Nov 7, 2017

SELinux requires a security context to be associated with every process (or subject) and every object. The security server uses these contexts to decide whether an access is allowed or denied, as defined by the policy.

Within SELinux, a security context is represented as a variable-length string that defines the SELinux user, their role, a type identifier and an optional MCS / MLS security range or level, as follows:

user:role:type[:range]

Where:

user - The SELinux user identity. This can be associated with one or more roles that the SELinux user is allowed to use.

role - The SELinux role. This can be associated with one or more types the SELinux user is allowed to access.

type - When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access. When a type is associated with an object, it defines what access permissions the SELinux user has to that object.

range - This field can also be known as a level and is only present if the policy supports MCS or MLS. The entry can consist of:
  • A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).
  • A range that consists of two security levels (a low and a high) separated by a hyphen (e.g. s0 - s15:c0.c1023).
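As an added example (not code from the original post), here is a small Python parser for the user:role:type[:range] format described above: it splits the four fields, expands category ranges such as c10.c15, and rejects a range whose high level does not dominate its low level. The Level and Context classes and the regular expressions are my own constructions, not part of any SELinux library.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")    # sN[:categories]
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")   # cN or a cN.cM range

@dataclass
class Level:
    sensitivity: int
    categories: List[int] = field(default_factory=list)

@dataclass
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level] = None   # None when the policy has no MCS/MLS range
    high: Optional[Level] = None

def parse_level(text: str) -> Level:
    """Parse one level, e.g. 's7:c10.c15' -> sensitivity 7, categories 10..15."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad security level: {text!r}")
    cats = set()
    for item in filter(None, (m.group(2) or "").split(",")):
        cm = _CAT_RE.match(item.strip())
        if not cm:
            raise ValueError(f"bad category: {item!r}")
        lo, hi = int(cm.group(1)), int(cm.group(2) or cm.group(1))
        if hi < lo:
            raise ValueError(f"inverted category range: {item!r}")
        cats.update(range(lo, hi + 1))  # "c10.c15" expands to c10..c15
    return Level(int(m.group(1)), sorted(cats))

def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range]; only the range field may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"context needs user:role:type: {ctx!r}")
    low = high = None
    if len(parts) == 4:
        lo_s, _, hi_s = parts[3].partition("-")
        low = parse_level(lo_s)
        high = parse_level(hi_s) if hi_s.strip() else low
        # A valid range requires the high level to dominate the low level.
        if high.sensitivity < low.sensitivity or not set(low.categories) <= set(high.categories):
            raise ValueError(f"high level does not dominate low: {parts[3]!r}")
    return Context(*parts[:3], low, high)
```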
