Security-enhanced Linux (SELinux) Security Contexts
In Security-enhanced Linux (SELinux), everything is an object and access to the object is controlled by security elements stored in the inode's extended attribute fields. These elements are called Security Contexts (Security-enhanced Linux (SELinux), stores security contexts in the file systems as an extended attribute of a file).
Security-enhanced Linux (SELinux), decide whether the access should be granted by refering the security context of the subject (Ex: a process) against the action attempted (Ex. a file read operation) and the security context of the object (such as a file or a socket).
A security context consists mainly of three elements: a user identity, role and type (also known as a domain), which are discussed below.
A user security context defines a Security-enhanced Linux (SELinux) user account associated with a subject or object. If the user who logged in to the system is “root” they will have the Security-enhanced Linux (SELinux) user value of “root”. Other users will have the Security-enhanced Linux (SELinux) user value of “user_u”. The processes that are running in a Security-enhanced Linux (SELinux) enabled Linux computer have a value of “system_u”.
A role defines a set of permissions granted to a user. Files have a role of “object_r”. Processes and users have a role of “system_r”.
Domains and types are almost similar. The term "domain" is used when referring to processes and the term "type" is used referring to objects. A domain is like a sandbox. It is a combination of subjects and objects that may interact with each other. Types are denoted by a "_t" suffix to distinguish them from user and roles. Types are used by Security-enhanced Linux (SELinux) to make authorization decisions.
If you've enabled SELinux, the "ls -Z" command displays the current contexts.
[root@localhost ~]# ls -lZ
-rw------- root root system_u:object_r:user_home_t anaconda-ks.cfg
drwx------ root root root:object_r:user_home_t Desktop
-rw-r--r-- root root root:object_r:user_home_t install.log
-rw-r--r-- root root root:object_r:user_home_t install.log.syslog
Note: The “-Z” option can be used with other Linux commands like ps, cp, id etc.
• [root@RHEL04 ~]# ps -auxZ
• [root@RHEL04 ~]# cp -Z root:object_r:httpd_sys_content_t ./index.html /webroot
• [root@RHEL04 public.html]# id -Z