Linux - SELinux Foundation

1. Concepts

*. identity: the SELinux user (e.g. system_u, user_u). It is separate from the Linux login name: the login is mapped to an SELinux identity once, and a later uid change (su) does not change it.

*. role (_r): attached to an identity. A role limits which domains that identity may enter (e.g. user_r, sysadm_r), so roles are how RBAC is layered on top of type enforcement.

*. domain (_t): attached to a process. Every process runs in exactly one domain; a domain is simply a type applied to a process.

*. type (_t): attached to objects, such as files, directories, sockets or devices.

identity -> role -> domain (process) -> type (object)

*. security context: user:role:domain/type. Policies with MLS/MCS support (the default targeted policy on current Fedora/RHEL) append a fourth field, the level, e.g. s0 or s0-s0:c0.c1023.

Every identity, process and object has a security context.

user1:sysadmin_r:sysadmin_t: identity user1, in the role sysadmin_r, running a process in the domain sysadmin_t. For an object the role is object_r and the third field is a type, e.g. system_u:object_r:etc_t.

Access checks are ordered: the classic UNIX DAC check (owner/group/mode bits, capabilities) runs first, and only if it passes does the SELinux (MAC) check run. SELinux can only narrow access, never grant what DAC denies, and an access already refused by DAC never appears as an SELinux denial.

2. Run modes

*. Permissive: the policy is loaded but not enforced; every denial is only logged (AVC messages in the audit log, with permissive=1). Use it to test a policy before turning it on.

*. Enforcing: denials are enforced and logged.

*. Disabled: no policy is loaded and files are not labelled, so switching back to Enforcing later needs a full relabel.

getenforce shows the current mode; setenforce 0/1 switches between Permissive and Enforcing at runtime, and SELINUX= in /etc/selinux/config sets the mode at boot.

3. Commands

*. getfattr: get extended attributes. The context is stored on the file as the security.selinux xattr, so getfattr -n security.selinux FILE shows the raw label.

*. ls --context/-Z/--lcontext/--scontext: show an object's security context (ls -Z is the portable form).

*. ps ax --context (or ps -eZ): show each process's security context.

*. id: shows the current user's uid, gid and security context (id -Z prints only the context).

*. chcon: change a file's security context, e.g. chcon -t httpd_sys_content_t FILE. The change is not recorded in the file-context policy, so a relabel (restorecon) reverts it.

*. chsid: change security ID; a command from early SELinux releases, superseded by chcon.

*. newrole -r rolename: start a new shell in another role (and its default domain). The current identity must be allowed that role, and newrole re-authenticates the user.
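The following script is an added example, not part of the original notes. It ties sections 1 to 3 together: a small parser for the user:role:type[:level] context format from section 1, a reader for the AVC denial records that Permissive mode produces (section 2), and the section 3 commands run live only when the SELinux userspace is present. The AVC line is constructed for the example in the format auditd writes; its pid, paths and inode are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): SELinux context and AVC helpers.

# ctx_field CONTEXT FIELD -> one field (user, role, type or level) of a context.
# Old policies use "user:role:type"; current targeted/MLS policies append a
# level such as "s0" or "s0-s0:c0.c1023". The level may itself contain ':',
# so it is everything after the third colon rather than a fourth field.
ctx_field() {
    ctx=$1
    want=$2
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;            # fewer than three fields: not a context
    esac
    c_user=${ctx%%:*}; rest=${ctx#*:}
    c_role=${rest%%:*}; rest=${rest#*:}
    c_type=${rest%%:*}
    case $rest in
        *:*) c_level=${rest#*:} ;;
        *)   c_level= ;;
    esac
    case $want in
        user)  printf '%s\n' "$c_user" ;;
        role)  printf '%s\n' "$c_role" ;;
        type)  printf '%s\n' "$c_type" ;;
        level) printf '%s\n' "$c_level" ;;
        *)     return 1 ;;
    esac
}

# ctx_check CONTEXT -> 0 if the role ends in _r and the type in _t (the naming
# convention from the notes), 1 otherwise. Catches swapped or truncated labels.
ctx_check() {
    r=$(ctx_field "$1" role) || return 1
    t=$(ctx_field "$1" type) || return 1
    case $r in *_r) ;; *) return 1 ;; esac
    case $t in *_t) ;; *) return 1 ;; esac
    return 0
}

# avc_field LINE KEY -> value of KEY=... in an audit AVC record (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE -> the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_summary LINE -> "source_type -> target_type (class): perms [mode]".
# permissive=1 means the kernel logged the denial but let the access through
# (Permissive mode or a permissive domain); anything else means it was blocked.
avc_summary() {
    s=$(ctx_field "$(avc_field "$1" scontext)" type)
    t=$(ctx_field "$(avc_field "$1" tcontext)" type)
    cls=$(avc_field "$1" tclass)
    if [ "$(avc_field "$1" permissive)" = 1 ]; then mode=permissive; else mode=enforced; fi
    printf '%s -> %s (%s): %s [%s]\n' "$s" "$t" "$cls" "$(avc_perms "$1")" "$mode"
}

# Constructed AVC record (values made up) in the shape auditd writes to audit.log.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open }  for  pid=1234 comm="httpd" path="/home/alice/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# show_live: the section 3 commands on a live host. Returns 0 without doing
# anything when the SELinux tools are missing or SELinux is disabled.
show_live() {
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce 2>/dev/null)" = Disabled ]; then
        echo "SELinux not active here; skipping live checks" >&2
        return 0
    fi
    echo "mode: $(getenforce)"      # Enforcing or Permissive
    id -Z                           # context of this shell
    ps -eZ | head -n 5              # process contexts (ps ax --context also works)
    ls -Z /etc/passwd               # object context
    command -v getfattr >/dev/null 2>&1 && getfattr -n security.selinux /etc/passwd
    return 0
}

avc_summary "$SAMPLE_AVC"                               # httpd_t -> user_home_t (file): read open [permissive]
ctx_field "$(avc_field "$SAMPLE_AVC" scontext)" role    # system_r
show_live
```

The summary line is the one to read first when debugging a denial: source domain, target type, object class and the permission set. Because the sample carries permissive=1, the access actually succeeded; the same record with permissive=0 is an access that was blocked.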