MAC under SELinux allows you to define a security policy that provides granular permissions for all users, programs, processes, files, and devices. Access control decisions are based on all the
security-relevant information available, and not just authenticated user identity. When security-relevant access takes place, such as when a process attempts to open a file, the operation is intercepted in the kernel by SELinux. If an SELinux policy rule allows the operation, it continues; otherwise, the operation is blocked and the process receives an error. The kernel checks and enforces MAC rules after it checks DAC rules. SELinux policy rules are not used if DAC rules deny access first.
This is how the process flow of SELinux happens,
- A SysCall (System Call) will be generated for a command being executed.
Check if SELinux is enabled or disabled:
- If SELinux is disabled, SysCall will be processed normally.
- If SELinux is enabled, all SysCalls will be processed through it.
- SELinux will log the SysCall in the /var/log/audit/audit.log file.
Check if SELinux mode is Enforcing or Permissive:
- If SELinux mode is set to Permissive, SysCall will be processed normally.
- If SELinux mode is set to Enforcing, call is not yet executed and SELinux proceeds to Security Policy Check.
Check SysCall again SELinux Security Policy
- If SysCall is allowed by policy, SysCall is processed.
- If SysCall is not allowed by policy, SysCall is terminated.
There are many different SELinux software packages; some of these are installed by default, and some are not. The following is a list of the SELinux packages that are installed by default:
- policycoreutils: Provides utilities such as load_policy, restorecon, secon, setfiles,
semodule, sestatus, and setsebool for operating and managing SELinux
- libselinux-python: Contains Python bindings for developing SELinux applications
- python3-libselinux: Contains Python bindings for developing SELinux applications
- selinux-policy: Provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy and is used as a basis for other policies, such as the SELinux targeted policy.
- libselinux: Provides an API for SELinux applications to get and set process and file security contexts and to obtain security policy decisions
- libselinux-utils: Provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool tools
The following is a list of the SELinux packages that are not installed by default:
- setroubleshoot-server: Translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed by using sealert
- mcstrans: Translates levels, such as s0-s0:c0.c1023, to an easier-to-read form, such as SystemLow-SystemHigh
- selinux-policy-targeted: Provides the targeted policy. For MLS policy, install selinux-policy-mls.
- policycoreutils-python-utils: Provides additional Python utilities for operating SELinux, such as audit2allow, audit2why, chcat, and semanage.
- policycoreutils-gui: Provides system-config-selinux, which is a graphical tool for managing SELinux
- setools-console: Provides the Tresys Technology SETools distribution, several tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management