SELinux is a MAC (Mandatory Access Control) system that works alongside the DAC (Discretionary Access Control) mechanisms we are already familiar with, such as the file permission bits.
Tip
SELinux can only restrict permissions; it cannot add them. If the DAC check does not allow access, SELinux cannot grant it.
SELinux works with labeled objects: access is granted based on these labels and controlled by policy. All objects, such as users, processes, and files, carry a label. The label you have or (more often) the label of the process you run must match, according to the policy, the label on the resource you need to access. In simple terms, think of bathrooms: humans with the label MEN have access to the bathroom labeled MEN. In Linux terms, the Apache web server process is labeled `httpd_t` and can access files with the `httpd_sys_content_t` label. In this way, your system is protected against a rogue or pwned (compromised) web server, because the set of files it can access is limited...
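To make the two-layer decision concrete, here is a small model of how DAC and SELinux type enforcement combine. It is an added example, not code from the original page or from the SELinux project: the type names `httpd_t`, `httpd_sys_content_t` and `user_home_t` are real targeted-policy types, but the allow rules, the process/file metadata and the uid values are constructed for illustration. The model checks DAC first and then looks for a matching `allow` rule, so a file that DAC forbids stays forbidden no matter what the policy says, while a file DAC permits can still be denied by the policy.

```python
"""Toy model of SELinux type enforcement layered on top of DAC.

Added example (not from the page or the SELinux project). Models the two
checks the kernel performs: classic owner/group/other permission bits,
then the SELinux type-enforcement policy. Policy rules and sample
objects below are constructed; the type names are real targeted-policy
types quoted on the page.
"""
from dataclasses import dataclass

# Constructed allow rules: (source domain, target type, object class) -> permissions.
# Anything not listed here is denied by the MAC layer.
ALLOW_RULES = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "execute"},
    ("httpd_t", "httpd_sys_rw_content_t", "file"): {"read", "write"},
}

PERM_BITS = {"read": 4, "write": 2, "execute": 1}


@dataclass
class Process:
    uid: int
    gid: int
    domain: str  # SELinux type of the process, e.g. httpd_t


@dataclass
class File:
    owner_uid: int
    owner_gid: int
    mode: int    # traditional permission bits, e.g. 0o644
    type_: str   # SELinux type label, e.g. httpd_sys_content_t


def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """Discretionary check on owner/group/other bits. Root bypasses DAC."""
    if proc.uid == 0:
        return True
    bit = PERM_BITS[perm]
    if proc.uid == f.owner_uid:
        return bool((f.mode >> 6) & bit)
    if proc.gid == f.owner_gid:
        return bool((f.mode >> 3) & bit)
    return bool(f.mode & bit)


def mac_allows(proc: Process, f: File, perm: str) -> bool:
    """Type enforcement: default deny unless an allow rule matches
    (source domain, target type, class) and lists the permission.
    Root is not special here; only the label matters."""
    return perm in ALLOW_RULES.get((proc.domain, f.type_, "file"), set())


def access(proc: Process, f: File, perm: str) -> tuple[bool, str]:
    """Combined decision: both layers must agree, DAC is consulted first."""
    if not dac_allows(proc, f, perm):
        return False, "denied by DAC"
    if not mac_allows(proc, f, perm):
        return False, f"denied by SELinux: no allow rule for {proc.domain} -> {f.type_}"
    return True, "allowed"


def demo() -> list[tuple[str, bool, str]]:
    """Run the illustrative cases and return (description, decision, reason)."""
    apache = Process(uid=48, gid=48, domain="httpd_t")        # constructed uid
    root_in_httpd = Process(uid=0, gid=0, domain="httpd_t")
    public = File(0, 0, 0o644, "httpd_sys_content_t")          # web content
    home = File(1000, 1000, 0o644, "user_home_t")              # world-readable home file
    rw_private = File(0, 0, 0o600, "httpd_sys_rw_content_t")   # writable type, but DAC says no
    cases = [
        ("httpd_t reads web content", apache, public, "read"),
        ("httpd_t writes web content (DAC forbids)", apache, public, "write"),
        ("httpd_t reads home file (DAC ok, policy forbids)", apache, home, "read"),
        ("httpd_t writes rw type but mode 0600 (DAC forbids)", apache, rw_private, "write"),
        ("root in httpd_t reads home file (policy still forbids)", root_in_httpd, home, "read"),
    ]
    results = []
    for desc, proc, f, perm in cases:
        ok, why = access(proc, f, perm)
        results.append((desc, ok, why))
        print(f"{desc}: {why}")
    return results


if __name__ == "__main__":
    demo()
```

The last two cases are the ones worth remembering: a permissive SELinux rule does not rescue an access that the mode bits forbid, and a root-owned process in a confined domain is still bound by the policy, since only the label is consulted at the MAC layer.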