On a system without Security-Enhanced Linux (SELinux) enabled,
discretionary access control (DAC) is used for file security. Basic file
permissions are used to grant file access to users. Users and programs alike
are allowed to grant insecure file permissions to others. For users, there is
no way for an administrator to prevent a user from granting world-readable and
world-writable permissions to their own files. For programs, the file operations are
performed as the owner of the process, which can be the root user, giving the
program access to any file on the system.
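
The DAC limitation described above, as an added example that is not part of the original text: the owner of a file can make it world-writable without any privilege, so an administrator can only audit for such files afterwards. The helper names and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example: under DAC the file owner decides the mode bits, so an
# administrator can only look for over-permissive files after the fact.

# audit_world_writable DIR (hypothetical helper name)
# Print regular files under DIR whose "other" write bit (octal 0002) is set.
audit_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# audit_world_readable DIR (hypothetical helper name)
# Print regular files under DIR whose "other" read bit (octal 0004) is set.
audit_world_readable() {
    find "$1" -xdev -type f -perm -0004 -print 2>/dev/null
}

# dac_demo: build constructed sample files in a throwaway directory, change
# their modes as an ordinary owner would, and run the audit over them.
dac_demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$demo_dir/private.txt"
    printf 'constructed sample\n' > "$demo_dir/shared.txt"
    chmod 600 "$demo_dir/private.txt"   # owner-only access
    chmod 666 "$demo_dir/shared.txt"    # allowed by DAC: no privilege needed
    echo "world-writable files:"
    audit_world_writable "$demo_dir" | while IFS= read -r f; do
        ls -ld "$f"
    done
    rm -rf "$demo_dir"
}

dac_demo
```

Pointing `audit_world_writable` at a home or application data directory gives a quick inventory of files that DAC alone leaves open to every local user.
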

SELinux is a mandatory access control (MAC) mechanism, implemented in
the kernel. Programs protected by SELinux are only allowed access to the parts of
the filesystem they require to function properly. If a program intentionally
or unintentionally tries to access or modify a file that is not necessary for it
to function, or a file that is not in a directory controlled by the program, file
access is denied and the action is logged. Exactly which files and directories
are protected, and to what extent, is defined by the SELinux policy. This section
gives instructions on how to enable the SELinux protection mechanism, describes
the SELinux policies available in Red Hat Enterprise Linux, tells you how to
read the SELinux permissions of a file, shows how the SELinux Troubleshooting
Tool alerts you to SELinux errors, and steps you through how to change the security
context of files.