SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mechanism for enforcing access control policy. It adopts the Mandatory Access Control (MAC) model and allows an administrator to enforce an administratively set security policy over all processes and files in the system. When SELinux is enabled, it gives the system the power to defend itself against tampering with or bypassing of application security. MAC makes it possible to enforce the rule of least privilege: it limits the privileges associated with executing processes, which in turn limits the damage that can result from the exploitation of a vulnerability in any application or system service.
SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it.
SELinux can be useful in enforcing confidentiality and integrity of data, and also in protecting processes from untrusted inputs.
Please note, however, that SELinux is not antivirus software, nor is it a replacement for passwords, firewalls, or other security systems. It is very important to use layered security, as SELinux is not an all-in-one security solution.
Use # getsebool -a to list all SELinux booleans (the protection variables that switch individual policy rules on or off).
Sample output:
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
[tunji@localhost ~]$ getsebool -a |grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
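The httpd booleans above are worth checking against a baseline rather than reading by eye. The script below is an added example (not from the original post): it parses getsebool-style "name --> state" output, reports every boolean that deviates from a desired baseline, and prints the setsebool -P line that would fix it. The sample output and the baseline are constructed here so it runs offline; on a real host feed it the output of getsebool -a.

```shell
#!/bin/sh
# Audit SELinux httpd booleans against a hardening baseline (added example).

# Constructed sample in the same "name --> state" format getsebool prints.
SAMPLE='httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off'

# Assumed baseline for a PHP site that only needs a network database connection
# (deliberately includes a boolean absent from SAMPLE to show the "missing" case).
BASELINE='httpd_anon_write off
httpd_builtin_scripting on
httpd_can_network_connect off
httpd_can_network_connect_db on
httpd_can_sendmail off
httpd_enable_homedirs off'

# audit_booleans OUTPUT BASELINE: print "name actual expected" for each deviation.
audit_booleans() {
    printf '%s\n' "$2" | while read -r name expected; do
        if [ -z "$name" ]; then continue; fi
        # field 1 is the name, field 2 is "-->", field 3 is the state
        actual=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$actual" ]; then actual=missing; fi
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$actual" "$expected"
        fi
    done
}

# deviation_count OUTPUT BASELINE: number of deviating booleans (0 = compliant).
deviation_count() {
    audit_booleans "$1" "$2" | wc -l | tr -d ' '
}

# remediation_commands OUTPUT BASELINE: persistent setsebool line per deviation;
# booleans missing from the host are skipped because setsebool would fail on them.
remediation_commands() {
    audit_booleans "$1" "$2" | while read -r name actual expected; do
        if [ "$actual" = missing ]; then continue; fi
        printf 'setsebool -P %s %s\n' "$name" "$expected"
    done
}

audit_booleans "$SAMPLE" "$BASELINE"
remediation_commands "$SAMPLE" "$BASELINE"
```

Without -P, setsebool changes are lost at reboot, so the generated commands use the persistent form.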
Mod_security for CentOS
ModSecurity is an open-source intrusion detection and prevention engine for web applications.
It can be installed with the command: # yum install mod_security
Then adjust the configuration files under /etc/httpd/modsecurity.d/ according to your application requirements.