Книга: Fedora™ Unleashed, 2008 edition
Understanding SELinux
Understanding SELinux
Users moving from Windows to Linux often make the mistake of wanting to maximize the security of their system by changing the default Linux settings "to what they ought to be." If that's you, stop right there: Fedora is designed to be secure out of the box, which means you need to change nothing to be secure.
One of the most commonly misunderstood components of the Fedora security ecosystem is SELinux, which was designed by the US government's National Security Agency to ensure that Linux meets its high requirements for technology security. What people misunderstand about SELinux is that it works automatically, out of the box, whether you understand it or not; you don't need to enable it, tweak it, or even know how it works for it to help keep your system secure. SELinux is designed to complement, rather than replace, the existing Linux security permissions system, which means that anything allowed by SELinux but disallowed by your filesystem permissions is denied.
SELinux works by monitoring every system request of every program. For example, each time Apache wants to serve a web page, it has to ask SELinux whether it can read the requested file. Don't worry, the speed hit is minimal; but in terms of security, it means that even if Apache is compromised, it still can't be used to read sensitive files because SELinux stops it.
The only time you are likely to run into SELinux is when a program tries to do something it shouldn't. This might mean you have a security problem, but might also mean your system is trying to do something that the Fedora developers hadn't anticipated. Either way, you'll see a small bubble appear in the top-right corner of your screen, saying AVC denial, click icon to view. When you click the icon, the SELinux troubleshooter app appears, explaining what happened and why it was blocked. The troubleshooter also tells you what to do if the request was legitimate and you want to allow it in the future.
One last word of advice: even if SELinux does get in your way now and then, don't disable it. Several previous Linux security vulnerabilities have been exploited on other distros, but stopped on Fedora thanks to SELinux, which proves it works. Having your filesystem permissions set correctly, keeping SELinux enabled, and using the built-in firewall all helps to keep your system secure — make the most of it!
Related Fedora and Linux Commands
These commands are used to manage security in your Fedora system:
? Ethereal
— GNOME graphical network scanner
? gnome-lokkit
— Fedora's basic graphical firewalling tool for X
? lokkit
— Fedora's basic graphical firewalling tool
? ssh
— The OpenSSH remote login client and preferred replacement for telnet
? system-config-securitylevel
— Fedora's graphical firewall configuration utility
- Understanding Generics
- Understanding the Command Line
- Understanding Set User ID and Set Group ID Permissions
- Understanding init Scripts and the Final Stage of Initialization
- Understanding Point-to-Point Protocol over Ethernet
- Understanding SQL Basics
- Understanding the Changes Made by DHCP
- Understanding Computer Attacks
- Understanding the ext3 File System Structure
- Understanding drive status
- Understanding encryption and the encrypting file system
- Understanding volume basics