Anatomy of a Simple SELinux Policy Domain
Let’s switch our view of the SELinux policy from wide-angle to close-up and examine a simple component of an SELinux policy, to better understand how an SELinux policy operates. Recall that the SELinux type enforcement mechanism is based on domains. At any given time, a running process is associated with a domain that determines its permissions. The SELinux policy statements that establish a domain are generally grouped as two files:
- FC file
The file context (FC) file, which has the filename extension
.fc, resides in the
file_contexts/programsubdirectory of the policy source directory. The file specifies the security contexts of directories and files associated with the domain.
- TE file
The type enforcement (TE) file, which has the filename extension
.te, resides in the
domains/programsubdirectory of the policy source directory. The file specifies the access vector rules and transitions associated with the domain.
An SELinux policy contains many files other than FC and TE files. However, most of the work you do with an SELinux policy will involve the FC and TE files. Because FC and TE files are central to SELinux, understanding the function of these files takes you a long way toward understanding SELinux policies. So in this section, we’ll overview the FC and TE files. The following chapters will explain more fully the FC and TE files as well as the other files that comprise an SELinux policy.
The FC and TE files that establish a domain generally ...