Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system that implements access rights by applying a security label referred to as an SELinux context to each system object. SELinux policy modules use SELinux contexts to define rules for how processes, files, ports, and other system objects interact with each other. Interaction between system objects is only permitted if a policy rule allows it.
An SELinux context (the label applied to a system object) has the following fields:
security level. Type information rather than the entire SELinux context is used most commonly to define rules for how processes interact with other system objects. MySQL SELinux policy modules, for example, define policy rules using
You can view SELinux contexts using operating system commands such as ls and ps with the
-Z option. Assuming that SELinux is enabled and a MySQL Server is running, the following commands show the SELinux context for the mysqld process and MySQL data directory:
shell> ps -eZ | grep mysqld system_u:system_r:mysqld_t:s0 5924 ? 00:00:03 mysqld
MySQL data directory:
shell> cd /var/lib shell> ls -Z | grep mysql system_u:object_r:mysqld_db_t:s0 mysql
system_uis an SELinux user identity for system processes and objects.
system_ris an SELinux role used for system processes.
objects_ris an SELinux role used for system objects.
mysqld_tis the type associated with the mysqld process.
mysqld_db_tis the type associated with the MySQL data directory and its files.
s0is the security level.
For more information about interpreting SELinux contexts, refer to your distribution's SELinux documentation.