SELinux/User-based access control

User-based access control (UBAC) is not a generic security concept by itself. However, in the SELinux context, UBAC is an addition to the type enforcement and role-based access control meant to support additional mandatory segregation that cannot be enforced otherwise.

Problem
Sometimes administrators would like to enforce restrictions on users accessing each other's files, rather than depending on regular Linux DAC permissions which can be opened up by a naive user running. As SELinux is primarily a type enforcement implementation, it does not normally lend itself to creating this sort of rule to override insecure DAC settings on files in home directories.

For instance, having read access to a user file is provided by the following SELinux rule:

Users can read home files

Sadly, this doesn't take into account that there are different users. All regular users are given the  role which ends up running processes in the same   domain, so they are all allowed to read files with the   label assigned, regardless of which user actually owns the files.

The alternative of creating a separate role and type for every single user account, so that each user is only granted access to their own specific type of home directory, is not very practical; admins should not have to update the system policy just to add a new user account.

Using the SELinux user bit
As a solution, SELinux supports more than just type enforcement. Additional constraints can be set based on the role and SELinux user part.

One of the constraints that is enabled (optionally) is the UBAC constraint, which roughly translates to "Interaction between a domain and a resource is only allowed if the SELinux user of both match, one of them is the  SELinux user or one of them does not have the   attribute set."

In our example, this means that we are able now to restrict access between users if the users are separate SELinux users. So even though two users both assigned the  SELinux user can, policy-wise, still read each others' resources (if allowed by the DAC rules of course), separate SELinux users cannot do this anymore.

And as creating SELinux users is a matter of system administration, it is possible to create separate SELinux users for every Linux user. However, know that UBAC cannot be exempted on a user-basis. Instead, exemption is done based on user domain level. For instance, the  domain has exemptions for file, file descriptor and processes.