SELinux Overview

SELinux implements MAC (Mandatory Access Control) through Type Enforcement (TE), Role-Based Access Control (RBAC), and Multi-Level Security (MLS).

SELinux defines the access and transition rights of every user, application, process, and file on the system.

The SELinux Decision Making Process

When a subject (for example, an application) attempts to access an object (for example, a file), the policy enforcement server in the kernel first checks the access vector cache (AVC), where subject and object permissions are cached. If a decision cannot be made from the data in the AVC, the request continues to the security server, which looks up the security contexts of the application and the file in a matrix. Permission is then granted or denied; if it is denied, an avc: denied message is written to /var/log/messages. The security contexts of subjects and objects come from the installed policy, which also provides the data that populates the security server's matrix.

Reference: http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
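As an added illustration of this decision path (example code written for this page, not taken from the Red Hat guide or from the SELinux sources): a small Python model in which a security server answers from a constructed set of TE allow rules, an AVC caches those answers so that a repeated check never reaches the policy again, and a denied request produces a line shaped like the kernel's avc: denied record. The rule set, the contexts, the parse_avc_denial helper and the sample audit line are all constructed for this example; only the message layout follows the real audit format.

```python
import re
from dataclasses import dataclass, field

# Constructed Type Enforcement (TE) allow rules, keyed by
# (source type, target type, object class) -> permitted operations.
# They imitate the shape of real SELinux policy but are not from any real policy.
POLICY_ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "getattr", "open"},
}


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


@dataclass
class SecurityServer:
    """Stand-in for the kernel security server: answers from the policy matrix."""
    allow: dict

    def lookup(self, scontext: str, tcontext: str, tclass: str) -> frozenset:
        key = (type_of(scontext), type_of(tcontext), tclass)
        return frozenset(self.allow.get(key, ()))


@dataclass
class AVC:
    """Stand-in for the access vector cache that sits in front of the security server."""
    server: SecurityServer
    cache: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0
    denials: list = field(default_factory=list)

    def check(self, scontext, tcontext, tclass, perm, pid=0, comm="?", name="?") -> bool:
        key = (scontext, tcontext, tclass)
        if key in self.cache:
            self.hits += 1      # decided from cached data, no policy lookup
        else:
            self.misses += 1    # cache miss: consult the security server once
            self.cache[key] = self.server.lookup(scontext, tcontext, tclass)
        granted = perm in self.cache[key]
        if not granted:
            # Same layout as the kernel's audit message; the values are constructed.
            self.denials.append(
                f'avc:  denied  {{ {perm} }} for  pid={pid} comm="{comm}" name="{name}" '
                f"scontext={scontext} tcontext={tcontext} tclass={tclass} permissive=0"
            )
        return granted


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denial(line: str):
    """Pull the fields a responder triages out of an avc: denied line, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


# A constructed audit record in the format that lands in the audit log / /var/log/messages.
SAMPLE_DENIAL = (
    'type=AVC msg=audit(1700000000.123:45): avc:  denied  { write } for  pid=1234 '
    'comm="httpd" name="index.html" dev="sda1" ino=12345 '
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0"
)


def demo():
    """Two checks on the same (subject, object, class): the second is an AVC hit."""
    avc = AVC(SecurityServer(POLICY_ALLOW))
    web = "system_u:system_r:httpd_t:s0"
    page = "unconfined_u:object_r:httpd_sys_content_t:s0"
    read_ok = avc.check(web, page, "file", "read", pid=1234, comm="httpd", name="index.html")
    write_ok = avc.check(web, page, "file", "write", pid=1234, comm="httpd", name="index.html")
    return read_ok, write_ok, avc.hits, avc.misses, avc.denials


if __name__ == "__main__":
    read_ok, write_ok, hits, misses, denials = demo()
    print(f"read granted={read_ok} write granted={write_ok} avc hits={hits} misses={misses}")
    for line in denials:
        print(parse_avc_denial(line))
    print(parse_avc_denial(SAMPLE_DENIAL))
```

The cache key is the full (scontext, tcontext, tclass) triple rather than the individual permission, which is why the denied write is an AVC hit: the permission set for that pairing was already fetched by the earlier read. On a real host the parsed fields (scontext, tcontext, tclass and the permission set) are exactly what you feed to audit2why or sesearch to decide whether a denial is a mislabelled file or a genuine policy gap.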

Beyond SELinux: Enforcing Confidentiality and Integrity for Applications and Data — Star Lab Software

SELinux Explained with Examples in Easy Language (computernetworkingnotes.com)

SELinux/Tutorials/Creating your own policy module file – Gentoo Wiki

PowerPoint Presentation (aalto.fi)

1510.05497.pdf (arxiv.org)

isbn9789526081144.pdf (aalto.fi)

1608.02339.pdf (arxiv.org)
