SELinux
Introduction
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).
This article will introduce some selinux internals as well as some useful examples.
SELinux Related Concepts
- Subjects
- programs
- Objects
- files that accessed by programs
- Policy
- access control
- targeted - Targeted processes are protected.
- minimum - Modification of targeted policy. Only selected processes are protected.
- mls - Multi Level Security protection.
- Mode
- Enforcing or Permissive or Disabled. Use
setenforce
to change mode andsetenforce
to verify it.
- enforcing - SELinux security policy is enforced.
- permissive - SELinux prints warnings instead of enforcing.
- disabled - No SELinux policy is loaded.
View SELinux Status:
sestatus -v
SELinux Map
unix users(root,toor)
|
| 1:1
v
SELinux Identities(unconfined_u, user_u)
|
| 1:N
v
SELinux Roles(unconfined_r, sysadm_r, user_r)
|
| 1:1
v
SELinux Domains(sysadm_t, user_t)
Process
user login
|
| assign default security context
v
user
|
| inherited by
v
process1, process2 ...
Policy
operations
|
| check against policy
v
authorized|forbidden
Standard policies
- targeted
- strict
Security Context
- user identity
- role
- domain
Rights is associated with domains. domains is also a type.
dedicated domain:
sshd: sshd_exec_t -> sshd_t
- DAC
- Descretionary Access Control
- MAC
- Mandatory Access Control
- MCS
- Multi Category Security
- LSM
- Linux Security Module