From Fedora Project Wiki
Line 20: Line 20:
SELinux rules are not checked if DAC rules deny access.
SELinux rules are not checked if DAC rules deny access.


RBAC: Roles are associated with domain types, and domain types are associated with users. Roles do not restrict access between subjects and objects, but limit which users can exist and transition to which domains. SELinux users and roles are important when writing policies, but do not restrict access per se, and as such, are not discussed in detail in this guide.
RBAC: Roles are associated with domain types, and domain types are associated with users. When not taking domain transition into account, roles do not restrict access between subjects and objects, but limit which users can exist and transition to which domains. SELinux users and roles are important when writing policies, but do not restrict access per se, and as such, are not discussed in detail in this guide.


== Targeted Policy Overview ==
== Targeted Policy Overview ==

Revision as of 23:51, 10 August 2008

Content Specification (Draft-only)

SELinux Introduction

SELinux Basics

Someone suggested having a section, that detailed if you are not going to do anything else with SELinux, then at least do these 3-4 things...

Access Control

Describe the concepts of the following, using <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html> as a guide:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Multi-Level Security (MLS)
  • Mutli-Category Security (MCS)
  • Type Enforcement (TE)
  • Role Based Access Control (RBAC)

SELinux rules are not checked if DAC rules deny access.

RBAC: Roles are associated with domain types, and domain types are associated with users. When not taking domain transition into account, roles do not restrict access between subjects and objects, but limit which users can exist and transition to which domains. SELinux users and roles are important when writing policies, but do not restrict access per se, and as such, are not discussed in detail in this guide.

Targeted Policy Overview

  • Confined and unconfined processes. Explain unconfined.
  • Users and roles: user_u, user_r, system_r, and so on.

When using targeted policy, domains run as the system_r role. Type enforcement then separates each domain.

SELinux Contexts and Attributes

SELinux Contexts and Attributes

Subjects and Objects

Subjects and Objects