ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm reading about SELinux on Android, and I don't understand what are the benefits of using it?
You cannot define too many rules in policy, since it's slowing the system down. I thought normal DAC (permissions) provides every thing needed.
SELinux provides mandatory permissions (MAC). DAC permissions can be changed by the file owner... MAC can't be bypassed by the user. This protects files by enforcing defined partitions between data, applications, processes.
SELinux is an *extension* to traditional Linux Access Control. Traditional Linux Access Control has two defining properties: 1. It is "identity-based" access control. 2. It is "de-centralized" access control (AKA discretionary access control)
SELinux aims to address challenges of "traditional identity-based DAC". DAC is coarse grained in that you generally have several process and files all associated with a single identity. DAC allows individual processes to govern security attributes of entities associated with it's identity.
SELinux defines itself as follows: Flexible and customizable access control framework that allows for fine grained mandatory (centralized) access control.
SEAndroid takes advantage of SELinux in several ways. A few ways that come to mind are: 1. ioctl whitelisting/blacklisting. 2. restricting the loading of kernel modules. Only kernel modules from trusted (encrypted) partitions can be loaded.
SELinux enables one to address the widest range of access control challenges.
Last edited by dac.override; 10-18-2016 at 05:37 AM.
That's like building a car from 18 gauge steel. It may never get dented, but it'll be heavy!
The art is to achieve your goals in a efficient yet effective way. It is a myth that SELinux is "heavy". Whether SELinux implementations are "heavy" or not depends on the requirements.
The framework gives you the canvas, a wide variety of paint and brushes (most of it is implemented in Linux as a Linux Security Module). Whether you use it to create some complex or some really simple piece is up to you, and it depends on your requirements.
I think it speaks volumes that Android decided to use SELinux on their devices.
I think that it is also worth noting that, today, there are other technologies ... (very specifically, "AppArmor") that might, today, be more to your liking.
These alternative technologies use the same operating-system "plumbing" that drives SELinux, but with a different and more-targeted approach, e.g. "I really [just] want to constrain Apache ..."
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.