A visual introduction to SELinux


While doing some reading at work, I came across a link to "Your visual how-to guide for SELinux policy enforcement" and thought it was good enough to share. As you can guess, I'm a fan of SELinux. In fact, I consider it to be akin to this century's version of the firewall.

If you are not familiar with SELinux at all, I highly recommend that you take a few minutes and read the visual how-to. Despite being a little cheesy, it does put a little humor into an otherwise dry topic.

For now, suffice it to say that SELinux acts like an in-kernel firewall in that it filters what different processes can access and what level of access they have. You might be thinking that we already have (classic) POSIX user / group / other file permissions on things, but remember I said processes. SELinux can keep one process from interacting with another process. Further, SELinux can be used to help ensure that when WordPress is compromised, the code that is uploaded to the server won't be executed by PHP because it's not labeled properly to be executed. Thus, SELinux can help mitigate an attack. I say mitigate because it can't (easily) prevent the attack that exploits a vulnerability in WordPress, but it can help limit what the attacker can do after the exploit.

So today I'm telling you to stop disabling SELinux (for whatever reason) like we were telling you to stop disabling (host-based) firewalls a decade ago. Hopefully in five years SELinux will be left on like (host-based) firewalls are now left on.