What are the three policy types of SELinux?

There are 3 policy types of SELinux: 1. Target policy, which mainly controls access to the service process process in the system, and can also restrict other processes and users. 2. MLS policy will control all processes in the system. 3. Minimum policy, originally created for low-memory computers or devices (such as smartphones), allows SELinux to run without consuming too many resources.

#The operating environment of this tutorial: linux7.3 system, Dell G3 computer.

For SELinux, the selected policy type directly determines which policy rules are used to execute the targets (file or directory resources) that the subject (process) can access. Not only that, the policy type also determines which specific security context attributes are required. Policy types provide a more precise understanding of the access control implemented by SELinux.

SELinux provides 3 different strategies to choose from, namely Targeted, MLS and MiNimum. Each policy implements access control that meets different needs, so in order to correctly select a policy that meets specific security needs, you must first understand these policy types.

Target policy

Target policy mainly controls access to the service process in the system. At the same time, it can also restrict other processes. and users. Service processes are placed in a sandbox, an environment where service processes are strictly restricted so that malicious attacks through such processes do not affect other services or the Linux system.

A sandbox is an environment in which processes can run, but access to other processes or resources is strictly controlled. In other words, each process located in the sandbox only runs in its own domain (the area where the process runs is called the "domain"), and they cannot access other processes or resources (unless they are granted special permissions).

Using this policy, you can share print servers, file servers, Web servers, or other services more securely while reducing the risk that access to these services will adversely affect other resources in the system.

MLS policy

MLS is the abbreviation of Multi-Level Security. This policy controls all processes in the system. . After enabling MLS, users will get errors even when executing the simplest commands (such as ls).

Minimum policy

The Minimum policy means "minimum restriction". This policy was originally targeted at low-memory computers or devices ( such as smartphones).

Essentially, Minimun is similar to Target, except that it only uses the basic policy rule package. For low-memory devices, the Minumun policy allows SELinux to run without consuming too many resources.

Note that the policy rules available in the Linux distribution you are using may not be exactly the same as those listed above. For example, in earlier Linux distributions, the strict policy can still be used, but in newer distributions, the strict policy is merged into the Targeted policy, which is also the default policy rule.

So, how do we query which SELinux strategy is used in the current system? This needs to be viewed using the sestatus command. The command is as follows:

[root@localhost ~]# sestatus
SELinux status： enabled
#SELinux启用
SELinuxfs mount： /selinux
#SELinux数据的挂载位置
Current mode： enforcing
#运行模式是强制模式
Mode from config file： enforcing
#配置文件所指定的模式也是强制模式
Policy version： 24
#策略版本
Policy from config file： targeted
#目前策略是针对性保护策略

Related recommendations: "Linux Video Tutorial"

The above is the detailed content of What are the three policy types of SELinux?. For more information, please follow other related articles on the PHP Chinese website!