Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).
This article introduces some SELinux internals along with some useful examples.
SELinux Related Concepts
- files that are accessed by programs
- access control
- targeted - Targeted processes are protected.
- minimum - Modification of targeted policy. Only selected processes are protected.
- mls - Multi Level Security protection.
- Enforcing or Permissive or Disabled. Use setenforce to change the mode at runtime (only between enforcing and permissive; the disabled state is set with SELINUX=disabled in /etc/selinux/config and takes effect at boot) and getenforce to verify it.
- enforcing - SELinux security policy is enforced.
- permissive - SELinux prints warnings instead of enforcing.
- disabled - No SELinux policy is loaded.
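The mode and policy type listed above are what /etc/selinux/config carries as SELINUX= and SELINUXTYPE=, and a common audit finding is a host whose running mode (what getenforce reports, typically after someone ran setenforce 0) no longer matches the configured one. The shell snippet below is an added example, not code from the original article: it parses a constructed copy of that config file, validates the mode value, and compares it with getenforce when the tool is present. The function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example: read the persistent SELinux mode and policy type from a file
# in /etc/selinux/config format and compare it with the live mode.

# Constructed sample config (same layout as /etc/selinux/config on
# RHEL/Fedora; not copied from a real host).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

# config_value FILE KEY: print the value of "KEY=value", ignoring comment
# lines, surrounding whitespace and trailing comments. The last assignment
# wins, which is how the boot-time reader treats duplicate keys.
config_value() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }                     # skip comment lines
        $1 ~ ("^[ \t]*" key "[ \t]*$") {        # KEY = value
            v = $2
            sub(/#.*/, "", v)                    # drop trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)       # trim whitespace
            val = v                              # last assignment wins
        }
        END { print val }' "$1"
}

# Normalized accessors for the two keys that matter.
persistent_mode() { config_value "$1" SELINUX     | tr 'A-Z' 'a-z'; }
policy_type()     { config_value "$1" SELINUXTYPE | tr 'A-Z' 'a-z'; }

# valid_mode MODE: succeed only for the three accepted SELINUX= values.
valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *)                             return 1 ;;
    esac
}

# live_mode: the running mode as reported by getenforce ("Enforcing",
# "Permissive" or "Disabled"), or "unknown" when the tool is not installed.
live_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# mode_drift FILE: fail when the configured mode is invalid or when the
# running mode differs from it (e.g. `setenforce 0` on an enforcing host).
mode_drift() {
    cfg=$(persistent_mode "$1")
    valid_mode "$cfg" || { echo "invalid SELINUX= value: '$cfg'"; return 1; }
    live=$(live_mode)
    [ "$live" = unknown ] && { echo "getenforce not available; configured: $cfg"; return 0; }
    if [ "$cfg" != "$live" ]; then
        echo "DRIFT: configured=$cfg running=$live"
        return 1
    fi
    echo "ok: configured=$cfg running=$live"
}

echo "persistent mode: $(persistent_mode "$SAMPLE_CONFIG")"
echo "policy type:     $(policy_type "$SAMPLE_CONFIG")"
mode_drift "$SAMPLE_CONFIG" || true
```

Run it against the real file with `mode_drift /etc/selinux/config`; a non-zero exit is the signal to investigate who changed the runtime mode and why.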
View SELinux Status:
  unix users (root, toor)
      |
      | N:1  (semanage login -l; many Linux users map to one SELinux user)
      v
  SELinux identities (unconfined_u, user_u)
      |
      | 1:N  (a SELinux user is authorized for one or more roles)
      v
  SELinux roles (unconfined_r, sysadm_r, user_r)
      |
      | 1:N  (a role is authorized to enter one or more domains)
      v
  SELinux domains (sysadm_t, user_t)
  user login
      |
      | assign default security context
      v
  user
      |
      | inherited by
      v
  process1, process2 ...

  operations
      |
      | check against policy
      v
  authorized | forbidden
- user identity
Rights are associated with domains. A domain is simply a type that is applied to a process rather than to a file.
sshd: sshd_exec_t (type of the executable file) -> sshd_t (domain the process runs in after exec, via a domain transition rule in the policy)
- Discretionary Access Control
- Mandatory Access Control
- Multi Category Security
- Linux Security Module
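The diagrams and the sshd line above describe the parts of a security context, user:role:type:level, and the domain transition that occurs when a process executes a file of type sshd_exec_t and ends up in the sshd_t domain; the level field is where Multi Category Security lives. The shell snippet below is an added example, not code from the original article: it takes contexts apart from constructed ls -Z and ps -eZ style lines (the sample lines, path and PID are made up for this example), shows that the file type and process domain differ, flags unconfined domains, and pulls the MCS category range out of the level. The function names are this example's own.

```shell
#!/bin/sh
# Added example: dissect SELinux security contexts (user:role:type:level)
# and relate an executable's file type to the domain its process runs in.

# Constructed sample output in the shape of `ls -Z` and `ps -eZ` on a
# targeted RHEL/Fedora system (not captured from a real host).
LS_Z='system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd'
PS_Z='system_u:system_r:sshd_t:s0-s0:c0.c1023 1234 ? 00:00:00 sshd'
USER_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# first_field LINE: the context is the first whitespace-separated field of
# `ls -Z` and `ps -Z` output.
first_field() { printf '%s\n' "$1" | awk '{print $1}'; }

# ctx_field CONTEXT FIELD: FIELD is user, role, type or level. The level may
# itself contain ':' (s0-s0:c0.c1023) and may be absent entirely on a policy
# without MLS/MCS, so only the first three colons are separators.
ctx_field() {
    ctx=$1
    cu=${ctx%%:*};  rest=${ctx#*:}
    cr=${rest%%:*}; rest=${rest#*:}
    ct=${rest%%:*}
    case $rest in
        *:*) cl=${rest#*:} ;;
        *)   cl= ;;
    esac
    case $2 in
        user)  echo "$cu" ;;
        role)  echo "$cr" ;;
        type)  echo "$ct" ;;
        level) echo "$cl" ;;
        *)     echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# mcs_categories LEVEL: print the category range of a level such as
# "s0-s0:c0.c1023" (gives "c0.c1023"), or "none" if no categories are set.
mcs_categories() {
    case $1 in
        *:*) echo "${1#*:}" ;;
        *)   echo none ;;
    esac
}

# exec_domain_transition FILE_CTX PROC_CTX: succeed when the process type
# (domain) differs from the executable's file type, i.e. the policy moved the
# process into a new domain at exec time (sshd_exec_t -> sshd_t).
exec_domain_transition() {
    ftype=$(ctx_field "$1" type)
    ptype=$(ctx_field "$2" type)
    [ "$ftype" != "$ptype" ]
}

# is_unconfined CONTEXT: succeed for processes in unconfined_t, which the
# targeted policy leaves essentially under DAC only.
is_unconfined() {
    case $(ctx_field "$1" type) in
        unconfined_t) return 0 ;;
        *)            return 1 ;;
    esac
}

FILE_CTX=$(first_field "$LS_Z")
PROC_CTX=$(first_field "$PS_Z")

for name in user role type level; do
    printf '%-6s file=%-14s process=%s\n' "$name" \
        "$(ctx_field "$FILE_CTX" "$name")" "$(ctx_field "$PROC_CTX" "$name")"
done
if exec_domain_transition "$FILE_CTX" "$PROC_CTX"; then
    echo "domain transition: $(ctx_field "$FILE_CTX" type) -> $(ctx_field "$PROC_CTX" type)"
fi
echo "sshd categories: $(mcs_categories "$(ctx_field "$PROC_CTX" level)")"
is_unconfined "$USER_CTX" && echo "login shell context is unconfined"
```

On a real host, feed the functions with `ls -Z /usr/sbin/sshd` and `ps -eZ | grep sshd`; a daemon whose process type equals its file type, or that shows up in unconfined_t, is not confined by the targeted policy and is worth a closer look.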