SELinux/User-based access control

User-based access control (UBAC) is not a generic security concept by itself. However, in the SELinux context, UBAC is an addition to the type enforcement and role-based access control meant to support additional mandatory segregation that cannot be enforced otherwise.

Problem
As SELinux is primarily a type enforcement implementation, access control on a per-user basis falls back to the regular Linux DAC permissions.

For instance, having read access to a user file is provided by the following SELinux rule:

Users can read home files

Sadly, this doesn't take into account that there are different users. Regular users run in the  domain and are therefore allowed to read files with the   label assigned, regardless of which end user owns them.

This is an issue, as the idea behind mandatory access control is that access rights set in the MAC system cannot be overridden. Although the rule above fits this model perfectly, the MAC policy actually allows something administrators might not want: any user in that domain may read any file carrying that label.

Using the SELinux user bit
As a solution, SELinux supports more than just type enforcement. Additional constraints can be set based on the role and SELinux user parts of the security context.

One constraint that can optionally be enabled is the UBAC constraint, which roughly translates to "Interaction between a domain and a resource is only allowed if the SELinux user of both match, one of them is the  SELinux user, or one of them does not have the   attribute set."

In our example, this means that we are now able to restrict access between users, provided the users are mapped to separate SELinux users. So even though two users who are both assigned the  SELinux user can, policy-wise, still read each other's resources (if allowed by the DAC rules, of course), separate SELinux users cannot do this anymore.
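The following is an added illustration, not code from the wiki page: a small Python model of how the UBAC constraint is evaluated on top of a type enforcement decision. The condition is modelled after the reference policy's basic_ubac_conditions (the `system_u` user and the `ubac_constrained_type` attribute are the reference policy's names); the allow rules, the set of constrained types and the sample contexts are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample of types carrying the ubac_constrained_type attribute.
# In the reference policy this attribute is assigned per user domain.
UBAC_CONSTRAINED = {"user_t", "staff_t", "user_home_t", "staff_home_t"}

# Constructed type enforcement allow rules: source domain -> readable target types.
# Note that these are user-agnostic: any user_t process may read any user_home_t file.
ALLOW_READ = {
    "user_t": {"user_home_t", "tmp_t"},
    "staff_t": {"user_home_t", "staff_home_t", "tmp_t"},
}


@dataclass(frozen=True)
class Context:
    """The user:role:type part of a security context (an MLS level, if any, is ignored)."""
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text):
        user, role, typ = text.split(":")[:3]
        return cls(user, role, typ)


def te_allows_read(subject, obj):
    """Type enforcement: is there an allow rule from the subject domain to the object type?"""
    return obj.type in ALLOW_READ.get(subject.type, set())


def ubac_allows(subject, obj):
    """UBAC constraint, modelled after refpolicy's basic_ubac_conditions:
    u1 == u2 or u1 == system_u or u2 == system_u
    or t1 != ubac_constrained_type or t2 != ubac_constrained_type"""
    return (subject.user == obj.user
            or subject.user == "system_u"
            or obj.user == "system_u"
            or subject.type not in UBAC_CONSTRAINED
            or obj.type not in UBAC_CONSTRAINED)


def can_read(subject_ctx, obj_ctx, ubac_enabled=True):
    """Combined decision: the allow rule must exist, and every enabled constraint must hold.
    DAC is checked by the kernel before SELinux and is outside this model."""
    subject, obj = Context.parse(subject_ctx), Context.parse(obj_ctx)
    if not te_allows_read(subject, obj):
        return False
    return ubac_allows(subject, obj) if ubac_enabled else True
```

With UBAC enabled, a `user_t` process owned by `alice_u` is denied read access to a `user_home_t` file owned by `bob_u` even though the allow rule exists, while two processes sharing one SELinux user are not separated.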

And as creating SELinux users is a matter of system administration, it is possible to create a separate SELinux user for every Linux user. However, note that UBAC exemptions cannot be granted on a per-user basis. Instead, exemption is done at the level of the user domain. For instance, the  domain has exemptions for files, file descriptors and processes.