Wednesday, 24 July 2013

SELinux How-to Part 1: users, roles, types, levels and domains

Security-Enhanced Linux (SELinux) is a Linux security module that is built into the Linux kernel. It provides a combination of Role-Based Access Control (RBAC), Type Enforcement (TE) and, optionally, Multi-Level Security (MLS). SELinux decisions, such as allowing or disallowing access, are cached; this cache is known as the Access Vector Cache (AVC).
  • In traditional Linux/Unix DAC (discretionary access control), access is controlled based only on Linux user and group IDs:
$ ls -l file1
-rw-rw-r--. 1 user1 group1 0 May 11 10:46 file1
The first three permission bits, rw-, control the access the Linux user1 user (in this case, the owner) has to file1. The next three permission bits, rw-, control the access the Linux group1 group has to file1. The last three permission bits, r--, control the access everyone else has to file1, which includes all other users and processes.
  • In SELinux, the context can be consulted using the ls -Z command:
$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0).

SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first. 

Each Linux user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions placed on SELinux users. Run the semanage login -l command as the Linux root user to view a list of mappings between SELinux and Linux user accounts:

# /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

The last column, MLS/MCS Range, is the level used by Multi-Level Security (MLS) and Multi-Category Security (MCS).

# ROLES # Part of SELinux is the Role-Based Access Control (RBAC) security model. SELinux users are authorized for roles, and roles are authorized for domains.

# TYPES # The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files.  Processes are separated from each other by running in their own domains.
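The following is an added example, not code from the original post: a small Python model of the checks described above, run on the ls -Z line from the text. It parses the user:role:type:level context, applies the DAC bits first, consults a stand-in Access Vector Cache only when DAC allows, and validates that a process context is consistent with the user-to-role and role-to-domain authorizations of the Roles and Types sections. The file mode, contexts, authorizations and allow rules are constructed sample data, not a real policy.

```python
"""Added example (not from the original post): a small model of the checks
described above, on the `ls -Z` line and contexts shown in the text. The
file mode, contexts, role/type authorizations and allow rules are constructed
sample data, not a real policy."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Context:
    user: str   # SELinux user, e.g. unconfined_u
    role: str   # e.g. object_r for files, unconfined_r for a shell
    type: str   # domain for a process, type for a file
    level: str  # MLS/MCS level, e.g. s0

def parse_context(ctx: str) -> Context:
    """Split user:role:type:level; the level itself may contain ':' (s0:c0.c3)."""
    user, role, type_, level = ctx.split(":", 3)
    return Context(user, role, type_, level)

def parse_ls_z(line: str) -> Tuple[str, str, str, Context, str]:
    """One `ls -Z` line: mode owner group context name (the '.' after the mode marks a labelled file)."""
    mode, owner, group, ctx, name = line.split(None, 4)
    return mode.rstrip(".+"), owner, group, parse_context(ctx), name

def dac_allows(mode: str, owner: str, group: str, uid: str, groups: Set[str], perm: str) -> bool:
    """Classic DAC: choose the owner, group or other triplet, then test the r/w/x bit."""
    bits = mode[1:]                 # drop the file-type character
    if uid == owner:
        triplet = bits[0:3]
    elif group in groups:
        triplet = bits[3:6]
    else:
        triplet = bits[6:9]
    return perm in triplet

# Constructed RBAC authorizations: which roles a SELinux user may take, which types a role may enter.
USER_ROLES = {"unconfined_u": {"unconfined_r"}, "system_u": {"system_r"}}
ROLE_TYPES = {"unconfined_r": {"unconfined_t"}, "system_r": {"httpd_t"},
              "object_r": {"user_home_t", "httpd_sys_content_t"}}

def context_is_valid(ctx: Context) -> bool:
    """A context is valid only if its user is authorized for its role and the role for its type.
    object_r (the role of files and other objects) is available to every user."""
    roles = USER_ROLES.get(ctx.user, set()) | {"object_r"}
    return ctx.role in roles and ctx.type in ROLE_TYPES.get(ctx.role, set())

# Constructed TE allow rules as (source domain, target type, class, permission).
ALLOW_RULES = {
    ("unconfined_t", "user_home_t", "file", "read"),
    ("unconfined_t", "user_home_t", "file", "write"),
    ("httpd_t", "httpd_sys_content_t", "file", "read"),
}

class AVC:
    """Stand-in for the Access Vector Cache: each (source, target, class, perm) is decided once."""
    def __init__(self) -> None:
        self.cache: Dict[tuple, bool] = {}
        self.misses = 0

    def decide(self, key: tuple) -> bool:
        if key not in self.cache:
            self.misses += 1                 # only a miss consults the policy rules
            self.cache[key] = key in ALLOW_RULES
        return self.cache[key]

DAC_TO_TE = {"r": "read", "w": "write", "x": "execute"}

def check_access(avc: AVC, ls_z_line: str, uid: str, groups: Set[str],
                 process_ctx: str, perm: str) -> Tuple[bool, str]:
    """DAC is checked first; the TE lookup through the AVC runs only when DAC allows."""
    proc = parse_context(process_ctx)
    if not context_is_valid(proc):
        return False, "invalid process context (user/role/type not authorized)"
    mode, owner, group, file_ctx, _ = parse_ls_z(ls_z_line)
    if not dac_allows(mode, owner, group, uid, groups, perm):
        return False, "denied by DAC (SELinux rules not consulted)"
    if avc.decide((proc.type, file_ctx.type, "file", DAC_TO_TE[perm])):
        return True, "allowed by DAC and SELinux"
    return False, "allowed by DAC, denied by SELinux"
```

Calling check_access twice with the same process domain, file type and permission leaves avc.misses at 1, which is the point of the AVC: the policy is consulted on the first request and the cached vector answers later ones. A request that DAC refuses never reaches the AVC at all, matching the ordering stated above.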

# LEVELS # The level is an attribute of MLS and MCS. An MLS range is a pair of levels (for example, s0-s2). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity. If the category set is a contiguous series, it can be abbreviated. For example, c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file maps levels (s0:c0) to a human-readable form (e.g. CompanyConfidential). MCS in Fedora supports 1024 different categories: c0 through c1023. MLS enforces the Bell-LaPadula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments.
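As an added example (not from the original post), the Python below works through the level syntax just described and the semanage login -l mapping shown earlier: it parses levels such as s0, s0:c0.c3 and ranges such as s0-s0:c0.c1023, expands the c0.c3 shorthand to the full category set, checks Bell-LaPadula dominance (a level dominates another when its sensitivity is at least as high and its categories are a superset), and resolves which SELinux user and MLS/MCS range a Linux login receives, falling back to __default__. The semanage table and the setrans-style names are constructed sample data and not the contents of a real setrans.conf.

```python
"""Added example (not from the original post): parse MLS/MCS levels and ranges
(s0, s0:c0.c3, s0-s0:c0.c1023), expand the c0.c3 shorthand, test Bell-LaPadula
dominance, and resolve the SELinux user and range a login gets from a
`semanage login -l` table. The table and setrans-style names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

def _cat_num(tok: str) -> int:
    """'c7' -> 7, rejecting anything that is not c<digits>."""
    if tok[:1] != "c" or not tok[1:].isdigit():
        raise ValueError(f"bad category {tok!r}")
    return int(tok[1:])

def parse_categories(spec: str) -> FrozenSet[int]:
    """'c0,c1,c2,c3' and 'c0.c3' both yield {0,1,2,3}; mixed forms are accepted."""
    cats = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(".")     # 'c0.c3' -> ('c0', 'c3'); 'c5' -> ('c5', '')
        first = _cat_num(lo)
        last = _cat_num(hi) if hi else first
        if first > last:
            raise ValueError(f"bad category range {item!r}")
        cats.update(range(first, last + 1))
    return frozenset(cats)

@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        """Bell-LaPadula dominance: sensitivity >= and categories are a superset."""
        return self.sensitivity >= other.sensitivity and self.categories >= other.categories

def parse_level(text: str) -> Level:
    """Accept 'sN' or 'sN:category-set'."""
    sens, _, cats = text.partition(":")
    if sens[:1] != "s" or not sens[1:].isdigit():
        raise ValueError(f"bad sensitivity {sens!r}")
    return Level(int(sens[1:]), parse_categories(cats) if cats else frozenset())

def format_level(level: Level) -> str:
    """Render sensitivity[:category-set]; runs of three or more contiguous
    categories are abbreviated as cA.cB."""
    cats, parts, i = sorted(level.categories), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"c{cats[i]}.c{cats[j]}")
        else:
            parts.extend(f"c{c}" for c in cats[i:j + 1])
        i = j + 1
    return f"s{level.sensitivity}" + (":" + ",".join(parts) if parts else "")

def parse_range(text: str) -> Tuple[Level, Level]:
    """'low-high', or a single level meaning low == high; high must dominate low."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not hi.dominates(lo):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return lo, hi

def level_in_range(level: Level, rng: Tuple[Level, Level]) -> bool:
    """Usable within a range when it dominates the low end and is dominated by the high end."""
    lo, hi = rng
    return level.dominates(lo) and hi.dominates(level)

# Constructed stand-in for setrans.conf entries (not the real file's content).
SETRANS = {"s0": "SystemLow", "s0:c0.c1023": "SystemHigh", "s0:c2": "CompanyConfidential"}

def translate(level: Level) -> str:
    """Human-readable name when one is defined, otherwise the raw level."""
    raw = format_level(level)
    return SETRANS.get(raw, raw)

# Constructed sample of `semanage login -l` output, shaped like the listing above.
SEMANAGE_LOGIN_L = """\
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
"""

def parse_login_map(output: str) -> Dict[str, Tuple[str, Tuple[Level, Level]]]:
    """Map each login to (SELinux user, parsed MLS/MCS range); the header line is skipped."""
    mapping = {}
    for line in output.splitlines()[1:]:
        if line.strip():
            login, seuser, rng = line.split()
            mapping[login] = (seuser, parse_range(rng))
    return mapping

def resolve_login(mapping: Dict[str, Tuple[str, Tuple[Level, Level]]], login: str):
    """A login without its own entry inherits the __default__ mapping."""
    return mapping.get(login) or mapping["__default__"]
```

With the sample table, a login that has no explicit entry (say, an ordinary user account) resolves to unconfined_u with range s0-s0:c0.c1023, so any s0 level with any category subset is usable, while s1 is outside the range because the high end s0:c0.c1023 does not dominate it. The dominance rule also explains why s1:c0 is not within s0-s2: the top of that range carries no categories, so it cannot dominate a level that has one.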

To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy via the /etc/selinux/config file.
