- Apache is supposed to read these directories and connect to these ports.
- USER-X should not be allowed to execute files in his home directory.
- The database should only be accessed through its Unix domain socket.
What is a process supposed to do?
Allow the process to do this and nothing else.
In the case of a logged-in user, you group all the processes together under a single type (guest_t), and then you end up with all processes running as guest_t. None of them can execute in the home directory, none can connect to the network, and none can make the setuid system call to become root.
Often when I give talks on SELinux we get too deep into the internals; I believe we need to bring it down to these simpler terms.
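As an added example (not from the original post), this is how the guest_t confinement described above is applied to an account and then checked. It assumes a Fedora/RHEL targeted policy with semanage, setsebool and sesearch installed, root for the first function, and uses the page's placeholder account name USER-X; the semanage output fed to the parsing helper is constructed.

```bash
#!/bin/bash
# Map a Linux login to the guest_u SELinux user so every process it starts runs
# as guest_t, and keep the boolean that would let guest_t execute files in its
# home directory switched off (-P makes the setting persistent across reboots).
confine_user() {
    semanage login -a -s guest_u "$1"
    setsebool -P guest_exec_content off
}

# Pure helper (no SELinux tools needed): read "semanage login -l" style output
# on stdin and print the SELinux user mapped to login $1, or "unmapped".
selinux_user_for() {
    awk -v login="$1" '
        $1 == login { print $2; found = 1 }
        END { if (!found) print "unmapped" }'
}

# List the allow rules that would grant source domain $1 permission $4 on
# class $3 of target type $2. An empty list means the policy denies it;
# conditional rules are printed with their boolean and its current state.
show_rules() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4"
}

# Check the three restrictions the text describes for a guest_t user:
# no execution in the home directory, no network connections, no setuid.
audit_guest() {
    echo "$1 is mapped to: $(semanage login -l | selinux_user_for "$1")"
    echo "--- execute in home directory (expect nothing) ---"
    show_rules guest_t user_home_t file execute
    echo "--- outbound TCP connect (expect nothing) ---"
    show_rules guest_t port_t tcp_socket name_connect
    echo "--- setuid capability (expect nothing) ---"
    show_rules guest_t guest_t capability setuid
}

# Usage (as root on an SELinux-enabled host):
#   confine_user USER-X
#   audit_guest USER-X
```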
The beauty of this system is that it works for everyone from the highest levels of security in DOD environments down to the kiosk machine at your local library.
Are non-government entities starting to use SELinux? You betcha.
New York Stock Exchange