In this chapter, we learned how file contexts are stored as extended attributes on the file system and how we can manipulate the contexts of files and other file system resources. Next, we found out where SELinux keeps its definitions on what contexts are to be assigned to which files. We also learned to work with the semanage tool to manipulate this information, and worked with a few tools that use this information to enforce contexts on resources.
On the process level, we got our first taste of SELinux policies, identifying when a process is launched inside a particular SELinux domain. With it, we covered the sesearch and seinfo applications to query the SELinux policy. Finally, we looked at some of Linux's security implementations that limit the transition scope of applications, which also influence SELinux domain transitions.
In the next chapter, we will expand our knowledge of protecting the operating system through the networking-related features of SELinux.