In some cases no additional protection is needed at all. Malicious attacks may already "count on" meeting SELinux on their way in and, through deliberate actions, still penetrate the security perimeter of the system. Sometimes SELinux has to be disabled because the programs you need to work with do not support it.
What is SELinux
Some call SELinux a labeling system, others call it a mandatory access control system. In any case, SELinux operates at the kernel level, and its rules and policies take into account the permissions and prohibitions that are defined above the kernel level of the operating system.
SELinux was developed to strengthen the security system and to block malicious activity that the usual protection mechanisms are not able to block.
Traditionally the central object is the file, with which everything can be associated, even a port; in the new security model the central object is the process. A process is created whenever a program starts or a user logs in. In fact, everything in the operating system can be described as a process.
It is also significant that many processes are hidden and not visible to the administrator, let alone to an ordinary user. SELinux closes this gap by allowing any process to be confined by labeling it.
Some Linux distributions ship with SELinux enabled. For example, CentOS and SELinux form one whole. You can disable the latter immediately after installing the system or, if necessary, at any later time.
When setting up a clean operating system, for example for hosting with exotic requirements, it is advisable to disable all non-critical system components and additional tools. After the necessary software has been installed and verified, you can turn everything back on step by step.
How to disable SELinux
You can enable SELinux in the desired mode and configure the necessary access policies at any time. After installing a clean system, you can immediately disable SELinux by changing the mode parameter to disabled.
This parameter is located in the config file under /etc/selinux.
After making the change, you must reboot the computer. If necessary, SELinux can be removed from the system completely.
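The change described above, as an added example that is not part of the original article: two small POSIX shell helpers that read and rewrite the SELINUX= line of an SELinux config file (the key name and the three modes enforcing, permissive and disabled are the standard ones; the file path /etc/selinux/config is the usual location and is only a default here). The demo runs on a constructed copy of the file, so it needs no root and does not touch the real system.

```shell
#!/bin/sh
# Added example, not the article's own code. Helpers for inspecting and
# changing the SELINUX= mode line in an SELinux config file.

# Print the value of SELINUX= from the given file (default: /etc/selinux/config).
# SELINUXTYPE= is not matched because the pattern requires "=" right after SELINUX.
selinux_config_mode() {
    file="${1:-/etc/selinux/config}"
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$file" | head -n 1
}

# Rewrite SELINUX= in the given file. Only the three valid modes are accepted;
# anything else is rejected so a typo cannot leave the file unparsable.
set_selinux_config_mode() {
    file="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    # Write to a temp file and move it into place (portable; no GNU sed -i).
    tmp="$file.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed copy of a typical config file: switch enforcing -> permissive.
demo_selinux_config() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    before="$(selinux_config_mode "$f")"
    set_selinux_config_mode "$f" permissive
    after="$(selinux_config_mode "$f")"
    rm -f "$f"
    echo "$before -> $after"
}
```

As the article says, a change to this file only takes effect after a reboot; on a running system `getenforce` shows the current mode and `setenforce 0` switches to permissive until the next boot. When the problem is a program that does not work under SELinux, permissive is the mode to try first: the policy is still evaluated and every denial is logged to the audit log, so you can see what the program actually needs instead of turning the protection off outright.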
Features and capabilities of SELinux
Security in general, intrusion protection, locking files to protect them against theft, standard event logs and employee activity (in the broadest sense): full access control. This has always been the goal.
The conventional protection system did its job successfully. However, not all users always follow the logic of operation that the operating system's developers assumed. This creates gaps through which an attacker can penetrate.
SELinux is the answer to some of the usual security holes. By declaring the "process" a security element and offering a system of access policies, SELinux raises the level of security, but there is no guarantee that moving the security object from the file to the process is a long-term idea.
SELinux features are configured on a case-by-case basis, and only a limited group of a company's employees knows about them. Here the human factor appears again.
It is absolutely not necessary to diligently write a virus in order to harm one's employer; one can simply make use of the security system itself. For example, an offended employee asks the administrator to temporarily stop SELinux because a program the company director has purchased will not start. If the administrator does not recognize such a banal penetration technique and follows the employee's lead, the whole security system, SELinux included, is worthless.
About the most reliable defenses
It is a good idea to set up a web server on Ubuntu 18.04 or CentOS 7. It is smart to enable and configure SELinux. An excellent addition would be to send the company's system administrators to reputable courses on corporate system security and on the psychology of company personnel.
But the best barrier against any attacker is ignorance or an outdated component.
Excellent knowledge is not the prerogative of a good administrator alone. Good knowledge is also sought by those who want and need to penetrate the security perimeter.
By using something that no one will ever guess, you can achieve the desired result. SELinux can serve as bait, which will be difficult for an attacker to disable, but possible. The real protection will then be based on completely different functionality.