Mandatory access control (MAC) gives stronger guarantees than traditional discretionary access control, and SELinux is the best-known implementation of the mandatory access control mechanism. This article describes how to apply this mechanism to manage the file system access permissions of network services, using SELinux on Fedora 16 as the example.
I. Introduction to the mandatory access control mechanism
Among traditional access control mechanisms, the discretionary access control (DAC) model is dominant. A system that uses DAC lets the owner of a resource specify which subjects may access it. The model is called "discretionary" because access decisions are left to the discretion of the resource owner: access is restricted according to the permissions granted to a user, and the owner of an object has the right to set the kind of access allowed to that object. If an organization uses the DAC model, the administrator can allow resource owners to control who can access their files. The most common DAC implementation is the access control list (ACL), which is specified by the user and enforced by the operating system. Most of the operating systems in everyday use, such as Windows, Mac OS X and the mainstream Unix systems, are based on the discretionary model.
In the mandatory access control (MAC) model, the data owner does not decide who can access a file. The decision is made by the operating system, and it may override the settings chosen by the data owner. This model is more structured and stricter, and is generally based on a security labeling system. Each user is assigned a clearance (such as Secret), and data is likewise divided into classifications. The classification is stored in the security label of the resource, and specifies the level of trust a user needs in order to access the file.
When the system receives a request to access an object, it decides based on the security level of the subject and the security classification of the object. The rules for how subjects may access data are defined by management, configured and maintained by the administrator, and enforced by the operating system, which provides the technical support for the security policy. Security labels are attached to objects, so every file, directory and device carries its own label and classification. Suppose a user has a Secret clearance and the data he wants to access carries a Top Secret label: the request is denied, because the user's clearance is not equal to or higher than the classification of the object. The most widely used MAC system today is SELinux, developed by the US National Security Agency (NSA) and Secure Computing. Recent Linux distributions, such as Red Hat Enterprise Linux 5 and 6 and the Fedora releases up to Fedora 16, ship with SELinux support.
II. How to enable and disable SELinux
Enabling or disabling SELinux takes two steps: 1) modify its configuration file; 2) reboot.
First, the main SELinux configuration file. /etc/selinux/config controls which policy is loaded at the next boot and the mode in which the system runs. The sestatus command reports the current SELinux status. The following is an example of the config file:
The SELinux mode is determined by the SELINUX option (line 6 in the preceding example); it can be set to enforcing, permissive or disabled:
1) In enforcing mode the policy is fully enforced. This is the normal mode of SELinux and should be used on every system that needs the added protection.
2) In permissive mode, policy rules are not enforced; violations are only logged (audited). SELinux therefore adds nothing to the security of the system in this mode, but it is useful for debugging and testing a policy: the denials that would have occurred can be read from the audit log without breaking the service.
3) In disabled mode the SELinux kernel mechanism is turned off completely; no policy is loaded at boot. This differs from permissive mode: in permissive mode nothing is denied but every access is still checked and audited, whereas in disabled mode SELinux takes no action at all. Be particularly careful when switching between enforcing and permissive or disabled modes. When a system returns to enforcing after running disabled, file labels are usually inconsistent, because files created or changed while SELinux was off were never labeled; the file system must then be relabeled (for example by creating the file /.autorelabel before rebooting). The mode setting in the SELinux configuration file is read by init, which configures SELinux before it loads the initial policy. Switching between enforcing and permissive alone does not need a reboot: setenforce 1 and setenforce 0 change the mode at run time, while the configuration file determines the mode at the next boot.
The detailed steps for enabling SELinux are:
1) Edit the configuration file
Following the introduction above, edit the file to set the running mode and the active policy of SELinux, as shown in the highlighted lines of the configuration file below:
2) Run the getenforce and sestatus commands to view the running mode and the detailed context information of SELinux:
# /usr/sbin/getenforce
# /usr/sbin/sestatus
3) Restart the system as root:
# reboot
Similarly, to disable SELinux, set SELINUX=disabled when editing the configuration file.
III. The directory layout of SELinux policies
In the preceding example, the SELINUXTYPE option in the SELinux configuration file tells init which policy to load at boot. The string it is set to must match the name of the directory that holds the binary version of that policy. For example, a user who wants the MLS (Multi-Level Security) policy sets SELINUXTYPE=mls in /etc/selinux/config, so that the kernel uses the policy stored under /etc/selinux/mls. In the example above the active policy is the default, the targeted policy, as shown on line 10.
Each policy installed on an SELinux system has its own directory under /etc/selinux/. The subdirectory name corresponds to the policy name (such as strict, targeted or refpolicy), and it is these subdirectory names that the SELinux configuration file uses to tell the kernel which policy to load at boot. All paths mentioned in this chapter are relative to the policy directory /etc/selinux/[policy]. Figure 1 shows the listing of the /etc/selinux/ directory on a current Fedora 16 system:
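As an added example (not from the original article), the following shell script reads, validates and rewrites the SELINUX= and SELINUXTYPE= settings of an /etc/selinux/config-style file, covering both the edit step of section II and the mapping from SELINUXTYPE to a policy directory in section III. It runs against a constructed sample file laid out like Fedora's stock /etc/selinux/config, so nothing on the real system is touched; the helper names selinux_config_get, selinux_valid_mode, selinux_set_mode and selinux_policy_dir are this example's own, and the optional ROOT argument of selinux_policy_dir is an assumption that lets the mapping be checked against an alternate tree.

```shell
#!/bin/sh
# Added example, not part of the original article: read, validate and rewrite
# the SELINUX= / SELINUXTYPE= settings of an /etc/selinux/config-style file,
# and derive the policy directory that SELINUXTYPE selects.

# Print the value of KEY from FILE. Comments ('#' to end of line) and blank
# lines are ignored and whitespace around '=' is tolerated; if a key appears
# more than once the last assignment wins (a rule of this example only).
selinux_config_get() {   # usage: selinux_config_get FILE KEY
    sed -e 's/#.*//' "$1" |
    awk -F= -v key="$2" '
        {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2)
        }
        $1 == key { val = $2 }
        END { print val }'
}

# Accept only the three modes the configuration file understands, so that a
# typo such as "diabled" is caught before it is written to the file.
selinux_valid_mode() {   # usage: selinux_valid_mode MODE
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite the SELINUX= line of FILE to MODE after validating MODE. The file is
# updated through a temporary copy and written back with cat so that its
# ownership and permissions are preserved; the SELINUXTYPE= line is untouched.
selinux_set_mode() {     # usage: selinux_set_mode FILE MODE
    selinux_valid_mode "$2" || { echo "invalid SELinux mode: $2" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    sed -e "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=$2/" "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Directory the binary policy is loaded from: <ROOT>/etc/selinux/<SELINUXTYPE>.
# ROOT defaults to empty (the running system); it is an assumption of this
# example so the mapping can be checked against any tree.
selinux_policy_dir() {   # usage: selinux_policy_dir FILE [ROOT]
    printf '%s/etc/selinux/%s\n' "${2:-}" "$(selinux_config_get "$1" SELINUXTYPE)"
}

# --- demonstration on a constructed sample (modelled on Fedora's stock file) ---
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

echo "configured mode: $(selinux_config_get "$demo_cfg" SELINUX)"
if selinux_set_mode "$demo_cfg" diabled; then
    echo "BUG: typo accepted"
fi
selinux_set_mode "$demo_cfg" permissive
echo "mode after edit: $(selinux_config_get "$demo_cfg" SELINUX)"
echo "policy directory: $(selinux_policy_dir "$demo_cfg")"
rm -f "$demo_cfg"
```

The parser here is deliberately tolerant of spaces around "=" so it can read hand-edited files, but the real file is parsed by libselinux, which looks for the key at the very start of the line; write the real setting as SELINUX=disabled, not "SELINUX = disabled". A change made this way still takes effect only at the next boot, as section II describes.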