SELinux类型强制访问控制(TE)
In SELinux every access must be explicitly granted. Whatever user or group ID a process runs with, it has no access at all by default. This means a SELinux system has no built-in superuser, unlike the root user on a standard Linux system. Access is granted by writing rules: an allow rule between a subject (domain) type and an object type is what implements the access control.
An allow rule has four elements:

  • Source type(s) Usually the domain type of a process attempting access
  • Target type(s) The type of an object being accessed by the process
  • Object class(es) The class of object for which the specified access is permitted
  • Permission(s) The kind of access that the source type is allowed to the target type for the indicated object classes
    allow user_t bin_t : file {read execute getattr};


    Note
    There is no significance to the _t in the type identifier name. This is just a naming convention used in most SELinux policies; a policy writer can define a type identifier using any convenient convention allowed by the policy language syntax.
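To make the default-deny decision concrete, here is a small added example (not code from the original post, and not the kernel's own implementation) that parses allow rules in the `allow source target : class { perms };` syntax shown above and answers access requests the way type enforcement does: a request is permitted only if some allow rule covers all four elements, otherwise it is denied. The policy fragment is constructed for this example; it goes slightly beyond the single rule in the post by also accepting brace-enclosed sets of source, target or class identifiers. Note that a real policy also contains attributes, type transitions and constraints, which this toy checker does not model.

```python
import re

# Constructed sample policy fragment (for this example only).
SAMPLE_POLICY = """
allow user_t bin_t : file { read execute getattr };
allow { user_t staff_t } user_home_t : dir { read search getattr };
allow user_t user_home_t : file { read write getattr };
"""

# One allow rule: each of the four elements is either a single identifier
# or a brace-enclosed set of identifiers.
RULE_RE = re.compile(
    r"allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;"
)


def _expand(token):
    """Turn '{ a b }' into {'a', 'b'} and 'a' into {'a'}."""
    return set(token.strip("{}").split())


def parse_allow_rules(policy_text):
    """Parse every allow rule in the text into its four elements."""
    rules = []
    for m in RULE_RE.finditer(policy_text):
        rules.append({
            "source": _expand(m.group("src")),
            "target": _expand(m.group("tgt")),
            "classes": _expand(m.group("cls")),
            "perms": _expand(m.group("perms")),
        })
    return rules


def check_access(rules, source, target, obj_class, perm):
    """Default deny: True only if an allow rule grants exactly this access.

    There is deliberately no uid/gid parameter: the decision depends only
    on the types of the subject and object, not on who the user is.
    """
    return any(
        source in r["source"]
        and target in r["target"]
        and obj_class in r["classes"]
        and perm in r["perms"]
        for r in rules
    )


def decide_all(rules, requests):
    """Evaluate a list of (source, target, class, perm) requests."""
    return {
        req: ("allowed" if check_access(rules, *req) else "denied")
        for req in requests
    }


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_POLICY)
    requests = [
        ("user_t", "bin_t", "file", "execute"),        # granted by rule 1
        ("user_t", "bin_t", "file", "write"),          # no rule: denied
        ("staff_t", "user_home_t", "dir", "search"),   # granted via set source
        ("staff_t", "user_home_t", "file", "read"),    # only user_t may: denied
        ("unconfined_t", "bin_t", "file", "read"),     # unknown type: denied
    ]
    for req, verdict in decide_all(rules, requests).items():
        print(" ".join(req), "->", verdict)
```

Every request that no rule mentions comes back `denied`, including ones from a type the policy never names; this is the "no default superuser" property from the text, expressed as code.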
