SELinux is designed as "mandatory access control," meaning that it is not normal... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		chasil on Jan 19, 2022 \| parent \| context \| favorite \| on: Systemd service sandboxing and security hardening ... SELinux is designed as "mandatory access control," meaning that it is not normally disabled. The normal filesystem permissions of read/write/execute for user/group/other are among those known as "discretionary access controls," meaning that they can be relaxed. The systemd unit security options are discretionary, at the control of the administrator.

t0astbread on Jan 19, 2022 [–]

Is SELinux not also in the administrator's control?

chasil on Jan 20, 2022 | [–]

An administrator can disable it complete with "setenforce 0" and restore it with "setenforce 1" if necessary.

The rules can also be adjusted, and there are a number of tunable parameters.

The intent is that it is never disabled.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact