From Fedora Project Wiki


Revision as of 04:53, 20 August 2008 by Mdious (talk | contribs) (adding content from local builds)

Introduction

On Linux® operating systems, everything is represented as a file. For example, hard disk drives are represented as /dev/hdax and /dev/sdax files, and processes, such as Mozilla® Firefox® and the Apache HTTP Server, are represented as files in the proc file system (/proc/). Files are called objects, and processes (including users) are called subjects. Linux operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact and access objects. On systems using DAC, users control the permissions of objects (files and directories) that they own. They could, for example, make their home directories world-readable, giving subjects (users and processes) access to potentially sensitive information.

The following is an example of permissions used on a Linux operating system that does not run SELinux. Use the ls -l command to view object (file) permissions:

-rwxrw-r-- 1 user1 group1 0 Aug 18 10:08 file1

The first three permission bits, rwx, control the access the Linux user1 user (in this case, the owner) has to the file1 object. The next three permission bits, rw-, control the access the Linux group1 group has to the file1 object. The last three permission bits, r--, control the access everyone else has to the file1 object. This includes all subjects (users and processes). By default, when a new object (a file) is created, everyone has read permissions. If objects have read permissions, and their parent folder allows everyone read and execute permissions, all subjects (users and processes) have read access to these objects. This is not desirable.

Note: on Fedora 10, by default, home directories only allow read, write, and execute permissions to the owner. Other subjects, excluding the Linux user root, do not have access. Also, the permissions in these examples may differ from your system. These examples purposely change the permissions to differentiate between the permissions of the owner, group, and everyone else.

Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel. Stepping beyond traditional UNIX® permissions, MAC systems add fine-grained controls for defining a user's access to objects, such as files and directories. On systems running SELinux, all objects, and therefore everything on the system, are labeled with an SELinux context. This context contains additional information that is used to make access control decisions, for example, whether a subject (a process) is allowed to open an object (a file).

The following is an example of the additional SELinux information used on Linux operating systems that use SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:

-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1

In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a category (s0). This information is used to make access control decisions. On DAC systems, only the Linux user and group ID are used to make access decisions. SELinux allow and deny rules are checked after DAC rules: if DAC rules deny access first, the SELinux allow and deny rules are not consulted at all.
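As an added example (not part of the Fedora guide), the following script parses the ls -Z line shown above into its DAC fields and four-part SELinux context, then models the decision order from the paragraph above: the DAC permission bits are checked first, and SELinux type rules are consulted only when DAC allows. The allow rules and the subject type names (unconfined_t, httpd_t) in POLICY are constructed for illustration and are not taken from any real policy.

```python
"""Parse an `ls -Z` line and model the DAC-then-SELinux decision order."""
from collections import namedtuple

Entry = namedtuple("Entry", "mode owner group context name")
Context = namedtuple("Context", "user role type level")

# Constructed sample: the ls -Z line quoted in the text above.
LS_Z_LINE = "-rwxrw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0      file1"

# Constructed allow rules: (subject type, object type, permission).
# Any (subject, object, permission) triple not listed here is denied.
POLICY = {
    ("unconfined_t", "user_home_t", "read"),
    ("unconfined_t", "user_home_t", "write"),
}

def parse_ls_z(line):
    """Split an `ls -Z` line into DAC fields and the SELinux context."""
    mode, owner, group, ctx, name = line.split(None, 4)
    if len(mode) != 10:
        raise ValueError("unexpected mode string: %r" % mode)
    # split(":", 3) keeps an MLS range such as s0-s0:c0.c1023 intact.
    return Entry(mode, owner, group, Context(*ctx.split(":", 3)), name)

def dac_bits(entry, user, groups):
    """Pick the rwx triplet that applies to this subject: owner, group or other."""
    if user == entry.owner:
        triplet = entry.mode[1:4]
    elif entry.group in groups:
        triplet = entry.mode[4:7]
    else:
        triplet = entry.mode[7:10]
    names = {"r": "read", "w": "write", "x": "execute"}
    return {names[c] for c in triplet if c in names}

def check_access(entry, user, groups, subject_type, perm, policy=POLICY):
    """Return (allowed, deciding_layer). DAC is evaluated first; SELinux
    rules are only looked at when DAC has already allowed the access."""
    if perm not in dac_bits(entry, user, groups):
        return False, "DAC"
    if (subject_type, entry.context.type, perm) in policy:
        return True, "SELinux"
    return False, "SELinux"

if __name__ == "__main__":
    e = parse_ls_z(LS_Z_LINE)
    print(e.context)
    print(check_access(e, "user1", {"group1"}, "unconfined_t", "write"))
    print(check_access(e, "user2", {"users"}, "unconfined_t", "write"))
    print(check_access(e, "user2", {"users"}, "httpd_t", "read"))
```

The second call is refused by DAC alone (everyone else only has r--), so the policy is never consulted; the third passes DAC (read is granted to everyone) and is then refused because no rule grants httpd_t read on user_home_t.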

Linux and SELinux users

On systems running SELinux, there are standard Linux users, as well as SELinux users. SELinux users are part of the SELinux context (the additional labels on subjects and objects), and are mapped to regular Linux users. To avoid confusion, this guide uses "Linux user" and "SELinux user" to differentiate between the two.