SELinux

Security-Enhanced Linux® (SELinux) is a Linux kernel-based security system that defines and enforces the access rights of every user, application, process, and file within a Red Hat® system. SELinux also defines and enforces the rights to transition from one set of privileges to another.

Access rights are defined by policies, which are implemented as collections of fine-grained rules, each governing a specific type of access to a specific type of resource. Although each rule is simple, their low level of abstraction means that a policy may contain a great many rules, and complex systems will likely require correspondingly complex rulesets for accurate coverage.

For SELinux, labeling is everything. Every process and resource carries a label, a type that represents its security context, and access is granted only if a policy rule explicitly allows the combination of the accessor's type and the accessee's type; any access not matched by a rule is denied. This is the core principle behind the operation of SELinux.
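The following simulator is an added example, not SELinux or Red Hat policy code; it models the two ideas above (type labels with default-deny allow rules, and privilege transitions from one domain to another) so the decision logic can be traced by hand. All type names (`httpd_t`, `httpd_content_t`, `shadow_t`, `init_t`, `httpd_exec_t`), the rules in `build_sample_policy`, and the AVC-style log line are constructed for illustration; the log format only approximates the kernel's.

```python
"""Toy SELinux type-enforcement simulator (added example, not real policy).

Every subject (process) and object (file, socket, ...) carries a type label.
An access is permitted only when an explicit allow rule matches the tuple
(source type, target type, object class, permission); anything else is
denied. A domain transition is modelled the way SELinux requires it: a
type_transition rule plus the three allow rules that make it legal.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    source: str             # type (domain) of the accessing process
    target: str             # type of the accessed resource
    tclass: str             # object class, e.g. "file" or "process"
    perms: FrozenSet[str]   # permissions granted on that class


@dataclass
class Policy:
    allows: List[AllowRule] = field(default_factory=list)
    # (source domain, executable file type) -> domain the new process gets
    transitions: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def allow(self, source: str, target: str, tclass: str, *perms: str) -> None:
        self.allows.append(AllowRule(source, target, tclass, frozenset(perms)))

    def type_transition(self, source: str, exec_type: str, new_domain: str) -> None:
        self.transitions[(source, exec_type)] = new_domain

    def check(self, source: str, target: str, tclass: str, perm: str) -> bool:
        """Default deny: True only if some allow rule covers this exact tuple."""
        return any(
            r.source == source and r.target == target
            and r.tclass == tclass and perm in r.perms
            for r in self.allows
        )

    def decide(self, source: str, target: str, tclass: str, perm: str) -> Tuple[bool, str]:
        """Return the decision plus a log line shaped like a kernel AVC record
        (constructed approximation of the format, useful for seeing what a
        denial would look like to someone reviewing audit logs)."""
        verdict = "granted" if self.check(source, target, tclass, perm) else "denied"
        line = (f"avc: {verdict} {{ {perm} }} scontext=system_u:system_r:{source}:s0 "
                f"tcontext=system_u:object_r:{target}:s0 tclass={tclass}")
        return verdict == "granted", line

    def exec_domain(self, source: str, exec_type: str) -> Optional[str]:
        """Domain a process runs in after executing a file labelled exec_type.

        With no type_transition rule the process stays in its own domain,
        provided it may execute the file at all (the real kernel also checks
        execute_no_trans here; omitted for brevity). With a transition rule,
        SELinux requires three allows: the source may execute the file, the
        source may transition to the new domain, and the new domain accepts
        the file as its entrypoint. None means the exec is denied outright.
        """
        if not self.check(source, exec_type, "file", "execute"):
            return None
        new = self.transitions.get((source, exec_type))
        if new is None:
            return source
        if (self.check(source, new, "process", "transition")
                and self.check(new, exec_type, "file", "entrypoint")):
            return new
        return None


def build_sample_policy() -> Policy:
    """Constructed toy policy (not Red Hat's): a web server domain that may
    read its own content and nothing else, entered from init via a transition."""
    p = Policy()
    p.allow("httpd_t", "httpd_content_t", "file", "read", "getattr", "open")
    p.allow("init_t", "httpd_exec_t", "file", "execute")
    p.allow("init_t", "httpd_t", "process", "transition")
    p.allow("httpd_t", "httpd_exec_t", "file", "entrypoint")
    p.type_transition("init_t", "httpd_exec_t", "httpd_t")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for req in [("httpd_t", "httpd_content_t", "file", "read"),
                ("httpd_t", "httpd_content_t", "file", "write"),
                ("httpd_t", "shadow_t", "file", "read")]:
        print(policy.decide(*req)[1])
    print("init_t exec httpd_exec_t ->", policy.exec_domain("init_t", "httpd_exec_t"))
    print("httpd_t exec httpd_exec_t ->", policy.exec_domain("httpd_t", "httpd_exec_t"))
```

Two things are worth noticing when running it. First, `httpd_t` reading `shadow_t` is denied not because a rule forbids it but because no rule permits it, which is why a small, explicit ruleset gives strong containment. Second, `httpd_t` cannot re-execute its own binary: the transition from `init_t` is a one-way privilege change, and every leg of it (execute, transition, entrypoint) must be separately allowed, which is exactly the "rights to transition from one set of privileges to another" that the policy has to spell out.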