Once SELinux is configured it can be in three modes:
- Disabled: SELinux is not policing access
- Permissive: SELinux allows all access but logs every access it would have denied
- Enforcing: SELinux is actively policing access
The mode can be set on the kernel command line, in the SELinux configuration file, or at runtime with the setenforce command-line tool (getenforce reports the current mode).
The Linux kernel command-line accepts the following SELinux-related parameters:
- selinux=0 or selinux=1: This disables or enables SELinux, respectively
- enforcing=0 or enforcing=1: This boots into permissive mode (the kernel's default) or into enforcing mode
The root filesystem contains a configuration file in /etc/selinux/config with a SELINUX variable that controls the security mode:
- SELINUX=disabled
- SELINUX=permissive
- SELINUX=enforcing
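The three places the mode can be set interact, and the boot-time policy loader applies a fixed precedence: selinux=0 on the kernel command line disables SELinux outright, SELINUX=disabled in the configuration file disables it next (only on kernels that still support runtime disabling; newer kernels require selinux=0), an enforcing= parameter on the command line overrides the file's permissive/enforcing choice, and the file decides otherwise, with permissive as the fallback. The following script is an added example, not part of the original text; it takes the command line and the path of a configuration file as arguments, so it runs against constructed samples rather than /proc/cmdline and /etc/selinux/config.

```shell
#!/bin/sh
# Added example: resolve the SELinux mode a boot ends up in from a kernel
# command line and an /etc/selinux/config-style file. The precedence below
# (selinux=0 > SELINUX=disabled > enforcing= > SELINUX= > permissive) is the
# order the policy loader applies; paths are parameters so this runs offline.

# selinux_effective_mode CMDLINE CONFIG_FILE -> prints disabled|permissive|enforcing
selinux_effective_mode() {
    cmdline=$1
    config=$2
    cmd_mode=""

    # 1. Kernel command line: selinux=0 is final; remember any enforcing= value.
    for word in $cmdline; do
        case $word in
            selinux=0)   echo disabled; return 0 ;;
            enforcing=0) cmd_mode=permissive ;;
            enforcing=1) cmd_mode=enforcing ;;
        esac
    done

    # 2. Configuration file: last uncommented SELINUX= assignment counts.
    cfg_mode=""
    if [ -f "$config" ]; then
        cfg_mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$config" | tail -n 1)
    fi
    if [ "$cfg_mode" = disabled ]; then
        echo disabled; return 0     # runtime disable requested by the file
    fi

    # 3. enforcing= on the command line beats the file's permissive/enforcing.
    if [ -n "$cmd_mode" ]; then
        echo "$cmd_mode"; return 0
    fi
    case $cfg_mode in
        permissive|enforcing) echo "$cfg_mode"; return 0 ;;
    esac

    # 4. Nothing said otherwise: the kernel boots permissive.
    echo permissive
}

# Demo on a constructed config body (a sample, not the host's file).
sample=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$sample"
selinux_effective_mode 'root=/dev/vda1 quiet' "$sample"         # enforcing
selinux_effective_mode 'root=/dev/vda1 enforcing=0' "$sample"   # permissive
selinux_effective_mode 'selinux=0 enforcing=1' "$sample"        # disabled
rm -f "$sample"
```

Running it over the three sample command lines shows why a box that is "enforcing" in /etc/selinux/config can still come up permissive: a stray enforcing=0 left in the bootloader entry wins over the file.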
When enforcing, SELinux denies every access that no loaded rule explicitly allows, so rules must be created and loaded to permit specific actions. A set of rules is called an SELinux policy. SELinux policies are usually formed of thousands of rules, and writing them is challenging.
Every object carries a security context, stored in the inode's extended attributes, formed by:
- A user associated with a subject or object (root, user_u, or system_u).
- A role that defines a set of permissions granted to a user (object_r or system_r).
- A domain (for processes) or type (for objects): the label that decides which subjects and objects may interact with each other. Domains and types use the _t suffix.
On an SELinux-enabled system, ls -Z lists the contexts as <user>:<role>:<type>, for example:
-rw-r--r-- root root root:object_r:user_home_t file.txt
Allow rules have four elements:
- source-type
- target-type
- object-class
- permissions
For example, a process with domain type user_t is able to read, execute, and stat (getattr) a file object of type bin_t with the following rule:
allow user_t bin_t:file { read execute getattr };
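The two points above, that the type field of a context is what the rules match on and that anything without a matching allow rule is denied, can be seen in a tiny evaluator. The script below is an added example, not code from the original text or from the SELinux project: it parses allow rules of the form shown above from a constructed sample policy, extracts the type from a <user>:<role>:<type>[:<level>] context, and answers an access question with default deny. It understands only plain allow rules on concrete types (no attributes, wildcards or constraints), which is an assumption made to keep it short.

```shell
#!/bin/sh
# Added example: default-deny evaluation of SELinux allow rules.
# Only "allow SRC TGT:CLASS { perms };" and "allow SRC TGT:CLASS perm;" forms
# are handled (an assumption); the policy text is a constructed sample.

# write_sample_policy FILE: constructed rules, not a real distribution policy
write_sample_policy() {
    cat > "$1" <<'EOF'
# Constructed sample policy for the evaluator below.
allow user_t bin_t:file { read execute getattr };
allow user_t user_home_t:file { read write getattr };
allow user_t user_home_t:dir { search getattr };
allow user_t user_home_t:file open;
EOF
}

# context_type CONTEXT: third colon-separated field of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# policy_allows POLICY_FILE SOURCE_TYPE TARGET_TYPE CLASS PERMISSION
# Exit 0 if some allow rule grants it, 1 otherwise (no rule = denied).
policy_allows() {
    awk -v src="$2" -v tgt="$3" -v cls="$4" -v perm="$5" '
        { sub(/#.*/, ""); gsub(/[{}:;]/, " & ") }   # drop comments, split punctuation
        $1 == "allow" && $2 == src && $3 == tgt && $4 == ":" && $5 == cls {
            for (i = 6; i <= NF; i++)               # permissions follow the class
                if ($i == perm) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_access POLICY_FILE SUBJECT_CONTEXT OBJECT_CONTEXT CLASS PERMISSION
# Resolves both contexts to their type, as the kernel does, before matching.
check_access() {
    src=$(context_type "$2")
    tgt=$(context_type "$3")
    if policy_allows "$1" "$src" "$tgt" "$4" "$5"; then
        echo "allowed: $src -> $tgt:$4 $5"
        return 0
    fi
    echo "denied:  $src -> $tgt:$4 $5 (no matching allow rule)"
    return 1
}

# Demo: the "|| :" keeps the expected denial from aborting a set -e shell.
pol=$(mktemp)
write_sample_policy "$pol"
check_access "$pol" user_u:user_r:user_t:s0 root:object_r:bin_t file execute || :    # allowed
check_access "$pol" user_u:user_r:user_t:s0 root:object_r:user_home_t file execute || :  # denied
rm -f "$pol"
```

The second call is denied even though user_t may read and write user_home_t files, because execute is not in that rule's permission set; a real policy would need an additional rule, not a wider one.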
These policy files need to be compiled from source into a binary module format (using the checkmodule tool) and are loaded into the kernel from /etc/selinux early in the boot process. The first boot with SELinux enabled is a deployment boot that relabels the entire root filesystem according to the policy and then reboots. Policies can be managed with the semodule command-line tool.
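As a worked version of that pipeline, the script below is an added example (not from the original text): it writes a minimal type-enforcement module source containing the allow rule from above, compiles it with checkmodule, packages it with semodule_package into the .pp form that semodule installs, and returns exit status 2 instead of failing when those tools are not present on the machine running it. The module name example_bin_exec, the version 1.0 and the working directory are assumptions; the require block is needed because user_t and bin_t are declared by the base policy, not by this module.

```shell
#!/bin/sh
# Added example: build and (as root, on the target) install a policy module.
# Module name/version are placeholders; the tools are the real SELinux ones.

# write_te_module FILE: constructed sample module source in the .te language
write_te_module() {
    cat > "$1" <<'EOF'
# Constructed sample module: let user_t read, execute and stat bin_t files.
module example_bin_exec 1.0;

require {
    type user_t;
    type bin_t;
    class file { read execute getattr };
}

allow user_t bin_t:file { read execute getattr };
EOF
}

# build_module NAME DIR: DIR/NAME.te -> DIR/NAME.mod -> DIR/NAME.pp
# Exit 0 on success, 2 if the toolchain is missing, else checkmodule's/
# semodule_package's own failure status (e.g. a syntax error in the .te).
build_module() {
    name=$1
    dir=$2
    for tool in checkmodule semodule_package; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
    done
    # -M: build against an MLS/MCS-aware base (required on targeted systems),
    # -m: produce a non-base module.
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
}

# install_module PP: add the package to the module store and rebuild the
# kernel policy; needs root and an SELinux-enabled target, so not run here.
install_module() {
    semodule -i "$1"
}

# Demo in a scratch directory.
work=$(mktemp -d)
write_te_module "$work/example_bin_exec.te"
build_module example_bin_exec "$work" && echo "built $work/example_bin_exec.pp" || echo "build skipped or failed (status $?)"
# install_module "$work/example_bin_exec.pp"   # on the target, as root
rm -rf "$work"
```

After semodule -i the module is part of the policy that is rebuilt and loaded at boot, and semodule -l lists it alongside the distribution's modules.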