SELinux has to be disabled because the programs needed for the work do not support it.

What is SELinux

Some call SELinux a labeling system, others a mandatory access control system. In any case, SELinux operates at the kernel level, and its rules and policies take into account the permissions and prohibitions that are defined above the kernel level of the operating system.

SELinux was developed to improve the security system and to block malicious actions that a conventional protection system is not able to stop.

Traditionally the central object is the file, with which everything can be associated, even a port; in the new security system the central object is the process. A process is always created when a program starts or a user logs in. In fact, everything in the operating system can be described as a process.

[Figure: SELinux structure and operation]




It is also significant that many processes are hidden and not visible to the administrator, let alone the average user. SELinux closes this gap: any process can be labeled and the policy tuned to it.





SELinux is included in Linux distributions as an optional component. CentOS and SELinux, for example, come as a single whole. You can disable SELinux immediately after installing the system or, if necessary, at any later time.

When setting up a clean operating system, for example for hosting with exotic capabilities, it is advisable to disable all critical system components and additional tools. After the necessary software has been installed and verified, you can turn everything back on step by step.

How to disable SELinux

You can enable SELinux in the required mode and configure the necessary access policies at any time. After installing a clean system, SELinux can be disabled immediately by changing the setting to disabled.

[Figure: The essence and structure of SELinux]




The parameter is located in the file named config in the /etc/selinux directory.

After making the change, you must restart the computer. If necessary, SELinux can also be removed from the system completely.
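The procedure above, as an added example that is not part of the original article: a shell script that reads and changes the SELINUX= line of the config file and shows why the restart is needed. The function names and the sample file contents are constructed for illustration; the SELINUX= key, the enforcing/permissive/disabled values and the getenforce command are the standard ones.

```shell
#!/bin/sh
# Added example: read and change the SELINUX= setting of an SELinux config file.
# The path is a parameter so the functions can be tried on a copy; the live
# file is /etc/selinux/config and editing it requires root.

# Constructed sample with the same layout as a stock config file.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Print the configured mode (comments and SELINUXTYPE= are ignored).
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Mode the running kernel reports, or "unknown" where getenforce is absent.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# Set SELINUX=<mode>. Keeps a .bak copy and writes into the existing file,
# so its owner and permissions stay unchanged.
set_selinux_mode() {
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    grep -q '^[[:space:]]*SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file.bak" > "$file"
}

# Demo on a constructed copy, never the live file.
demo=$(mktemp) && make_sample_config "$demo"
set_selinux_mode "$demo" disabled
echo "configured: $(selinux_configured_mode "$demo"), running: $(selinux_runtime_mode)"
rm -f "$demo" "$demo.bak"
```

On a real host the configured and running modes differ until the restart, which is what the last line of the demo makes visible.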

Features and capabilities of SELinux

Security issues, intrusion protection, file locking to protect against theft, standard logs of events and of employee activity (in the broad sense): all of this is full access control, and it is always relevant.





The usual security system did its job successfully. However, users do not always follow the logic of work that the operating system's developers had in mind, and not all of them do. Gaps appear through which an attacker can get in.





SELinux is the answer to some of the holes in a conventional security system. By declaring the process a security element and offering a system of access policies, SELinux raises the level of security, but there is no guarantee that changing the protected object from a file to a process is a long-term idea.

SELinux features are configured case by case. Only a limited group of company employees knows about them. Here the human factor reappears.

It is not at all necessary to painstakingly write a virus in order to harm an employer; it is enough to make use of a reliably configured security system. For example, a disgruntled employee asks the administrator to temporarily stop SELinux because a program that the company director bought will not install. If the administrator does not recognize such a banal approach to penetration and goes along with the employee, the entire security system, SELinux included, is worthless.

About the most reliable defenses

It’s a great idea to configure your web server on Ubuntu 18.04 or on CentOS 7. It’s wise to enable and configure SELinux. An excellent addition would be to send the company's system administrators to prestigious courses on the security of corporate systems and the psychology of company personnel.

But the best barrier for any attacker is ignorance or an outdated component.

[Figure: Ignorance is the best defense]




Excellent knowledge is not only the prerogative of a good administrator. Anyone who needs to get inside the security perimeter also strives to have good knowledge.

By using something that no one will ever guess, you can achieve the desired result. SELinux can serve as bait: it will be difficult for an attacker to disable, but it can be done. In fact, the protection will rest on completely different functionality.



