Chapter 2.
SELinux Policy Overview
This chapter is an overview of SELinux policy, some of its internals, and how it works. This chapter
discusses policy in a general way, whereas Chapter 3, Targeted Policy Overview, focuses on the
details of the targeted policy as it ships in Red Hat Enterprise Linux. This chapter starts with a brief
overview of what policy is and where it resides. Next, the role of SELinux during boot is discussed.
This is followed by discussions on file security contexts, object classes and permissions, attributes,
types, access vectors, macros, users and roles, constraints, and a brief discussion summarizing special
kernel interfaces.
To see all of the details discussed in this chapter, you must make sure you have installed the policy
source and binary packages for the targeted policy:
  selinux-policy-targeted-sources-<version>
  selinux-policy-targeted-<version>
Important
When you have the policy sources installed, rpm may assume that you have modified the policy and
may not automatically load a newly installed policy. This occurs if you have ever loaded the policy
from source, that is, run make load, make reload, or make install. New binary policy packages
install policy.XY as, for example, $SELINUX_POLICY/policy.18.rpmnew.
If you have not modified the policy or want to use the binary policy package, you can run
mv policy.18.rpmnew policy.18, then touch /.autorelabel and reboot. If you have modified the
policy and want to load your modifications, you must upgrade the policy source package and run
make load. Policy building is discussed in Chapter 7, Compiling SELinux Policy.
If you have only built the policy but never loaded it, that is, have only run make policy, you should not
run into this situation. The binary policy installs cleanly, knowing that you are not running a custom
policy.
Work is ongoing to improve package installation logic so the entire process is automated by rpm.
Expect this to be included in a future update to Red Hat Enterprise Linux 4.
2.1. What Is Policy?
Policy is the set of rules that guide the SELinux security engine. It defines types for file objects and
domains for processes, uses roles to limit the domains that can be entered, and has user identities to
specify the roles that can be attained. A domain is what a type is called when it is applied to a process.
A type is a way of grouping together like items based on their fundamental security sameness. This
doesn't necessarily have to do with the unique purpose of an application or the content of a document.
For example, an object such as a file can have any type of content and be for any purpose, but if it
belongs to a user and lives in that user's home directory, it is considered to be of a specific security
type, user_home_t.
These object types gain their sameness because they are accessible in the same way by the same set of
subjects. Similarly, processes tend to be of the same type if they have the same permissions as other
subjects. In the targeted policy, programs that run in the unconfined_t domain have an executable
with a type such as sbin_t. From an SELinux perspective, that means they are all equivalent in terms
of what they can and cannot do on the system.
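To make the notion of "security sameness" concrete, the following added example (not code from this guide or from the Red Hat policy sources) parses a small constructed set of type-enforcement allow rules, written in the policy language's allow syntax, and groups object types by the set of subjects, object classes and permissions that can reach them. The rule set and the type names beyond those in this chapter (httpd_t, httpd_sys_content_t, bin_t) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of type-enforcement allow rules. The syntax is the
# policy language's, but these rules are NOT taken from the RHEL 4 policy.
SAMPLE_RULES = """
allow unconfined_t user_home_t:file { read write getattr };
allow unconfined_t sbin_t:file { read getattr execute };
allow unconfined_t bin_t:file { read getattr execute };
allow httpd_t httpd_sys_content_t:file { read getattr };
allow httpd_t user_home_t:file { read getattr };
allow httpd_t httpd_log_t:file append;
"""

# allow <source_type> <target_type>:<class> { perm ... } ;  or a single perm
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;"
)


def parse_allow_rules(text):
    """Yield (source_type, target_type, object_class, frozenset(perms)) per rule."""
    for m in ALLOW_RE.finditer(text):
        src, tgt, cls, multi, single = m.groups()
        perms = frozenset(multi.split()) if multi else frozenset([single])
        yield src, tgt, cls, perms


def accessors_by_type(rules):
    """Map each target type to the (source, class, perm) triples that may reach it.

    This is the access-vector view of an object type: which subjects can do
    what to objects of that type."""
    acc = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for perm in perms:
            acc[tgt].add((src, cls, perm))
    return dict(acc)


def equivalent_types(acc):
    """Group object types reachable by exactly the same subjects in the same way.

    Types in one group are interchangeable from the policy's point of view."""
    groups = defaultdict(list)
    for type_name, triples in acc.items():
        groups[frozenset(triples)].append(type_name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Running equivalent_types over the sample shows bin_t and sbin_t collapsing into one group, while user_home_t stays separate because a second subject (httpd_t) can also reach it.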