dom wrote:
If you mean which security models are used by default in Fedora:
1. (IBAC) Identity-Based Access Control: Allows you to associate Linux UIDs/GIDs to SELinux identities (this is a default security model, meaning it's always there)
2. (RBAC) Role-Based Access Control: Allows you to give users access to sets of permissions (this is a default security model, meaning it's always there)
3. (TE) Type-Enforcement: Allows you to enforce integrity by specifying how processes with specified type identifiers can interact with or operate on other processes, and system resources with specified types respectively (this is a default security model, meaning it's always there)
4. (MCS) Multi-Category Security: Allows you to additionally compartmentalize/isolate different processes with the same type identifier, and/or different type identifiers (this is an optional security model, meaning that you have to enable it: Fedora has it enabled)
Other security models that are not enabled by default in Fedora's targeted policy:
1. (UBAC) User-Based Access Control: Allows you to additionally compartmentalize/isolate processes using a SELinux identity identifier (this is an optional security model, meaning that you have to enable it: Fedora has it disabled)
2. (MLS) Multi-Level Security: Allows you to additionally enforce confidentiality by assigning sensitivities to processes and system resources. Processes with lower sensitivities cannot read up, and processes with higher sensitivities cannot write down. The MLS security model also allows you to compartmentalize/isolate different processes with the same type identifiers, and/or different type identifiers, like the MCS security model (this is an optional security model, meaning that you have to enable it: Fedora has a separate policy model called MLS that has IBAC, RBAC, TE, and MLS enabled)
The MCS and MLS security models are mutually exclusive.
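
The level rules described in the post (no read up, no write down, category compartments), as an added example that is not part of the original post and not SELinux's own code. It is a simplified model: real decisions come from the loaded policy's constraints, level ranges are not handled, and every context string below is a constructed sample.

```python
from typing import NamedTuple

class Level(NamedTuple):
    sens: int            # sensitivity, e.g. 2 for "s2"
    cats: frozenset      # category numbers, e.g. {1, 5} for "c1,c5"

def _num(token, prefix):
    if not token.startswith(prefix) or not token[1:].isdigit():
        raise ValueError(f"expected {prefix}<n>, got {token!r}")
    return int(token[1:])

def parse_level(text):
    """Parse one level: 's0', 's2:c1,c5' or 's0:c0.c3' (c0 through c3)."""
    sens, _, cat_text = text.partition(":")
    cats = set()
    for part in filter(None, cat_text.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(_num(lo, "c"), _num(hi or lo, "c") + 1))
    return Level(_num(sens, "s"), frozenset(cats))

def parse_context(ctx):
    """Split 'user:role:type:level' into its four fields."""
    fields = ctx.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"no MCS/MLS level field in {ctx!r}")
    user, role, type_, level = fields
    if "-" in level:
        raise ValueError("level ranges (low-high) are not handled here")
    return user, role, type_, parse_level(level)

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a.sens >= b.sens and a.cats >= b.cats

def may_read(subject_ctx, object_ctx):
    # "cannot read up": the subject's level must dominate the object's.
    return dominates(parse_context(subject_ctx)[3], parse_context(object_ctx)[3])

def may_write(subject_ctx, object_ctx):
    # "cannot write down": the object's level must dominate the subject's.
    return dominates(parse_context(object_ctx)[3], parse_context(subject_ctx)[3])

# Constructed sample contexts (not taken from a real system).
VM1 = "system_u:system_r:svirt_t:s0:c1,c2"        # MCS: same type as VM2
VM2 = "system_u:system_r:svirt_t:s0:c3,c4"
IMG1 = "system_u:object_r:svirt_image_t:s0:c1,c2"
LOW_PROC = "user_u:user_r:user_t:s1"              # MLS-style levels
HIGH_PROC = "staff_u:staff_r:staff_t:s3:c0.c3"
HIGH_FILE = "system_u:object_r:etc_t:s3:c0"
LOW_FILE = "system_u:object_r:etc_t:s1"
```

With these samples, `may_read(VM1, IMG1)` is true while `may_read(VM2, IMG1)` is false even though both processes share a type, which is the compartmentalization the post attributes to MCS.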