On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@xxxxxxxxx> wrote:
> There are 3 security models in which SELinux can work -- TE, RBAC and MLS.
>
> And there are 6 types of SELinux policies --
>
> targeted, mls, mcs, standard, strict or minimum.
>
> Each security model requires its own set of policies and the policies can
> be 1 of the 6 types. So can all the 3 security models and 6 types be
> intermixed? Won't there be conflicts like with MLS and RBAC?

The SELINUXTYPE value should be seen as the name given to a policy store. The contents (the actual policy, the features it supports, the fact that it is MLS-enabled or not) have nothing to do with the name of the store per se.

It is just a matter of convenience that policy stores are named in a particular way so that, cross-distributions, security administrators can deduce the type and features of the policy based on the name.

For instance, on RHEL6, "targeted" is the name given to the policy store that contains an MCS policy with support for unconfined domains. On Gentoo, this name is rather used for non-MCS policy with support for unconfined domains.

Afaik, there is no conflict between RBAC and MLS. With MLS, the SELinux subsystem allows or denies access based on the dominance rules between the domains' security clearance and the resource sensitivity level. RBAC instead allows or denies a SELinux role to be associated with a particular domain.

Wkr,
Sven Vermeulen
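An added example, not part of the original message and not SELinux's own code, of the two checks the reply describes as separate decisions: MLS dominance between a domain's clearance and a resource's level, and RBAC's role-to-domain association. The role table and the levels are constructed, and the dominance test is the simplified textbook form (equal or higher sensitivity plus a superset of categories), not a loaded policy's actual constraints.

```python
import re

def parse_level(level):
    """Parse an MLS level such as 's2:c1,c3.c5' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c3' or range 'c3.c5'
        if not r:
            raise ValueError(f"bad category: {part!r}")
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def dominates(clearance, resource_level):
    """MLS: clearance dominates if its sensitivity is >= and its categories are a superset."""
    s1, c1 = parse_level(clearance)
    s2, c2 = parse_level(resource_level)
    return s1 >= s2 and c1 >= c2

# Constructed role -> domain-type associations (assumption, not a real policy).
ROLE_TYPES = {
    "staff_r": {"staff_t"},
    "sysadm_r": {"staff_t", "sysadm_t"},
}

def role_allows(role, domain):
    """RBAC: may this role be associated with this domain type at all?"""
    return domain in ROLE_TYPES.get(role, set())

def decide(role, domain, clearance, resource_level):
    """Evaluate both models independently; neither result feeds the other."""
    return {
        "rbac": role_allows(role, domain),
        "mls": dominates(clearance, resource_level),
    }

if __name__ == "__main__":
    # Constructed cases: each model can fail while the other passes.
    print(decide("staff_r", "sysadm_t", "s3:c0.c3", "s1:c2"))
    print(decide("sysadm_r", "sysadm_t", "s0", "s1"))
```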