
SELinux Context


SELinux labels every subject (process) and object (file, socket, directory, and so on) with a context. Policy rules determine which context an object receives when it is created, and which operations a subject may perform on an object given the context of the subject, the context of the object, and the object class. The RBAC features of SELinux bound which contexts a given subject may acquire: the SELinux user limits the roles available, and the role limits the types a process may enter.


The SELinux context consists of four colon-separated components, written as user:role:type:level (the fourth component is present only when the policy supports MLS or MCS):

  • SELinux User: assigned to a Linux user upon login; bounds the user's set of available roles; never changes during a user's session; useful for auditing.
  • Role: bounds a set of possible types; determines which role transitions may occur.
  • Type: used to perform access check based upon the subject type, object type, object class, and operation being performed; used to write explicit access control rules.
  • MLS/MCS Level Range: a level consists of a sensitivity and a set of categories; a range is written low-high and the high level must dominate the low one; used to perform MLS/MCS access control checks.
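As an added example (not code from the original page or from the SELinux project), the following Python parses context strings of the form described above into their four components. The sample contexts are constructed for illustration rather than copied from a real system. The parser shows two details a practitioner trips over: the level field itself contains colons (s0:c0.c1023), so a context cannot be split on every colon, and a range is only valid when its high level dominates its low level. The `mls_can_read` function is a simplified illustration of the dominance check that MLS constraints perform; real policy expresses it with constrain rules, and the function name is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample contexts, not taken from any particular system.
SAMPLE_CONTEXTS = [
    "system_u:object_r:httpd_sys_content_t:s0",               # file under a web root
    "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",  # login shell under MCS
    "system_u:system_r:httpd_t:s0",                           # the httpd process
    "staff_u:staff_r:staff_t:s0:c1,c5.c7",                    # one level, explicit categories
    "system_u:object_r:etc_t",                                # non-MLS policy: three fields only
]

# A level is sN optionally followed by :cA,cB.cC (commas separate, a dot denotes a range).
_LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:[.,]c\d+)*))?$")


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: FrozenSet[int]


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level]   # None when the policy has no MLS/MCS field
    high: Optional[Level]


def parse_level(text: str) -> Level:
    """Parse 's0', 's0:c0.c1023' or 's0:c1,c5.c7' into a Level."""
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"malformed level: {text!r}")
    categories = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # cA.cB expands to every category in [A, B]
                lo, hi = (int(p[1:]) for p in part.split("."))
                if lo > hi:
                    raise ValueError(f"inverted category range: {part!r}")
                categories.update(range(lo, hi + 1))
            else:
                categories.add(int(part[1:]))
    return Level(int(m.group(1)), frozenset(categories))


def dominates(a: Level, b: Level) -> bool:
    """MLS dominance: a >= b in sensitivity and a's categories include all of b's."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


def parse_context(text: str) -> Context:
    """Split user:role:type[:range]; the range may contain ':' so split at most 3 times."""
    fields = text.split(":", 3)
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"context needs at least user:role:type: {text!r}")
    user, role, typ = fields[:3]
    if len(fields) == 3:
        return Context(user, role, typ, None, None)
    range_text = fields[3]
    if "-" in range_text:
        low_text, high_text = range_text.split("-", 1)
    else:
        low_text = high_text = range_text          # a single level is the range low-low
    low, high = parse_level(low_text), parse_level(high_text)
    if not dominates(high, low):
        raise ValueError(f"high level must dominate low level: {range_text!r}")
    return Context(user, role, typ, low, high)


def mls_can_read(subject: Context, obj: Context) -> bool:
    """Simplified 'no read up': the subject's current (low) level must dominate the object's level.
    Illustrative only; real policy encodes this in constrain rules."""
    if subject.low is None or obj.low is None:
        return True                                # no MLS field: nothing to enforce here
    return dominates(subject.low, obj.low)


if __name__ == "__main__":
    for ctx_text in SAMPLE_CONTEXTS:
        ctx = parse_context(ctx_text)
        print(ctx_text, "->", ctx.user, ctx.role, ctx.type,
              None if ctx.low is None else sorted(ctx.high.categories)[:4])
```

On a running system the same strings are what `id -Z`, `ps -eZ` and `ls -Z` print, and `secon` splits them into the same four fields; the parser above is useful offline, for example when checking contexts recorded in audit logs or file_contexts files.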

The following diagram shows the structure of a typical SELinux context and gives further information about the characteristics of each component.


SELinux Context Diagram