4.6. Summary

  • Object classes and permissions are the basis for access control in SELinux, both as part of the policy language and for the access enforcement mechanism in the kernel.

  • Object classes represent system resources such as files, processes, directories, and sockets. There is a corresponding object class for every kind of system resource.

  • Permissions represent access to system resources. Each object class has a defined set of permissions called an access vector.

  • Object classes are declared using the class declaration statement (class).

  • Permissions are associated with object classes using the access vector statement (also class).

  • Two types of permissions are defined in SELinux: common permissions and class-specific permissions.

  • Common permissions are a set of permissions shared by more than one object class. They are associated with the object classes as a group using the access vector statement.

  • SELinux provides object classes and permissions to accurately and comprehensively cover all system resources. In FC4, this results in more than 40 object classes, reflecting the richness and complexity of Linux.

  • Understanding all the object classes and permissions requires a detailed understanding of both SELinux and Linux.

  • Allowing access to accomplish many tasks in Linux requires multiple permissions on one or more object classes.

  • Appendix C has a complete reference of all object classes and permissions.
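The following is an added example, not code from the book: a small Python resolver that reads a constructed policy fragment containing the three statement kinds summarized above (class declarations, a common permission set, and access vector statements with inherits), builds each class's access vector, and then checks the permission sets of allow rules against those vectors the way a policy compiler would. The permission names are a subset of the real SELinux file, dir and process access vectors; the type names user_t and user_home_t in the sample rules are placeholders. It also shows the last point in the list: reading a file inside a directory needs permissions on two object classes.

```python
import re

# Constructed policy fragment (not from the book) showing the three statement
# kinds the summary names: class declarations, a common permission set, and
# access vector statements that attach permissions to a class.  Permission
# names are a subset of the real SELinux file/dir/process access vectors.
POLICY = """
# security_classes: declare the object classes
class file
class dir
class process

# access_vectors: common permissions shared by file-like classes
common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute }

# access vector statements: class-specific permissions, optionally inheriting a common set
class file inherits file { execute_no_trans entrypoint open }
class dir inherits file { add_name remove_name reparent search rmdir open }
class process { fork transition sigchld sigkill signal getattr setexec }
"""

CLASS_DECL = re.compile(r"^class\s+(\w+)\s*$")
COMMON_DECL = re.compile(r"^common\s+(\w+)\s*\{([^}]*)\}\s*$")
AV_DECL = re.compile(r"^class\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}\s*$")
ALLOW_RULE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$")


def parse_policy(text):
    """Return {class_name: access_vector}, the full permission set of each class."""
    classes, commons = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if m := CLASS_DECL.match(line):
            classes.setdefault(m.group(1), set())
        elif m := COMMON_DECL.match(line):
            commons[m.group(1)] = set(m.group(2).split())
        elif m := AV_DECL.match(line):
            name, common, perms = m.groups()
            if name not in classes:
                raise ValueError(f"access vector for undeclared class {name!r}")
            if common is not None:
                if common not in commons:
                    raise ValueError(f"class {name!r} inherits unknown common {common!r}")
                classes[name] |= commons[common]      # shared permissions first
            classes[name] |= set(perms.split())       # then class-specific ones
        else:
            raise ValueError(f"unrecognised statement: {line!r}")
    return classes


def check_allow_rule(classes, rule):
    """Parse one allow rule and return (source, target, class, undefined_perms).

    A permission that is not in the class's access vector is rejected by the
    policy compiler; an empty set means the rule is well-formed."""
    m = ALLOW_RULE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed allow rule: {rule!r}")
    src, tgt, cls, braced, single = m.groups()
    perms = set(braced.split()) if braced is not None else {single}
    if cls not in classes:
        raise ValueError(f"unknown object class {cls!r}")
    return src, tgt, cls, perms - classes[cls]


if __name__ == "__main__":
    av = parse_policy(POLICY)
    for cls in sorted(av):
        print(f"{cls}: {len(av[cls])} permissions")
    # Reading a file inside a directory needs permissions on two classes
    # (user_t / user_home_t are sample type names, not the book's).
    for rule in [
        "allow user_t user_home_t:dir search;",
        "allow user_t user_home_t:file { read getattr open };",
        "allow user_t user_home_t:file { read search };",   # search belongs to dir, not file
    ]:
        _, _, cls, bad = check_allow_rule(av, rule)
        print(rule, "->", "ok" if not bad else f"undefined for {cls}: {sorted(bad)}")
```

Running it lists file with 17 permissions (14 common plus 3 class-specific), dir with 20, and process with 7, and flags the third rule because search is a dir permission that file does not carry. This is exactly why a task such as reading a file needs allow rules on more than one object class, and why the per-class access vectors in Appendix C matter when writing or auditing policy.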


SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154