Linux security-access control mechanism (ACM)

1. Access Control Mechanism (ACM)

ACM: access control mechanisms

ACM provides system administrators with a way to control which users and processes can access different files, devices, and interfaces. ACM is a major consideration for ensuring the security of computer systems or networks.

ACM provides the following six methods:

1) independent access control: Discretionary Access Control (DAC)

2) Access Control List: access control lists (ACLs)

3) Mandatory Access Control: Mandatory Access Control (MAC)

4) Role-Based Access Control: Role-Based Access Control (RBAC)

5) multi-level security (MLS)

6) multi-class security: multi-category security (MCS)

1.1 independent access control (DAC)

DAC defines basic access control for objects (files, directories, devices, etc.) in the file system, that is, typical file permissions and sharing. This access mechanism is usually determined by the object owner.

1.2 access control list (ACL)

ACL provides further control over which objects can be accessed by a subject (process, user, etc.

1.3 MAC)

Mac is a security mechanism that limits the "control level" that a user (subject) has on the objects it creates ". Unlike DAC, in DAC, users have full control over their own objects (files, directories, devices, etc.), while in Mac, additional labels or categories are added to all file system objects. Before subjects (user or process) Interacts with objects, they must perform proper access to these categories or labels (that is, they must first perform permission judgment ).

Access control is thoroughly implemented. access to all files, directories, and ports is based on policies. These policies are set by the Administrator and generally do not have the right to change.

1.4 Role-Based Access Control (RBAC)

RBAC is a method that allows users to access the file system objects. It is not controlled based on user permissions. The system administrator establishes corresponding roles based on business functional requirements. These roles have different types and access levels for objects.
Compared with DAC and MAC systems, in DAC and MAC systems, users access objects based on their own and object permissions. in RBAC systems, before a user interacts with objects (files, directories, devices, etc.), the user must be a member or role of an appropriate group.

From the perspective of system administrators, RBAC makes it easier to control group members so that users can access what part of the file system.

Only the minimum permission is granted to the user. For users, it is divided into some role. Even the root user, if you are not in sysadm_r, you still cannot perform sysadm_t management operations. This is because the policies set which role can execute and which domain are also set. Role can also be migrated, but it can only be migrated according to the policy.

1.5. Multi-level security (MLS)

Multi-level security (MLS) is a specific security solution for mandatory access control. In this solution, processes are called "subjects", and passive entities of files, directories, sockets, and other operating systems are called "objects ".

1.6. multi-class security (MCS)

Multi-category security (MCS) is an enhanced SELinux that allows users to mark file categories. In SELinux, MCS is the adapter for mlsand reusing the MLS framework.