Role-Based Access Control (RBAC)
To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in the Role Based Access Control diagram. Note that GNU / Linux users are not a direct part of the RBAC feature, they are associated to SELinux users via SELinux specific commands such as:
- semanage login- That manages the association of GNU / Linux users (or groups of users) to SELinux users.
- semanage user - That manages the association of SELinux users to roles.
The Role Based Access Control diagram shows how the SELinux user and roles are associated within the basic loadable modules that form the simple message filter exercise described in Volume 2.
SELinux users can be equated to groups or classes of user, for example in the Reference Policy there is user_u for general users with staff_u and sysadm_u for more specialised users. There is also a system_u defined that must never be associated to a GNU / Linux user as it a special identity for system processes and objects.
- There are other SELinux utilities that can manage users etc., however this Notebook will only use the core utilities.