How SELinux Works
Consider these pieces of the SELinux puzzle:
When a subject (such as an application) attempts to access an object (such as a file), the SELinux Security Server (inside the kernel) runs a check against the Policy Database. Depending on the current mode, if the SELinux Security Server grants permission, the subject is given access to the object. If the SELinux Security Server denies permission, a denial message is logged in /var/log/messages.
SELinux has three modes (which can be set by the user). These modes dictate how SELinux acts upon a subject's request. The modes are:
- Enforcing — SELinux policy is enforced and subjects will be denied or granted access to objects based on the SELinux policy rules
- Permissive — SELinux policy is not enforced and does not deny access, although denials are logged
- Disabled — SELinux is completely disabled
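The decision path described above, as an added example that is not code from the original article: a toy Python model of the Security Server consulting a Policy Database of allow rules and applying each of the three modes. The type names and the single allow rule are constructed for illustration, and the logged line is a simplified stand-in for the real denial record written to /var/log/messages.

```python
from dataclasses import dataclass, field

ENFORCING, PERMISSIVE, DISABLED = "enforcing", "permissive", "disabled"


@dataclass
class SecurityServer:
    """Toy stand-in for the in-kernel SELinux Security Server."""
    mode: str = ENFORCING
    # Policy Database: (subject type, object type, object class) -> permissions allowed
    policy: dict = field(default_factory=dict)
    # Stands in for /var/log/messages; holds one entry per denial
    log: list = field(default_factory=list)

    def allow(self, stype, ttype, tclass, *perms):
        """Load an allow rule, e.g. 'allow httpd_t httpd_sys_content_t:file { read open };'."""
        self.policy.setdefault((stype, ttype, tclass), set()).update(perms)

    def access(self, stype, ttype, tclass, perm):
        """Run the check; return True if the subject is given access to the object."""
        if self.mode == DISABLED:
            return True  # SELinux is off: no policy lookup, nothing logged
        if perm in self.policy.get((stype, ttype, tclass), set()):
            return True  # policy grants the permission
        # Policy denies: record it (simplified form of the kernel's AVC denial line)
        self.log.append(f"avc: denied {{ {perm} }} scontext={stype} "
                        f"tcontext={ttype} tclass={tclass}")
        # Enforcing blocks the access; permissive only logs it and lets it through
        return self.mode == PERMISSIVE


def run_requests(mode):
    """Replay the same three requests under one mode; the type names are hypothetical."""
    server = SecurityServer(mode=mode)
    server.allow("httpd_t", "httpd_sys_content_t", "file", "read", "open")
    results = {
        "read web content": server.access("httpd_t", "httpd_sys_content_t", "file", "read"),
        "write web content": server.access("httpd_t", "httpd_sys_content_t", "file", "write"),
        "read shadow file": server.access("httpd_t", "shadow_t", "file", "read"),
    }
    return results, server.log


if __name__ == "__main__":
    for mode in (ENFORCING, PERMISSIVE, DISABLED):
        results, log = run_requests(mode)
        print(mode, results, f"{len(log)} denial(s) logged")
```

Running it shows the same two denials logged in enforcing and permissive mode, with only enforcing actually refusing the access, and no check or log at all when disabled.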