
SELinux is a flexible Mandatory Access Control (MAC) system for Linux. This differs from the standard Discretionary Access Control (DAC) system of Unix octal permissions and ACLs: in a DAC system the owner of a file is free to change its DAC permissions. In a MAC system, even owning a file is not sufficient for you to remove or alter its MAC labels.

SELinux Concepts

SELinux rules are based on type enforcement. This takes the label of the current process, the label of the target, and the label of the type of action, to determine if this should be allowed to proceed.

For example, if a process with the label `unconfined_t` attempted to perform the action of `write` to a file with a label of `user_home_t` this is allowed because this action is permitted in the set of rules for that triplet.

However, if a process with a label of `chronyd_t` attempted to `write` to a file with `user_home_t` this would be denied as the chronyd process should never need to write to a user home directory.

This is how a system like SELinux provides security boundaries to processes to limit what they can do.

An important concept in SELinux is a transition - the act of changing a running process's label from a source to a destination.

For example, when you launch a process from your shell, which runs as unconfined_t, no transition occurs and the new process inherits that type. If something like a webserver were compromised by an attacker, then any new processes started from the webserver context httpd_t would also remain in httpd_t. This is how SELinux confines what a compromised process can achieve: by preventing the process from changing its own context.

However, there are cases where we don't want to remain in the context of the source process. We need to change our context. This requires a transition. Given a running process with source type S, and a binary with type B, if a transition rule exists for S + B then the process will be created in a target context T.

For example, systemd runs as init_t, and when it starts the webserver service from its binary, which is labeled httpd_exec_t, a transition rule exists for init_t + httpd_exec_t and the resulting process runs in the target context httpd_t. These transitions are critical to how an SELinux enforcing system operates.
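A small worked model of the type-enforcement and transition rules described above (an added example, not code from the original page): it parses a few constructed allow and type_transition rules written in SELinux policy syntax and evaluates the page's cases. It simplifies real policy by ignoring the process:transition and file:entrypoint permissions a real domain transition also requires.

```python
import re

# Constructed policy fragment modelling the page's examples (not a real distro policy).
POLICY = """
allow unconfined_t user_home_t:file { read write open getattr };
allow unconfined_t bin_t:file { read execute };
allow chronyd_t user_home_t:file read;
allow init_t httpd_exec_t:file { read execute };
type_transition init_t httpd_exec_t:process httpd_t;
"""

# allow <source> <target>:<class> { perm ... };   or   allow <source> <target>:<class> perm;
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
# type_transition <source> <target>:<class> <new_type>;
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;")


def parse_policy(text):
    """Return (allows, transitions): allows maps (src, tgt, cls) -> set of perms,
    transitions maps (src, tgt, cls) -> new type."""
    allows, transitions = {}, {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        allows.setdefault((src, tgt, cls), set()).update(perms.strip("{}").split())
    for src, tgt, cls, new in TRANS_RE.findall(text):
        transitions[(src, tgt, cls)] = new
    return allows, transitions


def is_allowed(allows, source, target, cls, perm):
    """Type-enforcement decision for the (source, target, action) triplet: default deny
    unless an allow rule grants this permission."""
    return perm in allows.get((source, target, cls), set())


def exec_context(allows, transitions, source, binary_type):
    """Context a process runs in after a process of type `source` execs a binary labeled
    `binary_type`. None if execute is denied; the type_transition target if a rule
    exists for source + binary; otherwise the new process inherits `source`."""
    if not is_allowed(allows, source, binary_type, "file", "execute"):
        return None
    return transitions.get((source, binary_type, "process"), source)


if __name__ == "__main__":
    allows, transitions = parse_policy(POLICY)
    print(is_allowed(allows, "unconfined_t", "user_home_t", "file", "write"))   # True
    print(is_allowed(allows, "chronyd_t", "user_home_t", "file", "write"))      # False
    print(exec_context(allows, transitions, "init_t", "httpd_exec_t"))          # httpd_t
    print(exec_context(allows, transitions, "unconfined_t", "bin_t"))           # unconfined_t
```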