Why do we need SELinux?

security linux selinux

I could not get much idea where the SELinux has been used and what it saves from attacker. I have gone through SELinux web site and read the basic but still not getting clue about SELinux. For the Linux system which provides the SSH shell, Apache front end, role based web application, MySQL DB, memcached, almost all the systems are password protected, then why do we need SELinux?


Solution 1:

You may view SELinux as a system-call firewall: A policy for each application specifies what's reasonable for the application to do: The name server may listen on port 53, work with some zone files in a particular directory, send out syslog, ..., but it makes no sense for it to try to work with files in /home, for example. SELinux' enforcement of such a policy means that it will be much harder for a weakness in the name server to spread to other parts of the system.

I find that SELinux provides real security value. But while it has certainly become easier to work with over the years, it is - unfortunately - still a rather complex system. The good thing is that you may easily turn it off for some services, without having to turn it off for the whole system. Too many (junior?) sysadmins turn of SELinux across the board, as soon as they run into the slightest problem with one service - instead of selectively turning it off for the service causing trouble.

Solution 2:

Not all security issues can be predicted in advance. If an attacker manages to exploit a weakness in e.g. a third-party httpd module then they have access to the same files that the user httpd is running as does. SELinux further restricts this by limiting them to actions and file contexts that their SELinux domain has access to.

Solution 3:

These previous questions might be informative:

SELinux in the Real World

and

Real life SELinux security example?

and

Reasons to disable / enable SELinux

Solution 4:

I think the term Mandatory Access Control sums it up quite nicely. SELinux gives you a more secure system through a more secure kernel, in large part due to a MAC implementation.

Related

How do I tell which AIX version am I running?
Unable to connect to the AWS EC2 instance - "Host key verification failed"
Proving that the class of all ordinals is well ordered under $\in$
Proving that $\sqrt{2}$ is irrational with a math level of a middle school student?
Hyperplane is a convex
For any group $(G, \cdot)$, $a, b \in G \iff a \cdot b \in G$
Pattern in number of digits in $(10^n)!$
Finite Product of Closed Maps Need Not Be Closed
Maximum value of $3^x+5^x-9^x+15^x-25^x$ [duplicate]
Uniformity in convergence of the series $\sum_{n=0}^\infty f_n(x)=\sum_{n=0}^\infty (-1)^nx^n(1-x),~~x \in [0,1]$ [duplicate]
How to grasp the relationship between Laurent series depending on the region they are developed at
Sequence of functions - showing the series converges uniformly