Portal:SELinux/Concepts


SELinux is a flexible Mandatory Access Control (MAC) system for Linux. This differs from the standard Discretionary Access Control (DAC) system of UNIX octal permissions and ACLs, where the owner of a file is free to change its DAC permissions. In a MAC system, even owning a file is not sufficient for you to remove or alter its MAC labels.

SELinux Concepts

SELinux rules are based on type enforcement. This takes the label of the current process, the label of the target resource, and the class of the target together with the action (permission) being requested, to determine whether the current operation should be allowed to proceed.

For example, if a process with the label `unconfined_t` attempted to perform the action `write` on a file with the label `user_home_t`, this is allowed because the action is permitted in the set of rules for that triplet.

However, if a process with the label `chronyd_t` attempted to `write` to a file with the label `user_home_t`, this would be denied, as the chronyd process should never need to write to a user home directory.

This is how a system like SELinux provides security boundaries to processes to limit what they can do.

An important concept in SELinux is a transition - the act of changing a running process's label from a source to a destination.

For example, when you launch a process from your shell and the shell runs as `unconfined_t`, no transition occurs and the new process inherits this type. If something like a webserver were compromised by an attacker, then any new processes spawned from the webserver context `httpd_t` would also remain in `httpd_t`. This is how SELinux confines what a compromised process can achieve: by preventing the process from changing its own context.

However, there are cases where we don't want to remain in the context of the source process. We need to change our context. This requires a transition. Given a running process with source type S, and a binary with type B, if a transition rule exists for S + B then the process will be created in a target context T.

For example, systemd runs as `init_t` and when it starts the webserver service from its binary which is labeled as `httpd_exec_t`, then a transition rule exists between `init_t` + `httpd_exec_t` and the resulting process runs in the target context of `httpd_t`. These transitions are critical to how an SELinux enforcing system operates.
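The following Python program is an added illustration of both ideas above, the type-enforcement check (process label, target label, class and permission) and the exec transition (source type plus binary type gives a target type, otherwise the child inherits the parent's type). It is not openSUSE or SELinux project code: it parses a small, constructed policy fragment written in a subset of the `.te` policy syntax (`allow` and `type_transition` statements only) and answers access and transition queries against it. The type names and permissions in the fragment are the ones used on this page plus a hypothetical `bin_t` for a plain executable; the real reference policy is far larger.

```python
"""Toy evaluator for SELinux type-enforcement (TE) rules.

Added example, not SELinux or openSUSE reference code.  It parses a tiny
subset of the policy language (``allow`` and ``type_transition``) and
answers the two questions described on the page:

  * may a process of type S perform permission P on an object of type T
    and class C?  (an ``allow`` rule for that triplet must exist)
  * when a process of type S executes a file of type B, which type does
    the new process get?  (a ``type_transition`` rule, else it keeps S)
"""
import re
from dataclasses import dataclass, field

# Constructed policy fragment in .te syntax (assumption: a simplified
# stand-in for the real policy; bin_t is a hypothetical plain-binary type).
POLICY = """
# type enforcement: who may do what to which object class
allow unconfined_t user_home_t:file { read write open getattr };
allow chronyd_t chronyd_var_lib_t:file { read write open };
allow unconfined_t bin_t:file { read execute open };
allow httpd_t bin_t:file { read execute open };
allow init_t httpd_exec_t:file { read execute open };
allow init_t httpd_t:process transition;
# domain transition: init_t executing httpd_exec_t yields httpd_t
type_transition init_t httpd_exec_t:process httpd_t;
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$")
TRANS_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;$")


@dataclass
class Policy:
    # (source type, target type, class) -> set of permitted permissions
    allows: dict = field(default_factory=dict)
    # (source type, executable type, class) -> type of the new process
    transitions: dict = field(default_factory=dict)


def parse_policy(text: str) -> Policy:
    """Parse allow / type_transition statements; anything else is an error."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            perm_set = set(perms.strip("{} ").split())
            pol.allows.setdefault((src, tgt, cls), set()).update(perm_set)
            continue
        m = TRANS_RE.match(line)
        if m:
            src, exec_t, cls, new_t = m.groups()
            pol.transitions[(src, exec_t, cls)] = new_t
            continue
        raise ValueError(f"unsupported statement: {line}")
    return pol


def is_allowed(pol: Policy, source: str, target: str, cls: str, perm: str) -> bool:
    """Type enforcement is default-deny: no matching allow rule means denied."""
    return perm in pol.allows.get((source, target, cls), set())


def exec_transition(pol: Policy, source: str, exec_type: str) -> str:
    """Type of the new process when `source` executes a file of `exec_type`."""
    if not is_allowed(pol, source, exec_type, "file", "execute"):
        raise PermissionError(f"{source} may not execute {exec_type}")
    new_type = pol.transitions.get((source, exec_type, "process"))
    if new_type is None:
        return source  # no transition rule: the child inherits its parent's type
    # The change of domain itself must also be permitted by an allow rule.
    if not is_allowed(pol, source, new_type, "process", "transition"):
        raise PermissionError(f"{source} may not transition to {new_type}")
    return new_type


if __name__ == "__main__":
    p = parse_policy(POLICY)
    print("unconfined_t write user_home_t:",
          is_allowed(p, "unconfined_t", "user_home_t", "file", "write"))
    print("chronyd_t write user_home_t:",
          is_allowed(p, "chronyd_t", "user_home_t", "file", "write"))
    print("unconfined_t exec bin_t ->", exec_transition(p, "unconfined_t", "bin_t"))
    print("httpd_t exec bin_t ->", exec_transition(p, "httpd_t", "bin_t"))
    print("init_t exec httpd_exec_t ->", exec_transition(p, "init_t", "httpd_exec_t"))
```

Running it shows the page's cases: `unconfined_t` may write `user_home_t`, `chronyd_t` may not, a shell or compromised webserver stays in its own domain when it executes an ordinary binary, and only the `init_t` + `httpd_exec_t` pair produces `httpd_t`. On a real system the equivalent queries are answered from the loaded policy rather than from a text fragment like this one.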