SELinux/Type enforcement

Type enforcement is the notion that, in a mandatory access control system, access is governed through clearance based on a subject-access-object set of rules.

Introduction
Access control has always played a role in computing systems, and even before that. Many people understand a negative access control model ("You are not allowed to go inside that room") because it is what they, as subjects, learn when trying to do something not allowed by the access controls (i.e. trying to go inside a room). However, the positive rules (what they are allowed to do) are well known, explicitly or intuitively.

In a subject-access-object rule set, enforcement is documented line by line. Each rule stands by itself; if something is explicitly allowed in a rule, then it is allowed (regardless of other rules). If something is not explicitly allowed, then it is denied (deny by default).

Such rules can be read as "Subject foo is allowed to do access on object."

Subjects
In security parlance, subjects are actively performing an action. On a Linux system, subjects are processes (as it is a process that is executing the code of an application) and, through processes, users (as every action taken by a user is something interpreted and handled by a process, be it the user shell or the graphical environment).

In security architecturing, subjects are also often mentioned as actors.

Access
An access is what is allowed (or denied). An access is an activity, such as "entering" (in our example of entering a room) or "reading" (on files). It is also often documented as a permission.

By itself, an access doesn't mean much. The action/permissions "read", "open", "append", etc. mean nothing without subjects and objects. Instead, the set of supported actions in a type enforcement access control shows the granularity and ability of the access control.

Object
The object is the resource on which an action applies. Objects do not actively perform anything - type enforcement is a one-way definition. A process might be allowed to signal an other process - or it might not. There is no "signal another process if that other process is reading a file" or "kill a process that is writing a core file".

Type enforcement in SELinux
In SELinux, type enforcement is implemented based on the labels of the subjects and objects. SELinux by itself does not have rules that say " can execute ". Instead, it has rules similar to "Processes with the label  can execute regular files labeled  ."