SELinux Contexts & Process Domain Transitions

https://drive.google.com/file/d/1LuXnYYHT0TWk9OhIlA8lfiQWNmYC779o/view?usp=sharing

1. Understanding SELinux Context Components

Every SELinux context has 4 components (user:role:type:level):

Component	Purpose	Example
SELinux User	Maps Linux users to SELinux roles	`user_u`, `root`, `system_u`
Role	Defines which domains a user can enter	`object_r` (files), `system_r` (processes)
Type	Most critical—defines access permissions	`user_home_t`, `httpd_t`, `shadow_t`
Level	MLS/MCS security level (sensitivity:category)	`s0`, `s0-s15:c0.c1023`

Viewing Contexts

# File context
ls -Z file.txt

# Directory context (note -d flag)
ls -Zd /tmp

# Process context
ps -eZ

2. Deep Dive: SELinux Components

SELinux User (`semanage login -l`)

Maps Linux users → SELinux users
Controls which roles a user can assume

# View user mappings
semanage login -l

# Example output:
# __default__               user_u
# root                      root
# zybi                      user_u

💡 Key Insight:

unconfined_u = Can access almost anything (like traditional Linux)

user_u = Restricted user (common for regular accounts)

SELinux Role

Files: Always object_r (no role-based access for files)
Processes: system_r (system processes), user_r (user processes)
Role-Based Access Control (RBAC):
- User → Role → Domain → Process
- Prevents privilege escalation even if process is compromised

🔍 Example:

Web server runs in httpd_t domain → Can only access httpd_sys_content_t files

Even if hacked, can't read /etc/shadow (shadow_t type)

1. Understanding SELinux Context Components

Viewing Contexts

2. Deep Dive: SELinux Components

SELinux User (semanage login -l)

SELinux Role

SELinux User (`semanage login -l`)