4.1 Purpose of the existence of object class in SELinux

object classes and their associated permissions are the basis for access control in SELinux. Object classes represent categories of resources such as files and sockets, and permissions represent access to these resources, such as read and send. Understanding object classes and permissions is a difficult aspect of SELinux, because he continues to have knowledge of Linux and requires selinux knowledge.

An object class represents all resources (such as files or sockets) of a certain type. An instance of an object class (for example, a particular file or socket) is simply called an object. Usually the term object class and object can be used interchangeably, but it is very important to understand the difference between them. The object class refers to the entire resource category (file), which refers to a particular instance (/ETC/PASSWD) in the class of object.

As we discussed in Chapter two, "Concepts," describes the access to an object in a policy by the permission of the object class with the specified type. To illustrate, let's consider the following rules.

Allow user_t Bin_t:file{read execute getattr};

In this rule, a process of type user_t (that is, a resource or a principal) is allowed to read, execute, and get its property operations on all object-class entities that have the target type bin_t. The object class file specifies the category of the resource, bin_t the entity that specifies which resource class to apply that rule (that is, the file entity of these types is bin_t). He does not apply those that have bin_t types but not file classes and are not applied to file entities but do not have bin_t types to be their type.

The permissions in this rule, read, execute, and get properties define the allowed entities that have the user_t type to access these objects. Each of these valid permissions on the file object class represents some way to access the object. (for example, the Read permission needs to use Open (2) system calls for opening files for reading, etc.). These sets of permissions defined for the object class (also known as access vectors) represent many possible accesses, which can be allowed for access to resources represented by those object classes.
?
The collection of object classes relies on SELinux versions and Linux collections. Over time, new and different object classes have developed new and changed kernel features. For example, the newer version of the Linux kernel has introduced a new netlink-specific socket for the control audit framework. For these kernels that support netlink-specific, a SELinux object class with the appropriate permissions is defined.

Copyright NOTICE: Hello, reprint please leave my blog address, thank you

4.1 Purpose of the existence of object class in SELinux