What is Security-enhanced Linux (SELinux), Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-based Access Control (RBAC)

Security-enhanced Linux (SELinux) developed by the US National Security Agency, is an implementation of a Mandatory Access Control in Linux. SELinux further enhances the security of a Linux computer.

SELinux provides a way to separate subjects and objects using a technology known as labeling, and monitors their interaction.

SELinux is intergrated in to the Linux kernel.

 Different types of access controls are explained below.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) allows authorized users to change the access control attributes of objects, thereby specifying whether other users have access to the object. A simple form of Discretionary Access Control (DAC) might be file passwords, where access to a file requires the knowledge of a password created by the file owner. In Linux, the file permission is the general form of Discretionary Access Control (DAC).

The DAC mechanisms have a basic weakness, and that is they fail to recognize a fundamental difference between human users and computer programs.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is another type of access control where the MAC mechanism constrains the ability of a subject (users or processes) to access or  perform some sort of operation on an object (files, directories, TCP/UDP ports etc). Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place.

Under Mandatory Access Control (MAC), the super user (root) controls all interactions of software on the system..


Role-based Access Control (RBAC)

Role-based Access Control (RBAC) is another method of controlling user access to file system objects. In Role-based Access Control (RBAC), the system administrator establishes Roles based on functional requirements or similar criteria. These Roles have different types and levels of access to objects.

In contrast to DAC or MAC systems, where users have access to objects based on their own and the object's permissions, users in an RBAC system must be members of the appropriate group, or Role, before they can interact with files, directories, devices, etc.

Note: You should be familiar with Linux file permissions to learn this lesson. Click the following link to learn Linux file permissions.

Related Tutorials
• Basic Linux Commands
• Linux file permissions
• Security-enhanced Linux (SELinux) Security Contexts
• How Security-enhanced Linux (SELinux) works
• Security-enhanced Linux (SELinux) configuration-file (/etc/selinux/conf)
• Security-enhanced Linux (SELinux) - Filesystem Relabeling
• Important Security-enhanced Linux (SELinux) commands