LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does SELinux differ from the standard Linux security model?

Standard rwx permissions are Discretionary Access Control (DAC) — owners decide, and root overrides everything. SELinux adds Mandatory Access Control (MAC), where a central policy decides, no owner can loosen it, and even root processes are confined.

DAC: owner decides, root overrides. MAC (SELinux): central policy decides, no owner can loosen it, even root is confined; both must allow.

* DAC (owner discretion + root override) vs MAC (policy decides, confines even root). *

The words explain the difference. Discretionary: access is at the owner's discretion — you can chmod 777 your own file, and a process running as root sails past every check. Mandatory: access is dictated by system policy that users can't relax; a process is boxed into its label no matter who owns the file or how permissive the rwx bits are. That's why MAC contains breaches DAC can't: under DAC a compromised Apache inherits the Apache user's full reach (its files, /tmp, every world-writable file). Under SELinux, httpd_t may touch only what policy allows (e.g. httpd_sys_content_t), so the blast radius stops at Apache's own files — "a weakness in one part of the system cannot spread to the rest." Both layers apply: an action must pass DAC and MAC.

Example - Web server vulnerability:

Without SELinux:

  • Attacker compromises Apache process
  • Gets Apache user/group permissions
  • Can access /var/www/html, /tmp, /var/tmp, and all world-writable files

With SELinux:

  • Security rules define which process can access which files, directories, and ports
  • All resources have SELinux context labels
  • Default deny - no access without explicit rule
  • Compromised process is confined to its policy

Key principle: A weakness in one part of the system cannot spread to other parts.

Go deeper:

From Quiz: LIOS / SELinux Security | Updated: Jul 05, 2026