# OpenHarmony SELinux Overview

## Introduction

OpenHarmony Security-Enhanced Linux (SELinux) provides mandatory access control (MAC) capabilities for system resources, such as files, parameters, system abilities (SAs), and Hardware Driver Foundation (HDF) services, based on the system architecture characteristics and SELinux. This topic describes how to develop the OpenHarmony SELinux features based on the SELinux access control model.

OpenHarmony SELinux provides the following functionalities:

- Access control for parameters, SAs, and HDF services.
- Setting of application labels.
- Security policy compiling and loading.
- Security context compiling and loading.
- Policy validity check during compilation.

## Basic Concepts

- Security context

  Security contexts are also referred to as SELinux labels. An OpenHarmony SELinux context is in the **user:role:type:sensitivity[:category,...]-sensitivity[:category,...]** format, where:
  - **user**: user type. For example, **user u roles { r }** indicates the user **u** who is authorized for role **r**.
  - **role**: role identifier, which defines the types that can be accessed by a process. It is **object_r** for the user type of resources such as files, parameters, SA services, and HDF services, and **r** for the user type of processes.
  - **type**: SELinux type. In SELinux rule statements, **type** specifies the rule.
  - **sensitivity**: multi-level security (MLS) level. Different security levels are isolated. Currently, OpenHarmony SELinux supports only the security level **s0**.
  - **category**: category of a specific sensitivity. Currently, OpenHarmony SELinux has defined categories **c0** to **c1023**, which are not distinguished for SELinux policies.

- Subject

  A subject is an active entity that makes a request to access a resource (object). It can be a user, a process, a service, or an SELinux type.
  In OpenHarmony SELinux, process subjects are classified into native processes, application processes, SA processes, and HDF processes.

- Object

  An object is the resource to access. It can be a file, directory, parameter, SA, or HDF service.

- SID

  Security ID (SID or sid) is a unique identifier of a process, a file, or an SELinux object.

- AVC

  Access Vector Cache (AVC) is used to trace and cache information about access control decisions to improve system performance and security.

- TE

  An SELinux policy consists of multiple type enforcement (TE) rules.

- Running mode

  OpenHarmony SELinux can run in either of the following modes:
  + Enforcing mode: Permission denials are both enforced and logged with an AVC alarm.
  + Permissive mode: Permission denials are logged with an AVC alarm but not enforced.

## Working Principles

OpenHarmony SELinux uses the security contexts of the subject and object to determine whether the subject can access the object and intercepts unauthorized behavior in kernel mode.

**Figure 1** OpenHarmony SELinux architecture
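
The access decision described under Working Principles can be sketched as a simplified user-space model. This is an added example, not OpenHarmony or kernel code: it parses the subject and object contexts in the format given under Basic Concepts, looks up a TE allow rule, and applies the enforcing or permissive behavior. The type names `demo_service` and `demo_data_file`, the rule table layout, and the acceptance of a context without the second (high) level are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Per the page: only sensitivity s0 exists; categories run c0..c1023.
_LEVEL = re.compile(r"s0(?::(c[0-9]+(?:,c[0-9]+)*))?")

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

def parse_context(label: str) -> Context:
    """Parse user:role:type:low[-high]; a missing high level is accepted (assumption)."""
    parts = label.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed context: {label!r}")
    user, role, typ, level = parts
    if role not in ("r", "object_r"):
        raise ValueError(f"unknown role: {role!r}")
    for lvl in level.split("-", 1):
        m = _LEVEL.fullmatch(lvl)
        if m is None:
            raise ValueError(f"unsupported level: {lvl!r}")
        cats = m.group(1).split(",") if m.group(1) else []
        if any(int(c[1:]) > 1023 for c in cats):
            raise ValueError(f"category out of range: {lvl!r}")
    return Context(user, role, typ, level)

def check_access(scontext, tcontext, tclass, perm, allow_rules, enforcing=True):
    """Return (permitted, avc_logged) for one access request."""
    src, tgt = parse_context(scontext), parse_context(tcontext)
    if src.role != "r":
        raise ValueError("subject must carry the process role r")
    # TE is default-deny: access needs a matching allow rule on the two types.
    if perm in allow_rules.get((src.type, tgt.type, tclass), ()):
        return True, False
    # Denials are always logged; only enforcing mode actually blocks them.
    return (not enforcing), True

# Constructed sample policy and labels; the type names are hypothetical.
RULES = {("demo_service", "demo_data_file", "file"): {"read", "open"}}
SUBJ = "u:r:demo_service:s0"
OBJ = "u:object_r:demo_data_file:s0"

if __name__ == "__main__":
    for perm, mode in (("read", True), ("write", True), ("write", False)):
        print(perm, "enforcing" if mode else "permissive",
              check_access(SUBJ, OBJ, "file", perm, RULES, enforcing=mode))
```

The permissive result `(True, True)` is why permissive mode is useful for policy development but provides no protection: the access is recorded as a denial yet still succeeds.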