Information About Security-Enhanced Linux
Security-Enhanced Linux (SELinux)
Security-Enhanced Linux (SELinux) is a solution composed of a Linux kernel security module and system utilities that incorporate a strong, flexible Mandatory Access Control (MAC) architecture into Cisco IOS XE platforms.
Purpose of SELinux
SELinux provides an enhanced mechanism to enforce the separation of information, based on confidentiality and integrity requirements, which addresses threats of tampering and bypassing of application security mechanisms and enables the confinement of damage that malicious or flawed applications can cause.
SELinux Mechanism
SELinux enforces mandatory access control policies that confine user programs and system services to the minimum privilege required to perform their assigned functionality. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (for example, through buffer overflows or misconfigurations). It is a practical implementation of the principle of least privilege, achieved by enforcing MAC on Cisco IOS XE platforms. This confinement mechanism works independently of the traditional Linux access control mechanisms. SELinux allows you to define policies that control access from an application process to any resource object, thereby allowing for the clear definition and confinement of process behavior.
SELinux Modes in Cisco IOS XE
When enabled on a system, SELinux operates in either Permissive mode or Enforcing mode.
- Permissive Mode: In Permissive mode, SELinux does not enforce the policy. Any access that violates the resource access policy is allowed to proceed, but a system log is generated for the denial that would have occurred.
- Enforcing Mode: In Enforcing mode, the SELinux policy is enabled and enforced. Resource access is denied according to the access policy rules, and system logs are generated for each denial.
SELinux is enabled in the Enforcing mode by default on supported Cisco IOS XE platforms. In the Enforcing mode, any system resource access that does not have the necessary allow policy is treated as a violation, and the operation is denied. The violating operation fails when a denial occurs, and system logs are generated. In Enforcing mode, SELinux therefore operates as an access-violation prevention mechanism.
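Because both modes generate system logs for denials, the practical difference between them shows up in the denial records themselves: an Enforcing-mode denial means the operation actually failed, whereas a Permissive-mode denial is a warning about an operation that was allowed to proceed. The following parser is an added example, not code from the page or from Cisco IOS XE. It assumes the standard Linux kernel AVC record format (including the trailing permissive=0/1 field that the kernel emits); the page does not show how IOS XE wraps these records, so that format is an assumption, and the log lines below are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard Linux kernel AVC record, e.g.
#   avc:  denied  { read } for  pid=1234 comm="foo" ... tclass=file permissive=0
# Assumption: IOS XE surfaces this kernel format; the page does not show it.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (not real device output).
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="example_daemon" name="config.db" dev="sda1" ino=98765 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:admin_home_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000001.456:457): avc:  denied  { write } for  pid=1235 '
    'comm="example_daemon" path="/tmp/x" '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 '
    'tclass=file permissive=1',
    'type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=257 success=yes exit=3',
]


@dataclass
class AvcEvent:
    verdict: str                 # "denied" or "granted"
    permissions: List[str]       # e.g. ["read"], ["read", "write"]
    pid: Optional[int]
    comm: Optional[str]          # process name
    scontext: Optional[str]      # source (process) security context
    tcontext: Optional[str]      # target (object) security context
    tclass: Optional[str]        # object class, e.g. "file"
    permissive: Optional[int]    # 0 = Enforcing, 1 = Permissive, None = field absent

    @property
    def blocked(self) -> bool:
        """True only when the kernel actually refused the operation (Enforcing mode)."""
        return self.verdict == "denied" and self.permissive == 0


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one log line into an AvcEvent, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    pid = fields.get("pid")
    perm = fields.get("permissive")
    return AvcEvent(
        verdict=m.group("verdict"),
        permissions=m.group("perms").split(),
        pid=int(pid) if pid is not None else None,
        comm=fields.get("comm"),
        scontext=fields.get("scontext"),
        tcontext=fields.get("tcontext"),
        tclass=fields.get("tclass"),
        permissive=int(perm) if perm is not None else None,
    )


def summarize(lines) -> Tuple[dict, List[AvcEvent]]:
    """Split denials into operations that failed (Enforcing) and ones merely logged (Permissive)."""
    summary = {"enforced_denials": 0, "permissive_denials": 0, "unknown_mode": 0, "unparsed": 0}
    events: List[AvcEvent] = []
    for line in lines:
        ev = parse_avc(line)
        if ev is None:
            summary["unparsed"] += 1
            continue
        events.append(ev)
        if ev.verdict != "denied":
            continue
        if ev.permissive == 0:
            summary["enforced_denials"] += 1
        elif ev.permissive == 1:
            summary["permissive_denials"] += 1
        else:
            summary["unknown_mode"] += 1   # record lacked the permissive= field
    return summary, events


if __name__ == "__main__":
    totals, parsed = summarize(SAMPLE_LOG)
    print(totals)
    for ev in parsed:
        print(f"{ev.comm} {ev.permissions} on {ev.tclass}: {'BLOCKED' if ev.blocked else 'logged only'}")
```

A denial with permissive=0 is the signature of an operation that failed under Enforcing mode and is worth investigating as either a policy gap or an attempted out-of-policy access; a permissive=1 denial indicates a system that is logging rather than preventing, which is the condition to alert on if the platform is expected to stay in its default Enforcing mode.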
Note: By default, SELinux is in the Enforcing mode.