The SELinux policy describes the access permissions for all users, programs, processes, files, and devices they act upon. SELinux implements one of two different policies:
Targeted
: This default policy applies access controls to certain (targeted) processes.
MLS
: Multi-Level Security
Select the policy type from the SELinux GUI, or set the SELINUXTYPE directive in the /etc/selinux/config file. Example:
    # vim /etc/selinux/config
    SELINUXTYPE=targeted
With the targeted policy, targeted processes run in their own domain, called a confined domain. In a confined domain, the files that a targeted process can access are limited. If a confined process is compromised by an attacker, the attacker's access to resources and the damage they can do are also limited. SELinux denies access to resources outside the domain and logs the denial.
Only specific services are placed into these distinct security domains that are confined by the policy. For example, a user runs in a completely unconfined domain, while services that listen on a network for client requests, such as named, httpd, and sshd, run in specific, confined domains tailored to their operation. Processes that run as the Linux root user and perform tasks for users, such as the passwd application, are also confined.
Processes that are not targeted run in an unconfined domain. SELinux policy rules allow processes running in unconfined domains almost all access. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data. DAC rules still apply in an unconfined domain. The following are examples of unconfined domains:
initrc_t domain
: init programs run in this unconfined domain.
kernel_t domain
: Unconfined kernel processes run in this domain.
unconfined_t domain
: Linux users logged in to the system run in this domain.
Many domains that are protected by SELinux have man pages describing how to customize their policies. The configuration for each policy is installed in the /etc/selinux/[SELINUXTYPE] directories. The following example shows a partial listing of the /etc/selinux directory with both targeted and MLS policies installed:
    # ll -lrt /etc/selinux/
    total 16
    -rw-r--r--. 1 root root  546 Jan  1  2017 config
    drwxr-xr-x. 2 root root    6 Aug  4  2017 tmp
    -rw-r--r--. 1 root root 2321 Aug  4  2017 semanage.conf
    drwxr-xr-x. 7 root root 4096 Feb 19 19:20 targeted
    drwx------. 2 root root    6 Feb 19 19:20 final
    drwxr-xr-x. 7 root root 4096 Mar  5 16:39 mls
The targeted policy is installed by default, but the MLS policy is not. To use the MLS policy, install the selinux-policy-mls package:
    # yum install selinux-policy-mls