Introduction

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).

This article will introduce some selinux internals as well as some useful examples.

Subjects
programs
Objects
files that accessed by programs
Policy
access control
  • targeted - Targeted processes are protected.
  • minimum - Modification of targeted policy. Only selected processes are protected.
  • mls - Multi Level Security protection.
Mode
Enforcing or Permissive or Disabled. Use setenforce to change mode and setenforce to verify it.
  • enforcing - SELinux security policy is enforced.
  • permissive - SELinux prints warnings instead of enforcing.
  • disabled - No SELinux policy is loaded.

View SELinux Status:

sestatus -v

SELinux Map

unix users(root,toor)
	|
	| 1:1
	v
SELinux Identities(unconfined_u, user_u)
	|
	| 1:N
	v
SELinux Roles(unconfined_r, sysadm_r, user_r)
	|
	| 1:1
	v
SELinux Domains(sysadm_t, user_t)

Process

user login
	|
	| assign default security context
	v
user
	|
	| inherited by
	v
process1, process2 ...

Policy

operations
	|
	| check against policy
	v
authorized|forbidden

Standard policies

  • targeted
  • strict

Security Context

  • user identity
  • role
  • domain
          role
domain1 <-------> domain2

       identity
role1 <---------> role2

Rights is associated with domains. domains is also a type.

dedicated domain:

sshd: sshd_exec_t -> sshd_t

DAC
Descretionary Access Control
MAC
Mandatory Access Control
MCS
Multi Category Security
LSM
Linux Security Module

References