3 Administering SELinux Security Context

Under SELinux, all file systems, files, directories, devices, and processes have an associated security context. For files, SELinux stores a context label in the extended attributes of the file system. The context carries further information about a system object: the SELinux user, their role, their type, and the security level. SELinux uses this context information to control access by processes, Linux users, and files. This chapter describes how to administer the SELinux security context.

You can specify the -Z option with certain commands (ls, ps, and id) to display the SELinux context, which uses the following syntax:

SELinux user:Role:Type:Level

SELinux user

An SELinux user account complements a regular Linux user account. SELinux maps every Linux user to an SELinux user identity that is used in the SELinux context for the processes in a user session.

Role

In the Role-Based Access Control (RBAC) security model, a role acts as an intermediary abstraction layer between SELinux process domains or file types and an SELinux user. Processes run in specific SELinux domains, and file system objects are assigned SELinux file types. SELinux users are authorized to perform specified roles, and roles are authorized for specified SELinux domains and file types. A user's role defines which process domains and file types the user can access, and hence which processes and files the user can access.

Type

A type defines an SELinux file type or an SELinux process domain. Processes are separated from each other by running in their own domains. This separation prevents processes from accessing files that other processes use, and prevents processes from accessing other processes. The SELinux policy rules define the access that process domains have to file types and to other process domains.

Level

A level is an attribute of Multi-Level Security (MLS) and Multi-Category Security (MCS). An MLS range is a pair of sensitivity levels, written as low_level-high_level. The range can be abbreviated as low_level if the levels are identical. For example, s0 is the same as s0-s0. Each level has an optional set of security categories to which it applies. If the set is contiguous, it can be abbreviated. For example, s0:c0.c3 is the same as s0:c0,c1,c2,c3.
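The following is an added example, not code from the guide or from the SELinux project: a small Python parser and normaliser for the four-field labels that ls -Z, ps -Z and id -Z print. It splits only on the first three colons (the level itself can contain a colon, as in s0:c0.c3), expands abbreviated ranges and category sets, and regenerates the canonical text, so you can check that s0 and s0-s0, or s0:c0.c3 and s0:c0,c1,c2,c3, denote the same thing. The sample ls -Z output and the process label are constructed, not captured from a real system, and the dominance check (high level must include the low level) and the run-collapsing rule in format_level are this example's own choices.

```python
# Added example (not from the original guide): parse, expand and
# canonicalise SELinux context labels of the form user:role:type:level.
import re
from dataclasses import dataclass

_SENS_RE = re.compile(r"s(\d+)")
_CAT_RE = re.compile(r"c(\d+)")


@dataclass(frozen=True)
class Level:
    sensitivity: int       # the N in sN
    categories: frozenset  # expanded category numbers (the N in cN)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level   # low end of the MLS/MCS range
    high: Level  # high end; equals low when the range was abbreviated


def _num(regex, token, what):
    m = regex.fullmatch(token)
    if not m:
        raise ValueError(f"bad {what}: {token!r}")
    return int(m.group(1))


def parse_level(text):
    """Parse 'sN' or 'sN:cA,cB.cD,...'; 'cB.cD' expands to every category B..D."""
    sens, _, cats = text.partition(":")
    categories = set()
    if cats:
        for item in cats.split(","):
            lo, dot, hi = item.partition(".")
            lo_n = _num(_CAT_RE, lo, "category")
            hi_n = _num(_CAT_RE, hi, "category") if dot else lo_n
            if hi_n < lo_n:
                raise ValueError(f"descending category range: {item!r}")
            categories.update(range(lo_n, hi_n + 1))
    return Level(_num(_SENS_RE, sens, "sensitivity"), frozenset(categories))


def parse_range(text):
    """Parse 'low-high', or the abbreviation 'low' which means 'low-low'."""
    low, dash, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if dash else lo
    # Assumption of this example: the high level must dominate the low level.
    if hi.sensitivity < lo.sensitivity or not lo.categories <= hi.categories:
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return lo, hi


def parse_context(label):
    """Split on the first three colons only; the level may itself contain ':'."""
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {label!r}")
    user, role, typ, rng = parts
    low, high = parse_range(rng)
    return Context(user, role, typ, low, high)


def format_level(level):
    """Canonical text; runs of three or more contiguous categories become cA.cB."""
    cats = sorted(level.categories)
    pieces, i = [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            pieces.append(f"c{cats[i]}.c{cats[j]}")
        else:
            pieces.extend(f"c{c}" for c in cats[i:j + 1])
        i = j + 1
    text = f"s{level.sensitivity}"
    return f"{text}:{','.join(pieces)}" if pieces else text


def format_context(ctx):
    """Rebuild the label, abbreviating the range to 'low' when low == high."""
    rng = format_level(ctx.low)
    if ctx.high != ctx.low:
        rng += "-" + format_level(ctx.high)
    return f"{ctx.user}:{ctx.role}:{ctx.type}:{rng}"


def parse_ls_z(output):
    """Parse constructed 'ls -Z' lines of the form '<context> <path>' into {path: Context}."""
    result = {}
    for line in output.splitlines():
        if line.strip():
            label, _, path = line.strip().partition(" ")
            result[path.strip()] = parse_context(label)
    return result


# Constructed sample of `ls -Z` output (not captured from a real system).
SAMPLE_LS_Z = """\
system_u:object_r:etc_t:s0 /etc/passwd
system_u:object_r:shadow_t:s0 /etc/shadow
unconfined_u:object_r:user_home_t:s0 /home/alice/notes.txt
"""

if __name__ == "__main__":
    for path, ctx in parse_ls_z(SAMPLE_LS_Z).items():
        print(f"{path}: user={ctx.user} role={ctx.role} type={ctx.type} "
              f"range={format_level(ctx.low)}-{format_level(ctx.high)}")
    # The two abbreviations described in the text denote the same values.
    print(parse_range("s0") == parse_range("s0-s0"))
    print(parse_level("s0:c0.c3") == parse_level("s0:c0,c1,c2,c3"))
```

Because the parser expands categories into a set, comparing two labels with == answers whether they grant the same MCS categories regardless of how they were abbreviated, which is the check you want when diffing file labels against a policy's expectations.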