• DocumentCode
    3227451
  • Title

    SELinux in and out

  • Author

    Khan, Kashif Ahmad ; Amin, Muhammad ; Afridi, Abbas Khan ; Shehzad, Waqas

  • Author_Institution
    Dept. of CS, NUCES, Peshawar, Pakistan
  • fYear
    2011
  • fDate
    27-29 May 2011
  • Firstpage
    339
  • Lastpage
    343
  • Abstract
    Security Enhanced Linux (SELinux) is a widely used Mandatory Access Control system which is integrated in the Linux kernel. It is an added layer of security mechanism on top of the standard Discretionary Access Control system that Unix/Linux and other major operating systems have. SELinux does not nullify DAC but in fact supports DAC, and its checks are performed after DAC's. If DAC allows an operation, then SELinux checks that operation by comparing it with the set of specified rules that it has and decides based on those rules only. If DAC denies some access, then SELinux checks are not performed. Because DAC allows users to have full control over files that they own, they could unwantedly set any permission on the files that they own, at their own discretion, which could prove dangerous. For this reason SELinux brings the Mandatory Access Control (MAC) mechanism, which enforces rules based on a specified policy and denies access operations if the policy in use does not allow them, even if the file permissions were world-accessible using DAC. In this paper we discuss various SELinux policies and provide a statistical comparison using the standard Delphi method.
  • Keywords
    Linux; authorisation; Unix; file permissions; mandatory access control system; operating systems; security enhanced Linux; security mechanism; standard Delphi method; standard discretionary access control system; Organizations; Security; Usability; Access Controls; MAC; SELinux;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on
  • Conference_Location
    Xi'an
  • Print_ISBN
    978-1-61284-485-5
  • Type

    conf

  • DOI
    10.1109/ICCSN.2011.6014064
  • Filename
    6014064