This chapter describes SELinux and provides guidance on administering SELinux in Oracle Linux.

Traditional Linux security is based on a Discretionary Access Control (DAC) policy. In the DAC model of system security, access to resources such as files and processes is based solely on user identity and ownership. If malware or broken software is present on the system, it can do anything with files and resources that the user that started the process has permission to do. If the user is root or the application is running with elevated privileges (setuid or setgid to root), the process has root-access control over the entire file system.

To address this problem, the National Security Agency created Security Enhanced Linux (SELinux) to provide a greater level of control over files, processes, users, and applications in the Linux OS. The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, which lets you define a security policy that configures granular permissions for all users, programs, processes, files, and devices. The kernel's access control decisions are based on how sensitive the resources are from a security perspective, and not solely on the authenticated user identity.

When security-relevant access occurs, such as when a process opens a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues. Otherwise, SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules, so it doesn't check SELinux policy rules if DAC rules have already denied access to a resource.