
Chapter 44. Security and SELinux

44.1. Access Control Mechanisms (ACMs)
44.1.1. Discretionary Access Control (DAC)
44.1.2. Access Control Lists (ACLs)
44.1.3. Mandatory Access Control (MAC)
44.1.4. Role-based Access Control (RBAC)
44.1.5. Multi-Level Security (MLS)
44.1.6. Multi-Category Security (MCS)
44.2. Introduction to SELinux
44.2.1. SELinux Overview
44.2.2. Files Related to SELinux
44.2.3. Additional Resources
44.3. Brief Background and History of SELinux
44.4. Multi-Category Security (MCS)
44.4.1. Introduction
44.4.2. Applications for Multi-Category Security
44.4.3. SELinux Security Contexts
44.5. Getting Started with Multi-Category Security (MCS)
44.5.1. Introduction
44.5.2. Comparing SELinux and Standard Linux User Identities
44.5.3. Configuring Categories
44.5.4. Assigning Categories to Users
44.5.5. Assigning Categories to Files
44.6. Multi-Level Security (MLS)
44.6.1. Why Multi-Level?
44.6.2. Security Levels, Objects and Subjects
44.6.3. MLS Policy
44.6.4. LSPP Certification
44.7. SELinux Policy Overview
44.7.1. What is the SELinux Policy?
44.7.2. Where is the Policy?
44.7.3. The Role of Policy in the Boot Process
44.7.4. Object Classes and Permissions
44.8. Targeted Policy Overview
44.8.1. What is the Targeted Policy?
44.8.2. Files and Directories of the Targeted Policy
44.8.3. Understanding the Users and Roles in the Targeted Policy

44.1. Access Control Mechanisms (ACMs)

This section provides a basic introduction to Access Control Mechanisms (ACMs). ACMs provide a means for system administrators to control which users and processes can access different files, devices, interfaces, etc., in a computer system. This is a primary consideration when securing a computer system or network of any size.

44.1.1. Discretionary Access Control (DAC)

Discretionary Access Control (DAC) defines the basic access controls for objects in a filesystem. This is the typical access control provided by file permissions, sharing, etc. Such access is generally at the discretion of the owner of the object (file, directory, device, etc.).
DAC provides a means of restricting access to objects based on the identity of the users or groups (subjects) that try to access those objects. Depending on a subject's access permissions, they may also be able to pass permissions to other subjects.

44.1.2. Access Control Lists (ACLs)

Access Control Lists (ACLs) provide further control over which objects a subject can access. For more information, refer to Chapter 8, Access Control Lists.

44.1.3. Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a security mechanism that restricts the level of control that users (subjects) have over the objects that they create. Unlike in a DAC implementation, where users have full control over their own files, directories, etc., MAC adds additional labels, or categories, to all file system objects. Users and processes must have the appropriate access to these categories before they can interact with these objects.
In Red Hat Enterprise Linux, MAC is enforced by SELinux. For more information, refer to Section 44.2, “Introduction to SELinux”.

44.1.4. Role-based Access Control (RBAC)

Role-based Access Control (RBAC) is an alternative method of controlling user access to file system objects. Instead of access being controlled by user permissions, the system administrator establishes Roles based on business functional requirements or similar criteria. These Roles have different types and levels of access to objects.
In contrast to DAC or MAC systems, where users have access to objects based on their own and the object's permissions, users in an RBAC system must be members of the appropriate group, or Role, before they can interact with files, directories, devices, etc.
From an administrative point of view, this makes it easier to control who has access to various parts of the file system, just by controlling their group memberships.

44.1.5. Multi-Level Security (MLS)

Multi-Level Security (MLS) is a specific Mandatory Access Control (MAC) security scheme. Under this scheme, processes are called Subjects. Files, sockets and other passive operating system entities are called Objects. For more information, refer to Section 44.6, “Multi-Level Security (MLS)”.

44.1.6. Multi-Category Security (MCS)

Multi-Category Security (MCS) is an enhancement to SELinux, and allows users to label files with categories. MCS is an adaptation of MLS and re-uses much of the MLS framework in SELinux. For more information, refer to Section 44.4.1, “Introduction”.
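As an added illustration that is not part of this guide, the following toy model combines the two mechanisms described above: a DAC check on the ordinary owner/group/other permission bits, followed by an MCS check that requires the subject's categories to include every category on the object, which is why MAC can deny an owner access to a file DAC would let them read. The Subject and Object classes, the sample users and the level strings are constructed for the example; a real SELinux decision also involves types, roles and many more object classes than this models.

```python
from dataclasses import dataclass

def parse_categories(level: str) -> frozenset:
    # 's0:c1,c3.c5' -> {1, 3, 4, 5}; a bare 's0' has no categories (single level only)
    if ":" not in level:
        return frozenset()
    cats = set()
    for part in level.split(":", 1)[1].split(","):
        if "." in part:                      # 'c3.c5' means c3, c4 and c5
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)

@dataclass
class Subject:                  # a process acting on behalf of a user (constructed)
    uid: str
    groups: frozenset
    level: str                  # MCS level of the process, e.g. 's0:c1.c3'

@dataclass
class Object:                   # a file, with its DAC bits and MCS label (constructed)
    owner: str
    group: str
    mode: str                   # permission string as ls -l shows it, e.g. 'rw-r-----'
    level: str                  # MCS label on the file, e.g. 's0:c2'

def dac_allows(subj: Subject, obj: Object, want: str) -> bool:
    # Classic DAC: pick the owner, group or other triplet, then test the bit.
    if subj.uid == obj.owner:
        bits = obj.mode[0:3]
    elif obj.group in subj.groups:
        bits = obj.mode[3:6]
    else:
        bits = obj.mode[6:9]
    return want in bits

def mcs_allows(subj: Subject, obj: Object) -> bool:
    # MCS: the subject's categories must dominate (be a superset of) the object's.
    return parse_categories(obj.level) <= parse_categories(subj.level)

def access(subj: Subject, obj: Object, want: str) -> tuple:
    # DAC is checked first and MAC only afterwards, so MCS can only ever deny.
    if not dac_allows(subj, obj, want):
        return (False, "denied by DAC")
    if not mcs_allows(subj, obj):
        return (False, "denied by MCS")
    return (True, "allowed")
```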