Chapter 44. Security and SELinux

Chapter 44. Security and SELinux

44.1. Access Control Mechanisms (ACMs)
44.1.1. Discretionary Access Control (DAC)
44.1.2. Access Control Lists (ACLs)
44.1.3. Mandatory Access Control (MAC)
44.1.4. Role-based Access Control (RBAC)
44.1.5. Multi-Level Security (MLS)
44.1.6. Multi-Category Security (MCS)
44.2. Introduction to SELinux
44.2.1. SELinux Overview
44.2.2. Files Related to SELinux
44.2.3. Additional Resources
44.3. Brief Background and History of SELinux
44.4. Multi-Category Security (MCS)
44.4.1. Introduction
44.4.2. Applications for Multi-Category Security
44.4.3. SELinux Security Contexts
44.5. Getting Started with Multi-Category Security (MCS)
44.5.1. Introduction
44.5.2. Comparing SELinux and Standard Linux User Identities
44.5.3. Configuring Categories
44.5.4. Assigning Categories to Users
44.5.5. Assigning Categories to Files
44.6. Multi-Level Security (MLS)
44.6.1. Why Multi-Level?
44.6.2. Security Levels, Objects and Subjects
44.6.3. MLS Policy
44.6.4. LSPP Certification
44.7. SELinux Policy Overview
44.7.1. What is the SELinux Policy?
44.7.2. Where is the Policy?
44.7.3. The Role of Policy in the Boot Process
44.7.4. Object Classes and Permissions
44.8. Targeted Policy Overview
44.8.1. What is the Targeted Policy?
44.8.2. Files and Directories of the Targeted Policy
44.8.3. Understanding the Users and Roles in the Targeted Policy

[19] The NSA is the cryptologic agency of the United States of America's Federal government, charged with information assurance and signals intelligence. You can read more about the NSA at their website,

[20] Flask grew out of a project that integrated the Distributed Trusted Operating System (DTOS ) into the Fluke research operating system. Flask was the name of the architecture and the implementation in the Fluke operating system.

[21] Any role could have been chosen for the targeted policy, but system_r already had existing authorization for the daemon domains, simplifying the process. This was done because no mechanism currently exists to alias roles.

[22] A user aliasing mechanism would also work here, to alias all identities from the strict policy to a single user identity in the targeted policy.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.