Join Scott Simpson for an in-depth discussion in this video Introducing SELinux, part of Up and Running with CentOS Linux.
A whole lot of people's first interaction with SELinux starts out with head scratching and frustration, and ends with shutting it off completely. But SELinux is an important part of the security of your server, and it's worth taking a little time to understand. SELinux, or Security Enhanced Linux, was originally developed by the National Security Agency to provide access control security policies for Linux installations. Unlike the standard security scheme of users, groups, and permissions, SELinux tags every file and resource on the system to add a more granular security system with lots of advantages.
This tagging is based on the idea that when a process in Linux runs, it inherits the rights and privileges of the user or process that started it up. For most things this makes a lot of sense. If I open a text editor, the text editor has access to the same files I have access to. It can write to my home folder and it can edit files that I've created. But this can get a little more tricky with system processes like a web server or a file server. Most of these servers get started by the root user, or by the system acting as the root user, because they need to access resources like network ports, system files or devices.
What happens in the case where someone uploads malicious software that hijacks these system processes? Or the programs themselves get replaced with maliciously crafted versions? You can envision a scenario where a malicious agent replaces the executable for the web server. Suddenly that compromised version of the web server could publish your whole user folder online. SELinux strives to prevent this using the granular tagging system I mentioned earlier, setting what it calls security contexts on files and resources.
With SELinux, you can tag files as being within the context for the web server process. And regardless of the regular permissions of a file, if it's not tagged with a web service context, the web server can't access it. In this chapter I'll show you how SELinux works at a high level. Then in later movies, we'll see SELinux in action, and see how to correctly change the context of processes and files so we can benefit from the protection that SELinux affords us. This type of security topic could be a whole course in itself.
So I won't go into a lot of depth here. And for most installations, you won't need to go into any kind of depth either. SELinux mostly stays out of the way. The only time you'll run up against it in the normal course of administering your server is when there's a risk of security problems.
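As an added illustration that is not part of the course, here is a small constructed Python model of the rule described above: an access goes through only if both the ordinary permission bits and the SELinux context allow it, so a hijacked web server running as root still cannot read a home folder that is labelled as home content. The domain and type names (httpd_t, unconfined_t, httpd_sys_content_t, user_home_t) are real SELinux labels, but the policy set, files and processes are constructed stand-ins; on a CentOS host you would inspect labels with `ls -Z` and change them with `chcon` or `semanage fcontext` followed by `restorecon`.

```python
"""Constructed model of SELinux type enforcement layered on top of ordinary
Unix permissions. A teaching simulation, not SELinux itself; the rules below
are a tiny stand-in for the targeted policy shipped with CentOS."""

# Allow rules in SELinux style: (process domain, file type, permission).
# Constructed subset; anything not listed here is denied.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "read"),
    ("unconfined_t", "user_home_t", "read"),
    ("unconfined_t", "user_home_t", "write"),
    ("unconfined_t", "httpd_sys_content_t", "read"),
}

def dac_allows(proc, f, perm):
    """Classic permission check: uid 0 overrides the mode bits (as root does);
    otherwise use the owner bits for the owner and the 'other' bits for anyone else."""
    if proc["uid"] == 0:
        return True
    bits = (f["mode"] >> 6) if proc["uid"] == f["uid"] else (f["mode"] & 0o7)
    return bool(bits & (0o4 if perm == "read" else 0o2))

def selinux_allows(proc, f, perm):
    """Type enforcement: deny unless an allow rule exists for this domain/type pair."""
    return (proc["domain"], f["type"], perm) in POLICY

def access(proc, f, perm):
    """Both layers must agree; SELinux never grants what permissions deny, it only denies more."""
    if not dac_allows(proc, f, perm):
        return "denied by permissions"
    if not selinux_allows(proc, f, perm):
        return "denied by SELinux"  # on a real host this is logged as an AVC denial
    return "allowed"

def relabel(f, new_type):
    """Stand-in for chcon/restorecon: change only the SELinux type, not mode or owner."""
    return {**f, "type": new_type}

# Constructed sample objects; the web server runs as root to mirror the scenario above.
HTTPD = {"uid": 0, "domain": "httpd_t"}
EDITOR = {"uid": 1000, "domain": "unconfined_t"}
INDEX = {"uid": 0, "mode": 0o644, "type": "httpd_sys_content_t"}  # e.g. /var/www/html/index.html
NOTES = {"uid": 1000, "mode": 0o644, "type": "user_home_t"}       # e.g. a world-readable file in /home

if __name__ == "__main__":
    print("httpd reads index.html:  ", access(HTTPD, INDEX, "read"))
    print("httpd reads home notes:  ", access(HTTPD, NOTES, "read"))  # root and 0644, still denied
    print("editor writes home notes:", access(EDITOR, NOTES, "write"))
    print("after relabel to web type:", access(HTTPD, relabel(NOTES, "httpd_sys_content_t"), "read"))
```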
- What is CentOS?
- Installing CentOS
- Configuring networking with DHCP or a static IP
- Connecting remotely
- Working with SELinux
- Setting up a firewall
- Setting up a web server
- Connecting to shared folders
- Launching the graphical user interface (GUI)
Skill Level: Beginner
Q: After creating an installer with unetbootin, my system cannot start up from it.
A: Unetbootin is no longer a recommended tool for creating a CentOS installer. Instead, try Rufus (https://rufus.akeo.ie/).