Access Decisions

The SELinux security server makes two basic kinds of decisions:

Access decisions

Access decisions determine whether a given subject is allowed to perform a given operation on a given object.

Transition decisions

Transition decisions, also called labeling decisions, determine the types assigned to newly created objects, particularly processes and files.

This section explains access decisions—the more frequently made and important of the two kinds of decisions—and the following section explains transition decisions.

Conceptually, each object class has an associated bitmap called an access vector, containing one bit for each action defined for the class. Figure 2-3 shows a simplified bitmap for the file class. An actual bitmap for the file class would include each of the more than one dozen actions defined for the file class, rather than merely the common actions shown in the figure.


Figure 2-3. A simplified access vector for the file class

As explained earlier in this chapter, the SELinux security server makes access decisions by considering the security context of the subject and object of the action, the security class of the object, and the action requested. When the security server has made the access decision, it returns an access vector that indicates the allowed actions. More precisely, if the security server finds one or more policy rules matching the request, it ...
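A small Python model of the decision just described, added here as an illustration and not taken from the book: it keeps one access vector bitmap for the file class, ORs every matching allow rule into the allowed vector, and denies anything not covered. It considers only the type field of each security context (type enforcement), uses a subset of the real file-class permissions with constructed bit positions, and the types and rules are hypothetical sample policy.

```python
# Toy model of the SELinux security server's access decision: one access
# vector bitmap per object class, allow rules OR-ed into it, default deny.
# Illustrative only; the real file class has more permissions than this.

# Subset of the real SELinux file-class permissions; bit positions are
# constructed for this example.
FILE_PERMS = ["ioctl", "read", "write", "create", "getattr", "setattr",
              "lock", "append", "unlink", "link", "rename", "execute", "open"]
FILE_BIT = {perm: 1 << i for i, perm in enumerate(FILE_PERMS)}

# Constructed sample rules in the shape `allow src_t tgt_t:file { perms };`.
# The types and rules are hypothetical, not taken from a real policy.
ALLOW_RULES = [
    ("httpd_t", "httpd_content_t", "file", {"read", "getattr", "open"}),
    ("httpd_t", "httpd_log_t", "file", {"append", "getattr", "open", "create"}),
    ("httpd_t", "httpd_content_t", "file", {"lock"}),  # second matching rule
]

def to_vector(perms):
    """Encode a set of permission names as an access vector bitmap."""
    vec = 0
    for p in perms:
        vec |= FILE_BIT[p]
    return vec

def from_vector(vec):
    """Decode an access vector bitmap back into permission names."""
    return {p for p, bit in FILE_BIT.items() if vec & bit}

def compute_av(source_type, target_type, tclass):
    """Allowed vector for (subject type, object type, class): every matching
    allow rule is OR-ed in; no matching rule leaves 0, i.e. all denied."""
    allowed = 0
    for src, tgt, cls, perms in ALLOW_RULES:
        if (src, tgt, cls) == (source_type, target_type, tclass):
            allowed |= to_vector(perms)
    return allowed

def check_access(source_type, target_type, tclass, requested):
    """Grant only if every requested bit is set in the allowed vector.
    Returns (decision, names of the denied permissions)."""
    allowed = compute_av(source_type, target_type, tclass)
    denied = to_vector(requested) & ~allowed
    return denied == 0, from_vector(denied)

if __name__ == "__main__":
    print(check_access("httpd_t", "httpd_content_t", "file", {"read", "open"}))
    print(check_access("httpd_t", "httpd_content_t", "file", {"read", "write"}))
```

The second call shows why a request for several actions fails as a whole when even one bit is missing from the returned vector, and which bit that was.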