SELinux
SELinux(Security-Enhanced Linux) is a security extension module of the Linux kernel developed mainly by NSA(national security agency) in the united states. We will add the “secure OS” function to the Linux kernel. It is not the name of the distribution.
The biggest feature is that each process is designed to move with minimal authority considering the risk of root privilege.
The main functions are the following five. ref: security academy study meeting
1. MAC (Mandatory Access Control)
Only security administrator can set security
2. TE (Type Enforcement)
Access control for each process
3. Row Based Access Control(RBAC)
By assigning the administrative authority to the user, it is possible to avoid a mistake in operation with the conventional root
4. Domain transition
Allow only preset privilege escalation (deeply related to TE of 2)
5. Audit log
It is possible to logs of operations inside and outside the authority.
[vagrant@localhost tests]$ cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted
disabled なので無効化されています。
getenforceでも見れるようです。
[vagrant@localhost tests]$ getenforce Disabled