安全增强式Linux(SELinux, Security-Enhanced Linux)是一种强制访问控制(mandatory access control)的实现。它的作法是以最小权限原则(principle of least privilege)为基础,在Linux核心中使用Linux安全模块(Linux Security Modules)。它并非一个Linux发布版,而是一组可以套用在类Unix操作系统(如Linux、BSD等)的修改。SELinux 是 MAC (Mandatory Access Control,强制访问控制系统)的一个实现,已在Linux内核中存在了近十年,对于目前可用的Linux安全模块来说,SELinux功能最全面,测试最充分,是Linux内核的安全保镖。
SELinux is a security enhancement to Linux which allows users and administrators more control over access control.
Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.
SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication
SELinux in Ubuntu
SELinux can be enabled in Ubuntu by installing the "selinux" meta-package, which will make the needed changes to the system, and install the Tresys policies for Ubuntu:
sudo apt-get install selinux
After installation, you will be prompted to reboot the system to label and activate SELinux.