Let’s switch our view of the SELinux policy from wide-angle to close-up and examine a simple component of an SELinux policy, to better understand how an SELinux policy operates. Recall that the SELinux type enforcement mechanism is based on domains. At any given time, a running process is associated with a domain, and that domain determines the process’s permissions. The SELinux policy statements that establish a domain are generally grouped into two files:
The file context (FC) file, which has the filename extension .fc, resides in the file_contexts/program subdirectory of the policy source directory. It specifies the security contexts of the directories and files associated with the domain.

The type enforcement (TE) file, which has the filename extension .te, resides in the domains/program subdirectory of the policy source directory. It specifies the access vector rules and domain transitions associated with the domain.
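As an added illustration of how these two files divide the work (this is not policy text from the original book, and no such domain exists in the example policy), here is a minimal, hypothetical FC/TE pair for a daemon called mydaemon. The type names, the paths, and the attributes and existing types it relies on (domain, file_type, exec_type, initrc_t, var_run_t) are assumptions standing in for whatever the surrounding policy actually defines:

```selinux
# ---- file_contexts/program/mydaemon.fc (hypothetical) ----
# Each line: path regex, optional file-type flag, security context.
# "--" restricts the match to regular files; no flag matches any file type.
/usr/sbin/mydaemon          --  system_u:object_r:mydaemon_exec_t
/var/run/mydaemon(/.*)?         system_u:object_r:mydaemon_var_run_t

# ---- domains/program/mydaemon.te (hypothetical) ----
# Types: the domain itself, the label of its executable, and the label of
# the runtime files it owns. Attributes (domain, file_type, exec_type) are
# assumed to be declared elsewhere in the policy.
type mydaemon_t, domain;
type mydaemon_exec_t, file_type, exec_type;
type mydaemon_var_run_t, file_type;

# The domain may only be entered through its own executable.
allow mydaemon_t mydaemon_exec_t:file entrypoint;

# Domain transition: when the init script domain (assumed: initrc_t) executes
# a file labeled mydaemon_exec_t, the new process runs in mydaemon_t.
allow initrc_t mydaemon_exec_t:file { getattr read execute };
allow initrc_t mydaemon_t:process transition;
type_transition initrc_t mydaemon_exec_t:process mydaemon_t;

# Access vector rules: the daemon gets exactly the file access it needs for
# its PID directory and nothing more (least privilege).
allow mydaemon_t var_run_t:dir { search write add_name remove_name };
allow mydaemon_t mydaemon_var_run_t:dir { search write add_name remove_name getattr };
allow mydaemon_t mydaemon_var_run_t:file { create getattr setattr read write unlink };

# Files the daemon creates under the (assumed) var_run_t directory receive
# its own type automatically, so the FC file and the TE file agree on labels.
type_transition mydaemon_t var_run_t:file mydaemon_var_run_t;
```

The FC half only assigns labels; it grants nothing. The TE half grants every permission explicitly, so the two files have to agree on type names or the daemon will either fail to start (no entrypoint on the label actually applied) or run with no access to the files it created. In the example policy of that era many of these raw statements were bundled into m4 macros, so a real .te file looks shorter than this, but it expands to statements of exactly these kinds.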
An SELinux policy contains many files other than FC and TE files. However, most of the work you do with an SELinux policy will involve the FC and TE files. Because FC and TE files are central to SELinux, understanding what these files do takes you a long way toward understanding SELinux policies. So in this section, we’ll give an overview of the FC and TE files. The following chapters will explain the FC and TE files more fully, as well as the other files that make up an SELinux policy.
The FC and TE files that establish a domain generally ...