SELinux by Bill McCarty

Security Contexts

The discussion in the preceding section might lead you to believe that SELinux makes security decisions based on the identity of individual subjects and objects. In principle, such a system could be made to work, but it would be unnecessarily unwieldy. Because processes related to a single program can generally be treated the same, it’s more convenient to make security decisions based on sets or classes of subjects and objects rather than on individual objects. For example, every instance of the SSH server should generally be given the same permissions, including read access to /etc/ssh/sshd_config. Similarly, all the files within a given directory often can be manipulated by the same subject. For example, the DHCP service should be permitted to manipulate any of the files in /var/state/dhcp. To simplify decision making, similar subjects can be grouped together, and similar objects can be grouped together.

SELinux associates information called security attributes with subjects and objects and bases its security decisions on the values of these attributes. Three security attributes are used:

User identity

The user identity indicates the SELinux user account associated with a subject or object. In the case of a subject, the user identity gives the SELinux user account under which the process is running. In the case of an object, the user identity gives the user account that owns the object.

Tip

In tracking user identities, SELinux does not use the list of user accounts maintained ...
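As an added example (not code from McCarty's book), the following Python parses security-context strings of the standard SELinux form user:role:type[:level], which carries the attributes described above, and groups a constructed set of `ls -Z`-style lines by type so that the "classes of objects" idea becomes visible; the paths, types and contexts in the sample are constructed, not taken from a real system.

```python
"""Parse SELinux security contexts and group objects by attribute.

Added example, not from the book. The context format user:role:type[:level]
(e.g. system_u:system_r:sshd_t:s0) is standard SELinux syntax; the
`ls -Z`-style sample lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityContext:
    user: str   # SELinux user identity, e.g. system_u (not a Linux login name)
    role: str   # role, e.g. system_r for processes, object_r for files
    type: str   # type (domain for processes), e.g. sshd_t or etc_t
    level: str  # MLS/MCS level, e.g. s0; empty when the policy has none

def parse_context(ctx: str) -> SecurityContext:
    """Split 'user:role:type[:level]'. The level itself may contain ':'
    (e.g. s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    user, role, type_, *rest = parts
    return SecurityContext(user, role, type_, rest[0] if rest else "")

# Constructed sample in the shape of `ls -Z` output: context, then path.
SAMPLE_LS_Z = """\
system_u:object_r:etc_t:s0 /etc/ssh/sshd_config
system_u:object_r:etc_t:s0 /etc/ssh/ssh_config
system_u:object_r:dhcpd_state_t:s0 /var/state/dhcp/dhcpd.leases
system_u:object_r:dhcpd_state_t:s0 /var/state/dhcp/dhcpd.leases~
unconfined_u:object_r:user_home_t:s0 /home/alice/notes.txt
"""

def group_by_type(ls_z_output: str) -> dict[str, list[str]]:
    """Group object paths by their type attribute, so that objects which a
    policy treats alike (all of sshd's config files, all of dhcpd's state
    files) fall into one class regardless of individual path."""
    groups: dict[str, list[str]] = defaultdict(list)
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        ctx, path = line.split(None, 1)
        groups[parse_context(ctx).type].append(path)
    return dict(groups)

if __name__ == "__main__":
    for type_, paths in group_by_type(SAMPLE_LS_Z).items():
        print(f"{type_}: {', '.join(paths)}")
```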