SELinux Concepts
Latest revision as of 05:03, 27 December 2018
Context
Processes and files are associated with an SELinux context that contains the SELinux user, role, type, and optionally a level. When running SELinux, this information is used to make access control decisions.
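The context string has a fixed layout, user:role:type[:level], and the type field is the one most targeted-policy rules key on. The following shell script is an added example, not part of the wiki page: it splits a context into its four fields and handles the case where the level is absent and the case where the level is an MLS range containing further colons. The sample contexts are constructed so the script runs on a host without SELinux; on a real host the same strings come from `ls -Z`, `ps -Z` or `id -Z`.

```shell
#!/bin/sh
# Added example (not from the wiki page): split an SELinux context string
# "user:role:type[:level]" into its fields. The contexts below are constructed
# samples; real ones come from `ls -Z` (files), `ps -Z` (processes), `id -Z`.

# Print "user role type level" for a context; level is "-" when absent.
# The level may itself contain colons (an MLS range such as s0-s0:c0.c1023),
# so everything after the third colon is kept as the level.
parse_context() {
    ctx=$1
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    ctype=${rest%%:*}
    if [ "$ctype" = "$rest" ]; then
        level="-"            # no fourth field: context has no level
    else
        level=${rest#*:}     # keep the remainder, colons included
    fi
    echo "$user $role $ctype $level"
}

# Return only the type field, the part a targeted policy's rules key on.
context_type() {
    parse_context "$1" | cut -d' ' -f3
}

# Constructed sample contexts: a file object, then a process with an MLS range.
FILE_CTX="system_u:object_r:httpd_sys_content_t:s0"
PROC_CTX="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

parse_context "$FILE_CTX"
parse_context "$PROC_CTX"
context_type "$FILE_CTX"
```

The object role `object_r` on the file context and the process role on the second line show the type/domain split the next section describes: the same field is a type for a file and a domain for a process.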
Policy
The SELinux Policy is the set of rules that tells the SELinux security engine what to do. A policy defines types for file objects and domains for processes. It uses roles to limit the domains that can be entered, and has user identities to specify the roles that can be attained. Security policies can be modified at run time via SELinux booleans.
Type and Domain
Types and domains are equivalent, the difference being that types apply to objects while domains apply to processes.
The policy type (the value of SELINUXTYPE) can be one of the following:
- targeted - Targeted processes are protected.
- minimum - Modification of targeted policy. Only selected processes are protected.
- mls - Multi Level Security protection.
It is configured with SELINUXTYPE in /etc/selinux/config.
The actual type is reported by "sestatus":
# sestatus
SELinux status: enabled
...
Loaded policy name: targeted
...
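Because the configured type lives in /etc/selinux/config while sestatus reports what the kernel actually loaded, the two can disagree after an edit that has not yet been followed by a relabel and reboot. The script below is an added example, not from the wiki page: it reads SELINUXTYPE from a config file and the "Loaded policy name" from sestatus output and reports whether they match. Both inputs are constructed copies written to temporary files so the check runs on any host; on a real system the config is /etc/selinux/config and the status text is the output of sestatus.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that the policy type set in
# /etc/selinux/config matches the policy actually loaded, as shown by sestatus.
# The config and the sestatus output below are constructed samples.

# Extract SELINUXTYPE=... from a config file; commented lines are ignored
# because the pattern is anchored at the start of the line.
configured_type() {
    grep -E '^[[:space:]]*SELINUXTYPE=' "$1" | tail -n 1 | cut -d= -f2 | tr -d '[:space:]'
}

# Extract the "Loaded policy name:" value from saved sestatus output.
loaded_type() {
    awk -F': *' '/^Loaded policy name:/ { print $2 }' "$1"
}

# Print both values; exit 0 when they agree, 1 when they differ or are missing.
check_policy_type() {
    cfg=$(configured_type "$1")
    live=$(loaded_type "$2")
    echo "configured=$cfg loaded=$live"
    [ -n "$cfg" ] && [ "$cfg" = "$live" ]
}

# Constructed sample inputs (not read from the running system).
CFG=$(mktemp); STATUS=$(mktemp)
trap 'rm -f "$CFG" "$STATUS"' EXIT
cat > "$CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted
EOF
cat > "$STATUS" <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
EOF

check_policy_type "$CFG" "$STATUS"
# On a real host (bash): check_policy_type /etc/selinux/config <(sestatus)
```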
Module
The list of modules can be obtained with:
semodule -l
New modules can be installed with:
semodule -i <module-name>.pp
SELinux Policy Booleans
SELinux policy booleans are boolean values that enable or disable conditional rules. The booleans allow runtime modifications of the security policy without having to load a new policy.
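Since a boolean changes what the loaded policy permits without any module being reloaded, the live boolean values deserve the same review as the policy itself. The script below is an added example, not from the wiki page: it reads a saved `getsebool -a` dump and compares it against a baseline of expected values, printing each deviation. The dump is a constructed sample in the real `name --> on|off` format; the boolean names are real upstream booleans, but the baseline values are an assumed local policy decision, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit SELinux boolean state against
# a baseline. Input format is that of `getsebool -a` ("name --> on"); the dump
# and the baseline below are constructed samples.

# Print the state ("on"/"off") of one boolean from a getsebool -a dump.
bool_state() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3 }' "$2"
}

# Compare a baseline file ("name expected" per line) against the dump.
# Prints one DRIFT line per mismatch (or per boolean missing from the dump)
# and a final count.
audit_booleans() {
    n=0
    while read -r name expected; do
        [ -z "$name" ] && continue
        actual=$(bool_state "$name" "$2")
        if [ "$actual" != "$expected" ]; then
            echo "DRIFT: $name is ${actual:-unknown}, baseline says $expected"
            n=$((n + 1))
        fi
    done < "$1"
    echo "deviations: $n"
}

# Number of DRIFT lines the audit produced.
drift_count() {
    audit_booleans "$1" "$2" | awk '/^DRIFT:/ { c++ } END { print c + 0 }'
}

# Constructed getsebool -a output and an assumed baseline.
DUMP=$(mktemp); BASE=$(mktemp)
trap 'rm -f "$DUMP" "$BASE"' EXIT
cat > "$DUMP" <<'EOF'
allow_execstack --> off
httpd_can_network_connect --> on
httpd_enable_homedirs --> off
ftpd_anon_write --> off
EOF
cat > "$BASE" <<'EOF'
httpd_can_network_connect off
httpd_enable_homedirs off
allow_execstack off
samba_enable_home_dirs off
EOF

audit_booleans "$BASE" "$DUMP"
# On a real host: getsebool -a > /tmp/bools.txt && audit_booleans baseline.txt /tmp/bools.txt
```

In the sample, httpd_can_network_connect is reported as on while the baseline expects off, and samba_enable_home_dirs is absent from the dump, so the audit reports two deviations. A boolean that the policy does not define shows up as "unknown" rather than silently passing.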