4.3 What object classes are available now?

In this section we introduce the kernel object classes available in Fedora Core 4 (FC4). Our goal is to describe each object class and to explain how kernel resources are mapped onto those object classes.

FC4 has more than 40 kernel object classes, representing all of the resources the kernel provides. The number of object classes reflects the goal of representing kernel resources in SELinux as completely and accurately as possible. Because Linux itself is rich and complex, an accurate representation of it is necessarily rich and complex too. This complexity may seem daunting, but it is what gives SELinux the flexibility to address the security challenges Linux faces. Tools and higher-level technologies build on this richness to provide sophisticated security features without requiring users to understand the underlying detail.

To make them easier to understand, we divide the kernel object classes into four groups: file-related, network-related, System V IPC, and other.

4.3.1 File-related object classes

The first group of object classes covers files and the other resources stored on file systems. These are the most familiar to users. The group includes object classes for persistent, disk-based file systems and for in-memory file systems such as proc or sysfs.

A basic concept of Unix-like systems is that "everything is a file", which is true in many ways, but it obscures the fact that not all files are the same. Modern Unix-like systems such as Linux have special files for devices and for IPC in addition to the regular files used to store data. SELinux represents these distinctions in the kernel at a finer granularity. The following table summarizes the file-related object classes.

Object class   Description
blk_file       Block device file
chr_file       Character device file
dir            Directory
fd             File descriptor
fifo_file      Named pipe (FIFO)
file           Regular file
filesystem     File system
lnk_file       Symbolic link
sock_file      UNIX domain socket file

The file and dir object classes represent regular files and directories, respectively. Regular files store data and are the most common objects on most systems. A directory is a special file on a Linux system; it is unique in that it contains other file system entities.

The lnk_file object class represents a symbolic link. In many situations it is important to distinguish regular files from symbolic links in order to prevent a common class of attack: a malicious program or user creates a symbolic link that causes a (usually privileged) process to access or modify a file other than the one it intended. The separate lnk_file object class lets us write policy that blocks this kind of attack.
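The attack described above, as an added example that is not part of the book: an attacker replaces a path the process expects to write with a symbolic link to a file it must not touch. A naive open follows the link and clobbers the target; opening with O_NOFOLLOW refuses a link at the final path component (the kernel reports ELOOP). The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the book): a symbolic link redirecting a careless
process, and the open(2) flag that refuses to follow it. The file layout is
constructed in a temporary directory for illustration (assumes Linux)."""
import errno
import os
import shutil
import tempfile


def build_playground():
    """Constructed layout: a secret file that must not be overwritten, and a
    'report.txt' path that an attacker has replaced with a symlink to it."""
    root = tempfile.mkdtemp(prefix="lnk_demo_")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("original secret\n")
    report = os.path.join(root, "report.txt")
    os.symlink(secret, report)  # the attacker's planted link
    return root, secret, report


def naive_write(path, data):
    """Opens whatever the path resolves to; a symlink silently redirects the write."""
    with open(path, "w") as f:
        f.write(data)
    return True


def nofollow_write(path, data):
    """Refuses to write through a symlink at the final path component.
    Returns False when the path was a symlink (open fails with ELOOP)."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return False
        raise
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return True


def run_demo():
    """Returns (secret after naive write, nofollow result, secret after nofollow write)."""
    root, secret, report = build_playground()
    try:
        naive_write(report, "clobbered\n")
        with open(secret) as f:
            after_naive = f.read()
        with open(secret, "w") as f:  # restore the secret for the second attempt
            f.write("original secret\n")
        wrote = nofollow_write(report, "clobbered again\n")
        with open(secret) as f:
            after_nofollow = f.read()
    finally:
        shutil.rmtree(root)
    return after_naive, wrote, after_nofollow


if __name__ == "__main__":
    print(run_demo())  # ('clobbered\n', False, 'original secret\n')
```

O_NOFOLLOW is the DAC-level, per-program defence. SELinux adds a policy-level one: following a symbolic link requires read permission on the lnk_file object of the link's type, so policy can deny a daemon the right to follow links whose type can be created by untrusted users, regardless of how the daemon opens the path.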

The fifo_file and sock_file object classes represent the special files used for IPC. fifo_file represents a FIFO, also known as a named pipe. sock_file controls the ability to create, access, and otherwise manipulate the file system entities associated with UNIX domain sockets.

The UNIX domain socket object classes themselves, and their relationship to socket files, are discussed in the next section.

In Linux, devices appear as special files in the /dev directory. These files identify block and character devices by their major and minor device numbers. A character device is one whose data flows in and out as a stream of bytes; a block device transfers its data in larger fixed-size blocks. chr_file and blk_file represent character devices and block devices, respectively.

The last two object classes in this group, filesystem and fd, are not what most people think of as file system entities. The filesystem object class represents a mounted file system and controls global operations such as mounting, unmounting, and querying quotas. For example, using the filesystem object class we could allow only the mounting of file systems that support persistent security labels. The default label for each file system type is assigned by the fs_use statements in the policy, which are described in the chapter on object labeling. That default can be overridden with the context mount option when the file system is mounted.

A file descriptor is a handle, held by a process, to an open file-related object. Although a file descriptor is a kernel data structure rather than a file-related object, it is common to think of it as being the underlying object. Standard Linux access control does not control file descriptors individually. This ignores the fact that a file descriptor is a distinct resource that can be passed between processes, most commonly when a child inherits descriptors from its parent. Such inheritance is not always desirable, and many Linux programming guides warn against it, especially for daemons. To address this and related problems, SELinux has the fd object class, which represents file descriptors. Using this class, policy can prevent file descriptors from being passed or inherited between processes (domains). Note that permission to use a file descriptor is not by itself sufficient to access the underlying file-related object; the process must also have the relevant permissions on that object.
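The inheritance problem above, as an added example that is not the book's code: a parent holds a sensitive descriptor (a pipe stands in for a log file or socket), spawns a child, and the child reads the parent's data through the inherited descriptor number. Either of the two standard controls, clearing the descriptor's inheritable flag (close-on-exec) or having the spawner close non-stdio descriptors, stops the leak. The child program and the token it reads are constructed for the demonstration.

```python
"""Added example (not from the book): a file descriptor leaking from a parent
into a child across exec, and the two controls that stop it. The pipe stands
in for any sensitive descriptor; the child is a second Python interpreter."""
import os
import subprocess
import sys

# Constructed child program: try to read a token from the descriptor number
# it was given on the command line, and report "closed" if it is not open.
CHILD = r"""
import os, sys
fd = int(sys.argv[1])
try:
    sys.stdout.write(os.read(fd, 6).decode())
except OSError:
    sys.stdout.write("closed")
"""


def child_sees_fd(inheritable, close_fds):
    """Spawn a child and report whether it could read the parent's descriptor.

    inheritable: whether the descriptor survives exec (False sets close-on-exec)
    close_fds:   whether the spawner closes everything but stdio in the child
    """
    r, w = os.pipe()
    os.write(w, b"secret")            # data the child must not be able to see
    os.set_inheritable(r, inheritable)
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD, str(r)],
            close_fds=close_fds, capture_output=True, text=True, check=True)
    finally:
        os.close(r)
        os.close(w)
    return proc.stdout == "secret"


if __name__ == "__main__":
    # Inheritable descriptor and a spawner that keeps fds open: the leak.
    print(child_sees_fd(inheritable=True, close_fds=False))   # True
    # Either control alone is enough to stop it.
    print(child_sees_fd(inheritable=True, close_fds=True))    # False
    print(child_sees_fd(inheritable=False, close_fds=False))  # False
```

These are the DAC-level mitigations a single program can apply to itself. The fd object class lets policy enforce the same property system-wide: a process in one domain can use a descriptor created by another domain only if an allow rule grants the use permission on fd between those two domains.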

4.3.2 Network-related object classes

Network-related object classes represent network resources such as network interfaces, the various types of sockets, and hosts. On a single system, the current object classes provide enough control to express complex network access policies. Improvements in this area, such as labeled network packets, may be developed later. The following table summarizes the network- and socket-related object classes.

Object class                   Description
association                    IPsec security association
key_socket                     PF_KEY socket, used for key management in IPsec
netif                          Network interface (for example, eth0)
netlink_audit_socket           Netlink socket controlling the audit subsystem
netlink_dnrt_socket            Netlink socket controlling DECnet routing
netlink_firewall_socket        Netlink socket for user-space IPv4 firewall filters
netlink_ip6fw_socket           Netlink socket for user-space IPv6 firewall filters
netlink_kobject_uevent_socket  Netlink socket that receives kernel event notifications in user space
netlink_nflog_socket           Netlink socket that receives netfilter log messages
netlink_route_socket           Netlink socket that controls and manages network resources such as routing tables and IP addresses
netlink_selinux_socket         Netlink socket that receives notifications of policy loads, enforcing-mode changes, and AVC cache flushes
netlink_tcpdiag_socket         Netlink socket for monitoring TCP connections
netlink_socket                 All other netlink sockets
netlink_xfrm_socket            Netlink socket for getting, maintaining, and setting IPsec parameters
node                           Host represented by an IP address or a range of addresses
packet_socket                  Raw socket for protocols implemented in user space
rawip_socket                   IP socket that is neither TCP nor UDP
socket                         All other sockets
tcp_socket                     TCP socket
udp_socket                     UDP socket
unix_dgram_socket              IPC datagram socket on the local machine
unix_stream_socket             IPC stream socket on the local machine

The node, netif, packet_socket, rawip_socket, tcp_socket, udp_socket, and socket object classes control access to the network. The netif object class represents network interfaces; each named network interface is an instance of netif. Remote hosts, identified by an IP address or a range of addresses, are instances of the node object class. Using node, we can restrict which hosts a process may communicate with on the network. The various socket object classes represent sockets separated by protocol. Successfully sending or receiving network data requires permissions on instances of the netif, node, and socket object classes.

Standard network sockets are separated by protocol, which is fixed by the arguments to the socket(2) system call when the socket is created. The separate socket object classes let us restrict whether an application may send or receive a particular kind of packet; this is especially useful for restricting which processes may send raw packets. tcp_socket and udp_socket represent TCP and UDP sockets, respectively. rawip_socket represents sockets that send raw IP datagrams, and packet_socket represents sockets that send any kind of raw datagram. All other sockets are represented by the socket object class.

Communication over IPsec involves additional resources, represented by the association and key_socket object classes. An IPsec security association is a simplex connection that provides security services to the traffic it carries. The association object class represents these IPsec connections. IPsec also requires key management through a key management socket, which is represented by the key_socket object class.

Local communication within a Linux system can use UNIX domain sockets (PF_UNIX), which are commonly used for local IPC. A connection-oriented socket, also called a stream socket, is represented by the unix_stream_socket object class; a datagram socket is represented by unix_dgram_socket. A UNIX domain socket can be bound to a file in the file system so that other applications can find and connect to it. That file is represented by the sock_file object class, the file-related class described earlier.

The last group of sockets is the netlink sockets. Netlink sockets were originally designed to provide a standard way to configure networking in Linux; they are now used more generally to pass information between the kernel and user space. Several object classes represent netlink sockets by protocol type, and the generic netlink_socket class is used for any netlink protocol that does not have its own object class.

4.3.3 System V IPC object classes

The IPC-related object classes represent System V IPC resources. The msgq and msg object classes represent message queues and the messages in them. The sem object class represents semaphores, and the shm object class represents shared memory segments. Note that access to global information about all System V IPC resources is controlled by permissions on the system object class.

The IPC-related object classes are:

Object class   Description
ipc            No longer used
msg            Message in a message queue
msgq           Message queue
sem            Semaphore
shm            Shared memory segment

4.3.4 Other object classes

The following table lists the remaining object classes, which do not fit easily into the other groups.

Object class   Description
capability     Privileges implemented as capabilities in Linux
process        Processes, which are also objects in SELinux
security       The SELinux security server in the kernel
system         The system as a whole

The capability object class represents the process capabilities of the standard Linux access control model. This object class allows SELinux to control the capabilities granted to "root" processes. Examples include the capability to override DAC (permission mode) checks and the capability to send raw network datagrams. This object class and its permissions give control over a process's ability to use the standard Linux privileges.

The remaining two object classes, security and system, represent access to the SELinux security server and to the system as a whole, respectively. They are unique in that there is only one instance of each, reflecting the single security server and the single system.
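Where a practitioner meets these object classes in practice is the tclass field of AVC messages in the audit log. The following is an added example, not from the book, that parses AVC records and groups the denied permissions by the four object-class families described in this section, and separately flags fd denials in which the descriptor was created in a different domain from the one trying to use it (the passed or inherited descriptor case discussed under the fd class). The audit lines, process names, inode and pid values are constructed for illustration; the record layout follows the kernel's AVC message format.

```python
"""Added example (not from the book): triaging SELinux AVC messages by the
four object-class groups described in this section. The audit lines below are
constructed for illustration, not captured from a real system."""
import re
from collections import Counter

FILE_CLASSES = {"blk_file", "chr_file", "dir", "fd", "fifo_file", "file",
                "filesystem", "lnk_file", "sock_file"}
NETWORK_CLASSES = {"association", "key_socket", "netif", "node", "packet_socket",
                   "rawip_socket", "socket", "tcp_socket", "udp_socket",
                   "unix_dgram_socket", "unix_stream_socket"}
IPC_CLASSES = {"ipc", "msg", "msgq", "sem", "shm"}
OTHER_CLASSES = {"capability", "process", "security", "system"}

# An AVC record: result, permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)")


def category(tclass):
    """Map an object class to the group used in this section; every
    netlink_*_socket class is network-related."""
    if tclass in FILE_CLASSES:
        return "file"
    if tclass in NETWORK_CLASSES or tclass.startswith("netlink_"):
        return "network"
    if tclass in IPC_CLASSES:
        return "ipc"
    if tclass in OTHER_CLASSES:
        return "other"
    return "unknown"


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["category"] = category(rec["tclass"])
    # A context is user:role:type[:range]; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Count denied permissions by (group, object class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["category"], rec["tclass"], perm)] += 1
    return counts


def cross_domain_fd_denials(lines):
    """fd denials where the descriptor was created in a different domain from
    the one trying to use it: a descriptor passed or inherited across domains."""
    return [(rec["stype"], rec["ttype"])
            for rec in map(parse_avc, lines)
            if rec and rec["result"] == "denied" and rec["tclass"] == "fd"
            and rec["stype"] != rec["ttype"]]


SAMPLE_AUDIT = [  # constructed records; comm, inode and pid values are invented
    'type=AVC msg=audit(1123456789.123:42): avc:  denied  { read } for  pid=2301 '
    'comm="httpd" name="index.html" dev=sda3 ino=8421 '
    'scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    'type=SYSCALL msg=audit(1123456789.123:42): arch=40000003 syscall=5 success=no exit=-13',
    'type=AVC msg=audit(1123456790.456:43): avc:  denied  { read } for  pid=2301 '
    'comm="httpd" name="html" dev=sda3 ino=8400 '
    'scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=lnk_file',
    'type=AVC msg=audit(1123456791.789:44): avc:  denied  { create } for  pid=3120 '
    'comm="ping" scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=rawip_socket',
    'type=AVC msg=audit(1123456791.790:45): avc:  denied  { net_raw } for  pid=3120 '
    'comm="ping" capability=13 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability',
    'type=AVC msg=audit(1123456792.001:46): avc:  denied  { use } for  pid=4420 '
    'comm="sendmail" path="/var/log/messages" dev=sda3 ino=1201 '
    'scontext=system_u:system_r:sendmail_t tcontext=system_u:system_r:syslogd_t tclass=fd',
    'type=AVC msg=audit(1123456793.222:47): avc:  denied  { read write } for  pid=5510 '
    'comm="postgres" key=5432 scontext=system_u:system_r:postgresql_t '
    'tcontext=system_u:system_r:postgresql_t tclass=shm',
    'type=AVC msg=audit(1123456794.333:48): avc:  granted  { load_policy } for  pid=611 '
    'comm="load_policy" scontext=root:sysadm_r:load_policy_t '
    'tcontext=system_u:object_r:security_t tclass=security',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(n, *key)
    print("cross-domain fd use:", cross_domain_fd_denials(SAMPLE_AUDIT))
```

Grouping denials this way is useful during policy development: a burst of file-group denials against one type usually means a labeling problem, whereas network-group or capability denials point at a domain that needs (or must not be given) a specific privilege. The cross-domain fd check is worth keeping separate because those denials are often the only visible sign that a daemon leaked a descriptor to a child it spawned.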
