User:SwifT/selinux-tutorials/1

Overview

 * SELinux/Tutorials/The_security_context_of_a_process
   * a process is assigned a security context which, just like the user under which the process runs, helps Linux identify what the application should and shouldn't be allowed to do, and
   * a security context cannot change at the discretion of the process, but is instead governed by the SELinux policy itself
 * SELinux/Tutorials/How_SELinux_controls_file_and_directory_accesses
   * SELinux uses contexts for processes (domains) and contexts for files (types) as part of its internal language for allowing access
   * SELinux uses the allow <source domain> <target type> : <class> { <permissions> }; syntax for this access
   * SELinux stores the security context (or SELinux context) of a file or directory as an extended attribute of that file
 * SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
   * denials are logged in the avc.log (no audit daemon running) or audit.log (audit daemon running) log files
   * denials might be hidden through dontaudit statements, which you can disable using semodule -DB and re-enable through semodule -B
   * the denial logging gives you great detail about who (process information, including security context) is trying to do what (permission) against something (target information, including security context)
 * SELinux/Tutorials/Controlling_file_contexts_yourself
   * the context of a file is one of the most important parts of a SELinux secured system,
   * wrong contexts are the most common source of SELinux-related denials and permission problems,
   * contexts are defined by mapping types to path regular expressions through semanage fcontext, and
   * contexts are then best applied through restorecon
 * SELinux/Tutorials/How_does_a_process_get_into_a_certain_context
   * SELinux by default inherits contexts, be it from processes (on fork) or from parent files/directories
   * contexts of processes can change on execution of a command from that process's context, but only under the conditions that
     * the target file context is executable for the source domain
     * the target file context is marked as an entrypoint for the target domain
     * the source domain is allowed to transition to the target domain