Difference between revisions of "NB RBAC"

From SELinux Wiki
(Role-Based Access Control (RBAC))

Line 1:

= Role-Based Access Control (RBAC) =

− To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in the [http://taiga.selinuxproject.org/~rhaines/NB4-diagrams/4-RBAC.png Role Based Access Control] diagram.
+ To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in the [http://selinuxproject.org/~rhaines/NB4-diagrams/4-RBAC.png Role Based Access Control] diagram.

The SELinux role name is the second component of a 'security context' and by convention SELinux roles end in '<tt>_r</tt>', however this is not enforced by any SELinux service (i.e. it is only used to identify the role component), although CIL with namespaces does make identification of a role easier for example a 'role' could be declared as <tt>unconfined.role</tt>.
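Review bot: the changed line still links the diagram over plain http://; if selinuxproject.org serves the image over HTTPS, the link should use the https scheme so readers do not fetch it in cleartext. The second paragraph is unchanged context.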

Latest revision as of 13:04, 25 September 2015

Role-Based Access Control (RBAC)

To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in the Role Based Access Control diagram.

The SELinux role name is the second component of a 'security context'. By convention SELinux role names end in '_r', but no SELinux service enforces this suffix; it only helps a reader identify the role component. CIL with namespaces makes a role easier to identify in a different way: for example, a role can be declared as unconfined.role.

It is possible to add constraints and bounds on roles as discussed in the Type Enforcement section.
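A worked illustration of the user to role to domain type chain described above, added here as example code rather than anything from the SELinux project or this wiki: a small Python checker reads a constructed CIL-style fragment (userrole and roletype are real CIL statement names, but the users, roles and types are made up and the fragment is not a complete CIL policy) and decides whether the role in a security context is authorised for its user and its type.

```python
import re

# Constructed CIL-style policy fragment (not from the page or from any real
# policy): it wires two SELinux users to roles and roles to the domain types
# they may enter. The role names deliberately mix the '_r' convention with a
# CIL namespaced name (unconfined.role) to show that the suffix is not enforced.
CONSTRUCTED_POLICY = """
(user user_u)
(user admin_u)
(role user_r)
(role unconfined.role)
(type user_t)
(type unconfined_t)
(userrole user_u user_r)
(userrole admin_u unconfined.role)
(userrole admin_u user_r)
(roletype user_r user_t)
(roletype unconfined.role unconfined_t)
"""

STMT = re.compile(r"\((\w+)\s+([\w.]+)(?:\s+([\w.]+))?\)")

def parse_policy(text):
    """Collect users, roles, types and the userrole/roletype associations."""
    policy = {"user": set(), "role": set(), "type": set(),
              "userrole": set(), "roletype": set()}
    for kind, a, b in STMT.findall(text):
        if kind in ("user", "role", "type"):
            policy[kind].add(a)
        elif kind in ("userrole", "roletype"):
            policy[kind].add((a, b))
    return policy

def context_allowed(policy, context):
    """Return (ok, reason) for a user:role:type[:level] context under RBAC."""
    user, role, dtype = context.split(":")[:3]  # role is the second component
    if user not in policy["user"]:
        return False, f"unknown user {user}"
    if role not in policy["role"]:
        return False, f"unknown role {role}"
    if dtype not in policy["type"]:
        return False, f"unknown type {dtype}"
    if (user, role) not in policy["userrole"]:
        return False, f"user {user} is not authorised for role {role}"
    if (role, dtype) not in policy["roletype"]:
        return False, f"role {role} may not enter domain {dtype}"
    return True, "ok"
```

Both links in the chain must hold: a user who holds a role still cannot enter a domain that role was never associated with, and a valid role/type pair is useless to a user who was never given that role.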


Previous
Home
Next