1. "SELinux Study notes" background

Source: Internet
Author: User

1. Reference monitor

Currently, the main type of access control in most operating systems is DAC (discretionary access control), whose main characteristic is that permissions to access resources are granted to users. But DAC has some weaknesses, and MAC (mandatory access control) was created to overcome them. MAC has weaknesses of its own: it is not very flexible to use. The value that SELinux brings to Linux is a flexible, configurable MAC mechanism. Understanding the reference monitor is a great help in understanding access control, so let's start with the reference monitor schematic, as follows:
Figure 1

The advantage of this approach is that a program's access to resources can be restricted through access rules, which determine whether the subject may access the object. In a Linux system, the subject is usually a process, and the object is usually a system resource (such as files, directories, sockets, shared memory, and so on).
2. DAC (discretionary access control)

Linux DAC employs a very simple strategy: it divides the accessors of a resource into three classes (owner, group, other), and the resource sets different access rights for each class. Access rights are divided into read, write, and execute.

The accessor is usually a process with its own uid/gid; whether access is allowed is determined by matching that uid/gid against the file's permissions.

DAC is an access control mechanism that allows authorized users to change an object's access control attributes, and most DAC mechanisms base access control on user identity. Simply put, if a user is authorized to access something, the programs that user runs are authorized as well, so a malicious program will have the same access rights. Root's privileges are divided into a number of capabilities according to different scenarios; a process that holds CAP_DAC_OVERRIDE can bypass the Linux DAC restrictions directly.

One important point about Linux DAC is that root privilege is "lawless" and can do almost anything; once an intruder has root privileges, the intruder has full control of the system. In addition, each process by default holds all the rights of the user it runs as and can change or delete all of that user's file resources, which obviously makes it difficult to defend against malicious software.
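The DAC decision described above can be modelled in a few lines. This is an added example, not code from the original notes; it is a simplified model for regular files only, and the uids, gids and file modes are constructed sample values.

```python
# Simplified model of the Linux DAC decision for a regular file (added example).
CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def dac_allows(proc, inode, want):
    """proc: {"uid", "gids", "caps"}; inode: {"uid", "gid", "mode"}; want: e.g. "rw"."""
    mode = inode["mode"]
    # Exactly one class applies: owner first, then group, then other.
    if proc["uid"] == inode["uid"]:
        granted = (mode >> 6) & 7
    elif inode["gid"] in proc["gids"]:
        granted = (mode >> 3) & 7
    else:
        granted = mode & 7
    needed = sum(PERM_BITS[c] for c in set(want))
    if granted & needed == needed:
        return True
    # CAP_DAC_OVERRIDE skips the read/write check; executing a regular
    # file still requires at least one execute bit to be set.
    if CAP_DAC_OVERRIDE in proc["caps"]:
        return "x" not in want or bool(mode & 0o111)
    return False

# Constructed sample subjects and objects (hypothetical uids, gids, modes).
ALICE = {"uid": 1000, "gids": {1000}, "caps": set()}
ROOT = {"uid": 0, "gids": {0}, "caps": {CAP_DAC_OVERRIDE}}
SHADOW = {"uid": 0, "gid": 42, "mode": 0o640}
ALICE_NOTES = {"uid": 1000, "gid": 1000, "mode": 0o600}
LOCKED = {"uid": 1000, "gid": 1000, "mode": 0o000}
OWNER_MASKED = {"uid": 1000, "gid": 1000, "mode": 0o044}

if __name__ == "__main__":
    for name, proc, inode, want in [
        ("alice reads shadow", ALICE, SHADOW, "r"),
        ("any program running as alice rewrites her notes", ALICE, ALICE_NOTES, "rw"),
        ("alice reads a file whose owner bits are empty", ALICE, OWNER_MASKED, "r"),
        ("root writes alice's mode-000 file", ROOT, LOCKED, "rw"),
    ]:
        print(f"{name}: {dac_allows(proc, inode, want)}")
```

The decision depends only on the process's uid/gid and capabilities, never on which program is running, which is why every program a user starts inherits that user's full access.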
3. MAC (mandatory access control)

Linux MAC addresses the shortcomings of DAC: it requires the system to validate every access to a file resource, and this validation is based on a policy that has already been defined. In the Linux kernel, all MAC mechanisms are built on Linux Security Modules (LSM).

Compared with Linux DAC, MAC makes up for DAC's shortcomings and restricts root: even with root privileges, an operation that does not pass MAC verification still cannot be carried out. In addition, each permission is refined more completely, which makes it possible to restrict the user's access to resources.

Most common MAC mechanisms implement a multi-level security (MLS) model, as follows:
Figure 2

In the MLS model, all subjects and objects are labeled with a security level; here there are two, public and secret, which represent two levels of data sensitivity. In MLS, a subject can always read and write objects at its own level; in addition, it can read lower-level objects (read down) and write to higher-level objects (write up). The most fundamental change MLS makes to access control is that the owner (or user) of the data can no longer arbitrarily decide who may access an object.
4. SELinux

SELinux implements a flexible MAC mechanism called Type Enforcement (TE). In a type-enforcement policy, every subject and object has a type identifier associated with it. If a subject wants to access an object, the subject's type must be authorized to access the object's type; the subject's user identity is not what is checked. By default, SELinux does not allow any access, and developers write rules that specify what a subject can access, so SELinux can be adapted to a great many security policies. The SELinux policy is actually a special file that contains all the rules the SELinux kernel will enforce; the policy file is compiled from a set of source files, and the policy differs from system to system. During startup, the policy is loaded into the kernel, which then uses it as the basis for access control.
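The default-deny, type-based decision described above, as an added example that is not part of the original notes: a small Python model that reads rules written in SELinux `allow` syntax and answers access queries. The rules and security contexts are constructed samples, and the model is an illustration only; a real policy is compiled and enforced inside the kernel.

```python
import re

# Constructed sample rules in SELinux "allow" syntax; not taken from a real policy.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append open };
allow passwd_t shadow_t:file { read write open };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def load_policy(text):
    """Return {(source_type, target_type, object_class): set(permissions)}."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def te_allows(rules, subject_ctx, object_ctx, cls, perm):
    """Default deny: access is granted only if an allow rule names it.

    Contexts have the form user:role:type[:level]. Only the type field is
    consulted, so running as uid 0 gives a process no extra access here.
    """
    s_type = subject_ctx.split(":")[2]
    o_type = object_ctx.split(":")[2]
    return perm in rules.get((s_type, o_type, cls), set())

# Constructed sample contexts for the queries below.
HTTPD = "system_u:system_r:httpd_t:s0"
PASSWD = "system_u:system_r:passwd_t:s0"
WEB_FILE = "system_u:object_r:httpd_sys_content_t:s0"
LOG_FILE = "system_u:object_r:httpd_log_t:s0"
SHADOW_FILE = "system_u:object_r:shadow_t:s0"

if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY)
    for subj, obj, perm in [(HTTPD, WEB_FILE, "read"), (HTTPD, LOG_FILE, "write"),
                            (HTTPD, SHADOW_FILE, "read"), (PASSWD, SHADOW_FILE, "write")]:
        verdict = "allowed" if te_allows(rules, subj, obj, "file", perm) else "denied"
        print(f"{subj.split(':')[2]} -> {obj.split(':')[2]} {perm}: {verdict}")
```

A web server process confined to `httpd_t` is denied access to `shadow_t` files in this model regardless of its uid, because no rule authorizes that type pair.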

Copyright notice: This is an original article by the blogger and may not be reproduced without the blogger's permission.
