This section serves as an overview of Security Enhanced Linux (SELinux). In the Working with file permissions section, we discussed how standard Linux protects the system. That method is called Discretionary Access Control (DAC), and it has some limitations. For example, a typical user can, either accidentally or on purpose, open up his own files for any other user to read or write, which could allow unauthorized access to sensitive information. To provide more security, SELinux adds Mandatory Access Control (MAC). MAC enforces a security policy that covers every process and file on the system, and every file under SELinux carries a label (its security context) holding the security-relevant information the policy uses.
For example, the following is a normal listing of a file under DAC:

    ls -la ifcfg-eth0
    -rw-r--r--. 1 root root 73 Apr 22 2011 ifcfg-eth0

The same file, but with the -Z (security context) option to ls:

    ls -Z ifcfg-eth0
    -rw-r--r--. root root unconfined_u:object_r:default_t:s0 ifcfg-eth0...
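The context column in that listing has a fixed shape, user:role:type:level (here unconfined_u, object_r, default_t and s0), and the trailing "." on the mode bits is how GNU ls marks a file that carries an SELinux context. The following shell script is an added example, not taken from the book, that pulls those fields out of a constructed ls -Z line so the structure can be inspected without an SELinux system at hand; the sample line and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original text): break an SELinux security
# context of the form user:role:type:level into its fields, working on
# constructed ls -Z output so the script runs on any POSIX shell.

# Constructed sample line, modelled on the ls -Z output shown above.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 ifcfg-eth0'

# context_from_ls_z LINE -> prints the context column of an ls -Z line.
# The context is the first whitespace-separated word with at least two
# colons (a clock time such as 13:05 in ls -la output has only one).
context_from_ls_z() {
    for word in $1; do
        case "$word" in
            *:*:*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# context_field CONTEXT N -> field N: 1=user, 2=role, 3=type, 4=level.
# The level may itself contain colons under MCS (e.g. s0:c0.c1023),
# so field 4 takes everything from the fourth colon-separated field on.
context_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# dac_mode LINE -> the first column: DAC mode bits plus the alternate
# access marker ('.' for an SELinux context, '+' for other ACLs).
dac_mode() {
    set -- $1
    printf '%s\n' "$1"
}

# has_selinux_label LINE -> succeeds when the mode column ends in '.',
# i.e. ls reports that the file carries an SELinux security context.
has_selinux_label() {
    case "$(dac_mode "$1")" in
        *.) return 0 ;;
        *)  return 1 ;;
    esac
}

# describe LINE -> prints the DAC mode beside each SELinux field.
describe() {
    ctx=$(context_from_ls_z "$1") || { echo "no SELinux context in line"; return 1; }
    echo "DAC mode    : $(dac_mode "$1")"
    echo "SELinux user: $(context_field "$ctx" 1)"
    echo "role        : $(context_field "$ctx" 2)"
    echo "type        : $(context_field "$ctx" 3)"
    echo "level       : $(context_field "$ctx" 4)"
}

describe "$SAMPLE_LS_Z"
```

The DAC columns (mode, owner, group) and the SELinux context answer different questions: DAC says which users may touch the file, while the type field (default_t here) is what the policy's rules are written against. Pointing the script at real output of ls -Z lets you see both side by side for any file.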