SELinux is a mandatory access control system which enables a more fine-grained access control mechanism as well as allow the security administrator to define what a user can do and can't. Unlike the standard discretionary access control in place for Linux (which means that the end user can still share files he shouldn't share, allow others to have write access to his files, etc.) a mandatory access control system is fully governed through a security policy.
With SELinux, which works alongside the standard discretionary access control system (the DAC system is first checked and only when this would allow an activity, then SELinux is queried as well), processes run inside what it calls a domain. Privileges are then assigned to a domain to define the allowed interactions with other resources (be it processes, other domains, files, sockets, capabilities, file contexts, semaphores, messages, ...).
In the Gentoo Project, SELinux is supported through the Gentoo Hardened project although it does not require the use of the hardened profiles (you can enable SELinux without using the hardened toolchain).
Gentoo Hardened SELinux Resources
The following is a list of resources available to support users and developers in their SELinux quests, and are also maintained through the developers of the SELinux subproject in Gentoo Hardened.
- Gentoo Hardened SELinux Handbook
- Gives a quick introduction to SELinux
- Contains the installation (migration) instructions
- Gives a first taste of the various SELinux administrative commands
- Gentoo Hardened and SELinux Frequently Asked Questions
- SELinux Policy Constraints
- Gentoo Hardened SELinux Tutorials
There is also some development-related documentation, in case you are interested in contributing to the SELinux support in Gentoo Hardened.
- Gentoo Hardened SELinux Development Guide
- Reporting SELinux policy bugs
- Gentoo Hardened SELinux Development Policy
- Gentoo Hardened SELinux Roadmap (might be outdated)
SELinux Policy Modules
SELinux uses a modular approach on its policies. Core permissions are contained within the "base" policy whereas additional privileges are defined in SELinux modules. You can list the currently loaded SELinux modules through semodule -l. As a policy module contains definitions (what domains are provided by the module, which resources are labeled and how are they labeled), privileges (what interactions are allowed), optional privileges (which are triggered through SELinux booleans) and more, it is sometimes warranted to have a more elaborate document on the specifics of that module.
Below you'll find a list of documented modules.
- apache is the SELinux module to support web servers like apache or lighttpd
- bind is the SELinux module to support the named domain server
- chromium is the SELinux module to support the chromium browser
- cron is the SELinux module for the various cron domains (like vixie-cron)
- ldap is the SELinux module for OpenLDAP
- portage is the SELinux module offering support for Gentoo's portage and portage-related tools (like gcc-config, eselect, ...)