How Security-enhanced Linux (SELinux) works

Security-enhanced Linux (SELinux) has hooks at strategic points where the security is required within the core kernel code(Example: When a file is about to be read by a user). These hooks allow Security-enhanced Linux (SELinux) to request extended access control decisions. Access control decisions usually are made between a process (Example: cat) and an object (Example: a file, /etc/shadow) for a specific permission (read).

When a process (here cat command, which is a Subject), needs to access a file ( which is an object, /etc/shadow), the policy enforcement server in the Linux Kernel checks an Access Vector Cache (AVC), where subject and object permissions are cached. If there is no enough data in the Access Vector Cache (AVC), the request continues to the security server, which searches for the security context of the process and the file in a matrix. Permission is then granted or denied, with an avc: denied message detailed in “/var/log/messages” if permission is denied.

In Linux, DAC checks occur first and MAC based Security-enhanced Linux (SELinux) checks occur after DAC check.

There are three possible statuses for Security-enhanced Linux (SELinux): "enforcing", "permissive", and "disabled". As the name "disabled" SELinux and "enforcing" SELinux describes, "disabled" mode disables Security-enhanced Linux (SELinux) and "enforcing" mode enables Security-enhanced Linux (SELinux). The "permissive" means that any SELinux rules that are violated are logged; however, permissive SELinux doesn't stop anything.