An object is labeled in one of four ways: policy statements (for example, type transition rules), hard-coded object manager defaults, program-requested labeling, and initial SIDs.
The policy must always contain the appropriate access in addition to any relevant labeling statements for an object to be successfully labeled.
Labeling decisions often use information from the execution environment (for example, security context for the process and related object instances).
File-related labeling behavior is specified per-filesystem using the filesystem use statements or the generalized security context statement.
Extended attribute labeling is used for most native Linux filesystems and supports program-requested labeling and persistent storage of security contexts.
Labels on extended attribute labeled filesystems are managed using file context files and utilities that read those files.
Task-based and transition-based labeling are used primarily for pseudo filesystems.
Generalized security context labeling is used primarily for labeling proc and legacy filesystems.
Network interfaces are labeled by interface name (for example, eth0) using the netifcon statement.
Network nodes are labeled by IP address and netmask using the nodecon statement.
Ports are labeled by number using the portcon statement.
Successfully sending or receiving network data often requires permissions on several socket objects in addition to permission on the relevant node and netif objects.
System V IPC objects, with the exception of msg objects, receive the security context of the creating process. Msg objects are labeled based on type_transition rules or the security context of the creating process.
Processes receive the same security context as their parent. This security context can be changed through a domain or dynamic context transition.
The capability object has the same security context as the associated process.
The security and system objects receive the security context of the kernel and security initial SIDs, respectively.
Initial SIDs are used to label some objects and are a failsafe default to prevent objects from having a missing or invalid security context.
