The Geek Diary

Understanding SELinux Policies in Linux

By admin

An SELinux policy is the set of rules that decides which subjects (users, programs, processes) may perform which operations on which objects (files, directories, sockets, devices). Exactly one policy type is loaded at boot; the two covered here are:

  • Targeted: the default. Confines only a set of targeted processes, chiefly network-facing daemons and setuid helpers; everything else runs unconfined.
  • MLS: Multi-Level Security. Adds a sensitivity level and category field to every label and enforces it (no read up, no write down) on top of the type enforcement rules the targeted policy also uses; intended for systems that must separate data by classification.

Select the policy type from the SELinux GUI (system-config-selinux), or set the SELINUXTYPE directive in /etc/selinux/config. The new policy is loaded only at the next boot, and because each policy type ships its own file contexts the filesystem must be relabelled when you switch: create the /.autorelabel marker (touch /.autorelabel) before rebooting, and expect that boot to take a while. Example:

# vim /etc/selinux/config
SELINUXTYPE=targeted
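The script below, added here as an example and not part of the original article, performs that change safely on a file laid out like /etc/selinux/config: it reads the current SELINUXTYPE, refuses to switch to a type whose policy directory is not installed under /etc/selinux, rewrites the directive (or appends it if missing), and creates the /.autorelabel marker so the next boot relabels the filesystem. The root-directory argument is an assumption made for testability, so the functions can be run against a scratch tree; pass / on a real host.

```shell
#!/bin/sh
# Added example, not from the original article. Manage SELINUXTYPE in a file
# laid out like /etc/selinux/config and mark the filesystem for relabelling.
# ROOT is an assumption made for testability: the functions take a root
# directory so they can be exercised on a scratch tree; use "/" on a real host.

# Print the effective policy type from a config file. If the directive is
# absent, libselinux falls back to "targeted", so report that.
get_selinux_type() {
    cfg="$1"
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'targeted\n'; fi
}

# True if the policy directory for TYPE exists, i.e. selinux-policy-TYPE
# (targeted, mls, ...) is installed below ROOT/etc/selinux.
policy_installed() {
    [ -d "$1/etc/selinux/$2" ]
}

# Set SELINUXTYPE=TYPE in ROOT/etc/selinux/config and create ROOT/.autorelabel.
# Switching policy type changes the file contexts the policy expects, so a
# full relabel on the next boot is required. Refuse if TYPE is not installed,
# so the system is never pointed at a policy it cannot load.
set_selinux_type() {
    root="$1"; type="$2"
    cfg="$root/etc/selinux/config"
    case "$type" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid policy type: '$type'" >&2; return 2 ;;
    esac
    if ! policy_installed "$root" "$type"; then
        echo "policy '$type' not installed under $root/etc/selinux" \
             "(yum install selinux-policy-$type)" >&2
        return 1
    fi
    tmp="$cfg.tmp.$$"
    awk -v t="$type" '
        /^[[:space:]]*SELINUXTYPE=/ { print "SELINUXTYPE=" t; seen = 1; next }
        { print }
        END { if (!seen) print "SELINUXTYPE=" t }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg" || return 1
    : > "$root/.autorelabel"
}

# Demonstration on a scratch tree (constructed data; nothing touches the host).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/selinux/targeted" "$demo_root/etc/selinux/mls"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_root/etc/selinux/config"
echo "before: $(get_selinux_type "$demo_root/etc/selinux/config")"
set_selinux_type "$demo_root" mls
echo "after:  $(get_selinux_type "$demo_root/etc/selinux/config")"
[ -e "$demo_root/.autorelabel" ] && echo "relabel marker created"
rm -rf "$demo_root"
```

The type argument is validated against a plain-token character class before it reaches awk or the filesystem path, and the config file is rewritten through a temporary file and mv so a crash mid-write cannot leave a truncated /etc/selinux/config, which would otherwise silently fall back to the targeted policy on the next boot.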

With the targeted policy, each targeted process runs in its own domain (for example httpd_t), called a confined domain, and the policy lists exactly which files, ports and other objects that domain may touch. If a confined process is compromised, the attacker inherits only the accesses the domain is allowed, so the damage they can do is limited: SELinux denies everything else and records each denial as an AVC message in /var/log/audit/audit.log (or in /var/log/messages when auditd is not running).

Only specific services are placed into confined domains. By default an interactive user runs in the unconfined domain (unconfined_t), while services that accept network connections, such as named, httpd, and sshd, run in domains tailored to each of them (named_t, httpd_t, sshd_t). Processes that run as the Linux root user and act on behalf of ordinary users, such as the passwd program (passwd_t), are also confined.

Processes that are not targeted run in an unconfined domain. The policy grants processes in unconfined domains almost all access, so if such a process is compromised SELinux does nothing to stop the attacker from reaching system resources and data; only the ordinary DAC rules (file owner, group and mode bits, capabilities) still apply. The following are examples of unconfined domains:

  • initrc_t domain: init programs run in this unconfined domain.
  • kernel_t domain: Unconfined kernel processes run in this domain.
  • unconfined_t domain: Linux users logged in to the system run in this domain.
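To see which processes on a host are actually confined, classify each line of `ps -eZ` by the type field of its label (the third colon-separated field of user:role:type:level). The script below is an added example, not part of the original article; it runs on a constructed `ps -eZ` sample so it works anywhere, and on a live system you would feed it `ps -eZ` directly. The list of unconfined domains is the three named above; the authoritative list for the loaded policy comes from `seinfo -a unconfined_domain_type -x` (setools package).

```shell
#!/bin/sh
# Added example, not from the original article: classify processes as
# confined or unconfined from `ps -eZ` output, using the label's type field.

# Unconfined domains named in the article. The authoritative list for the
# loaded policy is `seinfo -a unconfined_domain_type -x` (setools package).
UNCONFINED_DOMAINS="initrc_t kernel_t unconfined_t"

# The type (domain) is the third colon-separated field of a context:
#   user:role:type[:level]   e.g. system_u:system_r:httpd_t:s0
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 if DOMAIN is one of UNCONFINED_DOMAINS.
is_unconfined() {
    case " $UNCONFINED_DOMAINS " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read `ps -eZ` output on stdin; print "PID CMD DOMAIN confined|unconfined".
classify_ps() {
    awk -v list=" $UNCONFINED_DOMAINS " '
        NR == 1 && $1 == "LABEL" { next }          # skip the header line
        {
            split($1, ctx, ":"); d = ctx[3]
            state = index(list, " " d " ") ? "unconfined" : "confined"
            printf "%s %s %s %s\n", $2, $NF, d, state
        }'
}

# Number of unconfined processes in `ps -eZ` output read from stdin.
count_unconfined() {
    classify_ps | awk '$4 == "unconfined"' | wc -l | tr -d ' '
}

# Constructed sample in `ps -eZ` format (not captured from a real host).
SAMPLE_PS='LABEL                                         PID TTY      TIME     CMD
system_u:system_r:kernel_t:s0                     2 ?        00:00:00 kthreadd
system_u:system_r:sshd_t:s0-s0:c0.c1023        1123 ?        00:00:00 sshd
system_u:system_r:httpd_t:s0                   1456 ?        00:00:00 httpd
system_u:system_r:named_t:s0                   1480 ?        00:00:00 named
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 bash
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023     2260 pts/0 00:00:00 passwd
system_u:system_r:initrc_t:s0                  2301 ?        00:00:00 backup.sh'

printf '%s\n' "$SAMPLE_PS" | classify_ps
printf 'unconfined: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | count_unconfined)"
```

On a real host run `ps -eZ | classify_ps | grep ' unconfined$'` to list every process an attacker could take over without SELinux standing in the way; a daemon listening on the network that shows up there (for example a third-party service started from an init script and therefore still in initrc_t) is a gap in the targeted policy worth closing with a custom domain.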

Many confined domains have a man page (httpd_selinux(8), sshd_selinux(8) and so on, from the selinux-policy-doc package; list them with man -k _selinux) describing their booleans, file contexts and ports, which is where to look before writing custom policy. The compiled policy and its configuration live in /etc/selinux/[SELINUXTYPE], one directory per installed policy type. The following example shows a partial listing of /etc/selinux with both the targeted and MLS policies installed:

# ll -lrt /etc/selinux/
total 16
-rw-r--r--. 1 root root  546 Jan  1  2017 config
drwxr-xr-x. 2 root root    6 Aug  4  2017 tmp
-rw-r--r--. 1 root root 2321 Aug  4  2017 semanage.conf
drwxr-xr-x. 7 root root 4096 Feb 19 19:20 targeted
drwx------. 2 root root    6 Feb 19 19:20 final
drwxr-xr-x. 7 root root 4096 Mar  5 16:39 mls

The targeted policy is installed by default, but the MLS policy is not. To use the MLS policy, install the selinux-policy-mls package, then set SELINUXTYPE=mls, create /.autorelabel and reboot:

# yum install selinux-policy-mls

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2021 · The Geek Diary