Security-Enhanced Linux (SE Linux) is a Linux Kernel Module that enhances the security of SLXOS's underlying Linux OS. SE Linux works by providing security policies for access control at the operating system level. Support for Mandatory Access Control (MAC) is also available for use.
Security policies are a set of rules that implement access control restrictions for applications, processes, and files on the SLXOS operating system. SE Linux uses these rules to enhance security by preventing bypass of application security mechanisms and by containing the potential damage caused by malicious or misbehaving applications.
Support for SE Linux is introduced in SLXOS version 20.4.1. As part of this, MAC policy support for the SSHD and HTTPD modules and their dependencies is added.
SE Linux has three modes of operation:
In the Disabled mode, the operating system does not implement SE Linux policy and also does not label any persistent objects such as files. Not marking these persistent objects makes it harder to implement SE Linux in the future.
In the Permissive mode, the operating system implements the SE Linux policy fully. All policy enforcement activities are logged. However, the policy is not enforced.
In the Enforcing mode, the operating system implements the SE Linux policy completely, including denying access and logging activity.
SE Linux Permissive mode is enabled by default and cannot be changed.
Note
The last 1000 error log entries will be saved in the INFRA.txt file within the support save logs.
Note
This feature is enabled on all platforms of SLXOS.
Use the show selinux status command to verify the current SE Linux status.
SLX # show selinux status
SE Linux status: enabled
SE Linuxfs mount: /sys/fs/selinux
SE Linux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
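The following is an added example, not part of the SLXOS documentation: a Python script that parses captured show selinux status output and reports what an auditor should note, such as a permissive running mode or a running mode that differs from the config file. It assumes one "Field: value" pair per line; the function names and finding texts are hypothetical, and the sample is constructed from the output shown above.

```python
# Constructed sample: the output shown on this page, one field per line.
SAMPLE = """\
SLX # show selinux status
SE Linux status: enabled
SE Linuxfs mount: /sys/fs/selinux
SE Linux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
"""


def parse_status(text):
    """Split 'Field: value' lines into a dict; prompt and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def review_status(fields):
    """Return a list of findings (hypothetical wording) for one device."""
    status = fields.get("SE Linux status")
    mode = fields.get("Current mode")
    configured = fields.get("Mode from config file")
    if status != "enabled":
        # Disabled mode: no policy is applied and persistent objects are not labeled.
        return ["SE Linux is not enabled (status: %s)" % status]
    findings = []
    if mode is None:
        findings.append("Current mode is missing from the output")
    elif mode == "permissive":
        # Permissive mode: policy activity is logged, access is not denied.
        findings.append("Permissive mode: policy is logged but not enforced")
    if mode and configured and mode != configured:
        findings.append("Running mode '%s' differs from config file mode '%s'"
                        % (mode, configured))
    return findings


if __name__ == "__main__":
    for finding in review_status(parse_status(SAMPLE)):
        print(finding)
```
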