After spending a week in Washington learning the darkest secrets of SELinux, I can see why a lot of people “just turn it off”. This is terrible. SELinux can save your @$$ in the event that you get hit with a 0-day. Most admins don’t understand SELinux, other than that “it breaks stuff”, and just disable it. It’s understandable, since most people don’t work for the DoD or other agencies where Mandatory Access Controls are used. SELinux is not Discretionary Access Control Lists (DACLs) like in Windows, or UGO-style controls in Unix… or even POSIX ACLs. SELinux labels are much more powerful. Properly configured and running, SELinux can prevent root from doing everyday root things like cat’ing /etc/shadow. So imagine what SELinux can do if someone pops your webserver. Without SELinux, they would have the access privileges of the Apache user. But with SELinux, they can only access files and ports that the underlying httpd process is allowed to access.
So let’s try to pull the veil of mystery back on SELinux…