Anatomy of a Simple SELinux Policy Domain

Let’s switch our view of the SELinux policy from wide-angle to close-up and examine a simple component of an SELinux policy, to better understand how an SELinux policy operates. Recall that the SELinux type enforcement mechanism is based on domains. At any given time, a running process is associated with a domain that determines its permissions. The SELinux policy statements that establish a domain are generally grouped as two files:

FC file

The file context (FC) file, which has the filename extension .fc, resides in the file_contexts/program subdirectory of the policy source directory. The file specifies the security contexts of directories and files associated with the domain.

TE file

The type enforcement (TE) file, which has the filename extension .te, resides in the domains/program subdirectory of the policy source directory. The file specifies the access vector rules and transitions associated with the domain.

An SELinux policy contains many files other than FC and TE files. However, most of the work you do with an SELinux policy will involve the FC and TE files. Because FC and TE files are central to SELinux, understanding the function of these files takes you a long way toward understanding SELinux policies. So in this section, we’ll give an overview of the FC and TE files. The following chapters will explain the FC and TE files more fully, as well as the other files that comprise an SELinux policy.

The FC and TE files that establish a domain generally ...
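As an added illustration (not the book's own example), here is what such a pair of files might look like for a hypothetical daemon named mydaemon. The paths and mydaemon_* type names are invented; the attributes (domain, file_type, exec_type, logfile), the domain_auto_trans macro, and the initrc_t, etc_t and var_log_t types are assumed to be those of the example policy source tree.

```selinux
# --- file_contexts/program/mydaemon.fc ---------------------------------
# Each line: path regex, optional file-type flag (-- = regular file,
# -d = directory), then the security context (user:role:type).
# Paths and types below are hypothetical.
/usr/sbin/mydaemon          --   system_u:object_r:mydaemon_exec_t
/etc/mydaemon.conf          --   system_u:object_r:mydaemon_etc_t
/var/log/mydaemon(/.*)?          system_u:object_r:mydaemon_log_t

# --- domains/program/mydaemon.te ---------------------------------------
# Declare the process domain and the file types it works with.
type mydaemon_t, domain;
type mydaemon_exec_t, file_type, exec_type;
type mydaemon_etc_t, file_type;
type mydaemon_log_t, file_type, logfile;

# Only the system role may run processes in this domain.
role system_r types mydaemon_t;

# Domain transition: when a process in initrc_t executes a file labeled
# mydaemon_exec_t, the new process runs in mydaemon_t instead of
# inheriting initrc_t. (Assumed macro from the example policy's global
# macros; it expands to the allow and type_transition rules needed.)
domain_auto_trans(initrc_t, mydaemon_exec_t, mydaemon_t)

# Access vector rules: grant only what the daemon needs on its own files.
allow mydaemon_t etc_t:dir          { search getattr };
allow mydaemon_t mydaemon_etc_t:file { getattr read };
allow mydaemon_t var_log_t:dir      { search getattr };
allow mydaemon_t mydaemon_log_t:dir  { search getattr write add_name };
allow mydaemon_t mydaemon_log_t:file { create getattr write append };

# Nothing grants mydaemon_t access to var_log_t:file or other daemons'
# log types, so a compromised mydaemon cannot read or tamper with them.
# Rules for shared libraries, networking, etc. would normally be added
# via further example-policy macros and are omitted here.
```

Each denied access shows up as an avc: denied message in the audit log, which is how a policy writer discovers a missing rule rather than granting broad permissions up front.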
